I'm having a little trouble with Kratos right now....
# talk-kratosc
careful-engineer-44837
10/22/2022, 12:38 PMI'm having a little trouble with Kratos right now. Maybe someone could give me some advice. I'm running Kratos (iam.domain.com) and the Node Selfservice UI (auth.domain.com) behind Nginx. Whenever I try to login under auth.domain.com I'm getting redirected from one domain to the next and back in some kind of circle until my browser interrupts the connection and I can't for the life of me figure out what config seems to be broken. When I run the Kratos example from the Quickstart documentation by itself without Nginx it works just fine. So I assume the culprit may be the Reverse Proxy.
Copy code
38.221.50.36 - - [22/Oct/2022:12:36:15 +0000] "GET /login HTTP/2.0" 303 216 "<https://auth.domain.com/welcome>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
38.221.50.36 - - [22/Oct/2022:12:36:15 +0000] "GET /self-service/login/browser?aal=&refresh=&return_to= HTTP/2.0" 303 100 "<https://auth.domain.com/>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
192.168.208.1 - - [22/Oct/2022:12:36:15 +0000] "GET /self-service/logout/browser HTTP/1.1" 401 192 "-" "axios/0.21.4" "-"
192.168.208.1 - - [22/Oct/2022:12:36:15 +0000] "GET /self-service/login/flows?id=bee0bf67-9523-4cd9-8d48-e2dd922d9f3c HTTP/1.1" 403 794 "-" "axios/0.21.4" "-"
38.221.50.36 - - [22/Oct/2022:12:36:15 +0000] "GET /login?flow=bee0bf67-9523-4cd9-8d48-e2dd922d9f3c HTTP/2.0" 302 212 "<https://auth.domain.com/>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
38.221.50.36 - - [22/Oct/2022:12:36:15 +0000] "GET /self-service/login/browser?aal=&refresh=&return_to= HTTP/2.0" 303 100 "<https://auth.domain.com/>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
192.168.208.1 - - [22/Oct/2022:12:36:15 +0000] "GET /self-service/logout/browser HTTP/1.1" 401 192 "-" "axios/0.21.4" "-"
192.168.208.1 - - [22/Oct/2022:12:36:15 +0000] "GET /self-service/login/flows?id=47f9265b-d12e-44d9-9a17-5ba2b5cb3a0f HTTP/1.1" 403 794 "-" "axios/0.21.4" "-"
38.221.50.36 - - [22/Oct/2022:12:36:15 +0000] "GET /login?flow=47f9265b-d12e-44d9-9a17-5ba2b5cb3a0f HTTP/2.0" 302 212 "<https://auth.domain.com/>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
38.221.50.36 - - [22/Oct/2022:12:36:15 +0000] "GET /self-service/login/browser?aal=&refresh=&return_to= HTTP/2.0" 303 100 "<https://auth.domain.com/>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-careful-engineer-44837
10/22/2022, 12:41 PMDocker Compose config:
Copy code
version: '3.7'
services:
opa:
image: openpolicyagent/opa:0.41.0
networks:
- intranet
ports:
- "8181:8181"
#- "443:8181"
command:
run --server --log-level debug --set=decision_logs.console=true
--addr <http://0.0.0.0:8181> --set-file services.acmecorp.credentials.bearer.token=/etc/bearer_token.txt --authentication=token --authorization=basic /etc/auth.rego
volumes:
- ./opa/certs/opa.domain.com.pem:/etc/opa.domain.com.pem
- ./opa/certs/opa.domain.com.key:/etc/opa.domain.com.key
- ./opa/secrets/bearer_token.txt:/etc/bearer_token.txt
- ./opa/config/auth.rego:/etc/auth.rego
proxy:
build:
context: proxy
dockerfile: ./Dockerfile
networks:
- intranet
ports:
- 0.0.0.0:80:80
- 0.0.0.0:443:443
kratos-migrate:
image: oryd/kratos:v0.10.0
environment:
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
volumes:
- type: volume
source: kratos-sqlite
target: /var/lib/sqlite
read_only: false
- type: bind
source: ./kratos/conf
target: /etc/config/kratos
command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
restart: on-failure
networks:
- intranet
kratos-selfservice-ui-node:
ports:
- "4455:4455"
environment:
- PORT=4455
- SECURITY_MODE=
- KRATOS_BROWSER_URL=<https://iam.domain.com/>
kratos:
#depends_on:
# - kratos-migrate
image: oryd/kratos:v0.10.0
ports:
- '4433:4433' # public
- '4434:4434' # admin
restart: unless-stopped
environment:
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
- LOG_LEVEL=trace
command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
volumes:
- type: volume
source: kratos-sqlite
target: /var/lib/sqlite
read_only: false
- type: bind
source: ./kratos/conf
target: /etc/config/kratos
networks:
- intranet
mailslurper:
image: oryd/mailslurper:latest-smtps
ports:
- '4436:4436'
- '4437:4437'
networks:
- intranet
networks:
intranet:
external: false
volumes:
kratos-sqlite:careful-engineer-44837
10/22/2022, 12:42 PMKratos Config
Copy code
version: v0.7.1-alpha.1
dsn: memory
serve:
public:
base_url: <https://iam.domain.com/>
cors:
enabled: true
admin:
base_url: <https://iam.domain.com/>
selfservice:
default_browser_return_url: <https://auth.domain.com/>
#default_browser_return_url: <http://slave01.jenkins.domain.com:4455/>
allowed_return_urls:
- <https://app.aws.domain.com>
- <http://app.aws.domain.com>
- <http://auth.domain.com>
- <https://auth.domain.com>
- <http://iam.domain.com>
- <https://iam.domain.com>
methods:
password:
enabled: true
flows:
error:
ui_url: <https://auth.domain.com/error>
settings:
ui_url: <https://auth.domain.com/settings>
privileged_session_max_age: 15m
recovery:
enabled: true
ui_url: <https://auth.domain.com/recovery>
verification:
enabled: true
ui_url: <https://auth.domain.com/verification>
after:
default_browser_return_url: <https://auth.domain.com/>
logout:
after:
default_browser_return_url: <https://auth.domain.com/login>
login:
ui_url: <https://auth.domain.com/login>
lifespan: 10m
registration:
lifespan: 10m
ui_url: <https://auth.domain.com/registration>
after:
password:
hooks:
-
hook: session
log:
level: debug
format: text
leak_sensitive_values: true
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE111
cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL
ciphers:
algorithm: xchacha20-poly1305
hashers:
algorithm: bcrypt
bcrypt:
cost: 8
identity:
default_schema_id: default
schemas:
- id: default
url: file:///etc/config/kratos/identity.schema.json
courier:
smtp:
connection_uri: <smtps://test:test@mailslurper:1025/?skip_ssl_verify=true>2 Views