# ory-copilot
@chilly-king-10285 which service sets the CSRF token?
A message from kapa.ai
Based on the knowledge sources provided, Ory Identities (also known as Ory Kratos) is the service that sets the CSRF token. This is evident from several documents:
1. In the [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration) document, it's mentioned that "Ory Identities takes care of all required session and CSRF cookies and ensures that all security requirements are fulfilled."
2. The [Cookie-based security model](https://www.ory.sh/docs/security-model) document states that "Ory Identities implements special browser APIs which use additional security measures such as anti-CSRF cookies."
3. In the [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser) document, it's explained that for browser apps, "When using this endpoint, Ory will set anti CSRF cookies."

The CSRF token is set as part of the flow initialization process, typically when a user starts a login, registration, or other self-service flow. It's important to note that the CSRF token is only set for browser-based flows and not for native app flows, as native apps don't require the same level of CSRF protection.
@chilly-king-10285 how come that when I have this config for sessions:
```yaml
session:
  lifespan: 24h
  cookie:
    domain: stag.thommie.be
    same_site: None
```
it still has `domain: identities.stag.thommie.be` and `same_site: Lax`?
A message from kapa.ai
Based on the information provided in the knowledge sources, I can offer some insights into why your session cookie configuration might not be working as expected:
1. Domain configuration: The domain you've set (stag.thommie.be) is incorrect. The `domain` field in the cookie configuration should not include the protocol (http://). It should be just the domain name. Try changing it to:
```yaml
    domain: stag.thommie.be
```
This is supported by the [Configuring cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies) document.
2. SameSite attribute: Setting `same_site: None` requires additional considerations:
   - As mentioned in the [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf) document, when you set `SameSite=None`, the cookie must also have the `secure` flag set to `true`. This is especially important for Chrome and other modern browsers.
   - If you're running Ory Kratos in development mode (with the `--dev` flag), it automatically disables `SameSite=Lax` because Chrome rejects cookies with `SameSite=Lax` that have `secure` set to `false`.
3. Running over HTTP: If you're running your application over HTTP (as suggested by the `http://` in your domain), this could cause issues. As stated in the CSRF troubleshooting document, "Ory Kratos' cookies have the `Secure` flag enabled by default. This means that the browser won't send the cookie unless the URL is a HTTPS URL."
4. Subdomain issues: The fact that you're seeing identities.stag.thommie.be instead of stag.thommie.be suggests that there might be some subdomain configuration that's overriding your settings. Make sure your Ory Kratos instance is properly configured to use the main domain and not a subdomain.

To resolve these issues, try the following:
1. Correct the domain configuration by removing the protocol.
2. Ensure you're running over HTTPS.
3. If you need to run over HTTP for development, use the `--dev` flag.
4. Make sure your Ory Kratos instance is not configured to use a subdomain by default.

If these changes don't resolve the issue, you may need to review your entire Ory Kratos configuration to ensure there are no conflicting settings.
@chilly-king-10285 do we have to initiate a recovery flow manually when creating an account for the user via the admin endpoints so that we can send an email invite to set their password?
A message from kapa.ai
Yes, you need to initiate a recovery flow manually when creating an account for a user via the admin endpoints to send an email invite for setting their password. This process is often referred to as "user invitation" in Ory Identities (Kratos). Here's how you can do it:
1. First, create the user account using the admin API endpoint. This is described in the [Invite users](https://www.ory.sh/docs/kratos/manage-identities/invite-users) document:
```shell
curl --request POST -sL \
  --header "Authorization: Bearer {ORY_API_KEY}" \
  --header "Content-Type: application/json" \
  --data '{
    "schema_id": "preset://email",
    "traits": {
      "email": "$USER_EMAIL_ADDRESS"
    }
  }' https://{project-slug}.projects.oryapis.com/admin/identities
```
2. After creating the account, you need to manually initiate a recovery flow for this user. This is done using the admin recovery API, as described in the [Administrative account recovery](https://www.ory.sh/docs/kratos/manage-identities/account-recovery#magic-links) document:
```shell
curl --request POST -sL \
  --header "Authorization: Bearer {ORY_API_KEY}" \
  --header "Content-Type: application/json" \
  --data '{
    "expires_in": "12h",
    "identity_id": "$ACCOUNT_ID"
  }' https://$PROJECT_SLUG.projects.oryapis.com/admin/recovery/link
```
3. The response will contain a `recovery_link`. You need to send this link to the user's email address. It's important to note that this process is not automated, and you'll need to implement the email sending logic yourself. As mentioned in the [Invite users](https://www.ory.sh/docs/kratos/manage-identities/invite-users) document: "It is currently not possible to send the recovery link directly to a user's email, this feature is tracked as [#595](https://github.com/ory/kratos/issues/595)."

