# talk-kratos
l
Hey again. Could you help me with such an error please:
{
  "id": "security_csrf_violation",
  "code": 403,
  "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
  "status": "Forbidden",
  "details": {
    "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
    "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
    "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
  },
  "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
}
I tried to clear cookies and restart the flow. It doesn't help.
s
please post your full request and cookie/cors config
l
curl "https://127.0.0.1:4433/self-service/registration?flow=f305421e-149f-4dbc-981e-446af9ac8529" ^
  -H "authority: 127.0.0.1:4433" ^
  -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" ^
  -H "accept-language: en-US,en;q=0.9" ^
  -H "cache-control: max-age=0" ^
  -H "content-type: application/x-www-form-urlencoded" ^
  -H "origin: http://127.0.0.1:4455" ^
  -H "referer: http://127.0.0.1:4455/" ^
  -H "sec-ch-ua: ^\^"Google Chrome^\^";v=^\^"105^\^", ^\^"Not)A;Brand^\^";v=^\^"8^\^", ^\^"Chromium^\^";v=^\^"105^\^"" ^
  -H "sec-ch-ua-mobile: ?0" ^
  -H "sec-ch-ua-platform: ^\^"Windows^\^"" ^
  -H "sec-fetch-dest: document" ^
  -H "sec-fetch-mode: navigate" ^
  -H "sec-fetch-site: cross-site" ^
  -H "sec-fetch-user: ?1" ^
  -H "upgrade-insecure-requests: 1" ^
  -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" ^
  --data-raw "csrf_token=HQaRUZf^%^2BduX2b^%^2FbEV74pvCqPAQdjE^%^2BculN27YNdOMLlL0Xz169nFWHB5DXXOIcsQEEWHUvrE3RagQ5^%^2F9RSukIA^%^3D^%^3D&traits.username=dimon&password=lolkek98&traits.name.first=dsdssd&traits.name.last=dsds&method=password" ^
  --compressed ^
  --insecure
Request; cookies are included.
The interesting thing is that the OIDC flow is working, but all email/username/etc. flows are not working because of that error.
I could only find this thread: https://github.com/ory/kratos/discussions/2216 But it's not my case; I haven't changed the default config for cookies:
s
I don't see any cookies in that request?
l
csrf_token_54e64d84a80e91b26e73a95b3618d0bac75b23fa51df9bdcb1f52daa326c1406=2cVTOvvRxdPREuF/CbSQTbcgu0dHOvjj4yMzOhuT0Z0=
When I copy the request as cURL from the browser I get csrf_token inside --data-raw, but actually it's part of the cookies.
This is my diff from your kratos quickstart.yml and kratos.yaml:
s
Yes, that is exactly the problem: no cookies are sent. They would be in the Cookie header.
l
But why weren't they sent?
s
CORS settings
l
I've just added SSL to the quickstart example.
Is it a setting in kratos.yaml?
s
What is your config? And domain?
Yes, in kratos.yaml.
l
Config with an OIDC provider.
The diff with the original config is above.
With the original config everything works well.
My domain is 127.0.0.1; I didn't change anything about it.
So, when I add SSL support I start getting that error.
s
The UI is running on HTTP, but the backend is not?
Both have to use HTTP,
or neither.