# ory-selfhosting
c
I have a problem with OIDC. I am getting the following error in the browser when I try to sign in with google, or link a google account:
```json
{
  "id": "da42871f-ccfb-413d-be59-ba98c0323ff6",
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "securecookie: error - caused by: crypto/aes: invalid key size 35"
  },
  "created_at": "2025-03-12T16:37:08.920426Z",
  "updated_at": "2025-03-12T16:37:08.920426Z"
}
```
Looking at my kratos.yml the relevant snippet is currently:
```yaml
secrets:
  cookie:
    - 7VPgn1v59aVrjlOeOVZy+ZSP/oSsXQ==
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - VZ3Oi1l5Tbj9xFXxZoYR7DDA6Vng/Q==
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305
```
So it should be using xchacha20 rather than AES, and the key is 32 long... so where is the error coming from? I can see the following lines in the kratos log journal, but I don't know what to do next.
```text
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: time=2025-03-12T16:50:57Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[message:securecookie: error - caused by: crypto/aes: invalid key size 35 stack_trace:
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/x.SessionPersistValues
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/x/cookie.go:22
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/continuity.(*ManagerCookie).Pause
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/continuity/manager_cookie.go:64
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).initLinkProvider
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/selfservice/strategy/oidc/strategy_settings.go:380
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).Settings
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/selfservice/strategy/oidc/strategy_settings.go:312
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/selfservice/flow/settings.(*Handler).updateSettingsFlow
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/selfservice/flow/settings/handler.go:595
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/selfservice/flow/settings.(*Handler).RegisterPublicRoutes.(*Handler).IsAuthenticated.func7
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/session/handler.go:853
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/x.(*RouterPublic).POST.NoCacheHandle.func1
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/x/nocache.go:21
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/ory/kratos/x.(*RouterPublic).Handle.NoCacheHandle.func1
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]:         /project/x/nocache.go:21
Mar 12 16:50:57 ip-10-0-1-213 kratos[111802]: github.com/julienschmidt/httprouter.(*Router).ServeHTTP
```
s
I'm not sure why it is using aes or if the error is just deceiving, but xchacha20-poly1305 keys need to be 32 bytes
ah I see now, the session encryption always uses aes
```go
// The encryption key, if set, must be either 16, 24, or 32 bytes to select
// AES-128, AES-192, or AES-256 modes.
```
this is from the library we use to generate the session cookies
the cipher is used for the oidc state
c
thanks @steep-lamp-91158. So my issue is with encryption of a session cookie? But everything else apart from the OIDC google account linking and google signup works. I can login using password, passkey, code, or account recovery. And get a valid session with an ory_kratos_session cookie. So I am very lost.
s
hm I'm not sure, somehow it looks like it falls back to the
PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
secret which is 35 characters long
apparently it failed with the first one, so it tried the second one
which hints at the decryption part failing
did you try with all cookies cleared? did you by any chance change the secret value during testing?
try to remove the invalid one and see which error you get
c
Wow, progress. Thank you! I removed the new secrets leaving only the insecure default 35 character long cookie secret, and the default insecure cipher secret, cleared the browser cookies and stopped and started kratos service. And I have just linked my google account to my kratos identity. Thanks for pointing me in the right direction. I'll do a bit more exploring to try to rotate out the cookie secret and then see if I can narrow down where that error came from. It does indeed seem like my attempt to cycle the secrets caused the issue. The error message doesn't seem to correlate with the facts, so I'll try and pin down the root cause a bit more.
I was following docs here for secrets and key rotation. https://www.ory.sh/docs/kratos/guides/secret-key-rotation But I have just done a few experiments ... it works when I have one and only one cookie secret. If I add a new cookie secret as described in the docs, then I get the "crypto/aes: invalid key size 35" error whenever I try to use google OIDC. If I remove either of the cookie secrets, so only one remains then it works again.
s
interesting, did you also try two secrets that are 32 characters long? not sure why the 35 one even works in the first place 😅