Also, make sure that you have properly configured the recovery address in your identity schema, as described in the [Recovery address](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#recovery-address) document. This manual process allows you to create accounts and send invitations to users to set their passwords, effectively implementing a user invitation flow using Ory Identities' recovery mechanism.
@chilly-king-10285 when does the csrf token get set by Kratos? I do on oauth request to Hydra first
A message from kapa.ai
Based on the knowledge sources provided, I can explain when the CSRF token is set by Ory Kratos in the context of a login flow that involves OAuth and Hydra. The CSRF token is typically set by Kratos when a login flow is initiated. However, in your case, where you're doing an OAuth request to Hydra first, the process is slightly different:
1. When you initiate an OAuth request to Hydra, Hydra will redirect the user to Kratos for authentication.
2. At this point, Kratos will create a new login flow. This is evident from the logs in the [Github Issue #3674](https://github.com/ory/kratos/issues/3674):
```
time=2023-12-29T22:52:38Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/x@v0.0.623/reqlog/middleware.go:134 http_request=map[headers:map[accept:application/json accept-encoding:gzip, deflate, br cache-control:no-cache connection:keep-alive content-length:209 content-type:application/json cookie:[] postman-token:19d3a81a-c896-4745-8e71-43f4ea4dbb6f user-agent:PostmanRuntime/7.36.0] host:localhost:4433 method:POST path:/self-service/login query:flow=83bbc8cb-aa6d-457d-aa57-be8f09168600 remote:172.22.0.1:50446 scheme:http]
```
3. As part of creating this login flow, Kratos will set the CSRF token. This is done to protect against Cross-Site Request Forgery attacks, as explained in the [Defenses against cross-site request forgery](https://www.ory.sh/docs/kratos/concepts/security#defenses-against-cross-site-request-forgery) document: "To protect against these attacks, Ory Identities uses various countermeasures, including the `sameSite` attribute and a dedicated anti-CSRF cookie using the synchronizer token pattern."
4. The CSRF token is set in both a cookie and as a hidden field in the login form. This can be seen in the response to the login flow creation, as shown in the [Github Issue #4024](https://github.com/ory/kratos/issues/4024):
```
Set-Cookie: ory_hydra_login_csrf_dev_2023525599=MTcyMjc1MTU4OHxUZTIxWTVsXzU3M04xalI0YXFib2RhcGdlbUc3U2xfMUNVc0w4WnpkUmY2Y0RRbjk1MU5pZElNMDQxNU9LTDYyZzNReXBLTUxWQ2ZwWDJKcnhyckFGRjZtMkU3TUM0TzJIU3U0cG9hZzBTaDdhVVE4SUZZd05CbEl5U0VZfOrXSFbKjjQRBcxNlSs8SgjqOdb2RX3MCr_PdrN-dzEj; Path=/; Expires=Sun, 04 Aug 2024 06:36:28 GMT; Max-Age=1800; HttpOnly; SameSite=Lax
```
5. When you submit the login form, you need to include this CSRF token in your request. As stated in the [Cross-site request forgery errors](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug) section: "This means that you must send a CSRF token in the body and CSRF cookie back when submitting a flow. The cookie should be sent by default by your browser, but you must add the CSRF token manually to the request body."
In summary, the CSRF token is set by Kratos when it creates the login flow, which happens after the initial OAuth request to Hydra and the subsequent redirect to Kratos for authentication. It's important to include this token when submitting the login form to complete the authentication process.