# talk-kratos
g
Hi everyone! I’m having trouble setting up kratos auth for web across different subdomains. Our setup shares an Ory cloud instance at `auth.mydomain.tld` and we have numerous feature environments, e.g. `prod.mydomain.tld`, `staging.mydomain.tld` and `feature123.mydomain.tld`. Logins from all of the feature environments fail with a `security_csrf_violation` and the message "the request was rejected to protect you from Cross-Site-Request-Forgery". Local setup with Ory proxy works fine. I believe this to maybe be the root cause:
• when the browser sends a request to <https://auth.mydomain.tld/self-service/login/browser>, the server responds with a `csrf_token_<someid>` cookie. The cookie’s domain uses `mydomain.tld`.
• this `csrf_token_<someid>` cookie however is never stored on the browser, so obviously also not sent in subsequent requests (I have `withCredentials: true` added to axios)
To the best of my knowledge and what I’ve read, browsers should store the cookie and send it to other subdomains of `mydomain.tld` as well, but this is not happening. So what am I missing? Can somebody help?
s
Are you sure the cookie is being set on `mydomain.tld`? Can you check that in the browser console and Kratos config?
g
Yes, I’m sure 😞
@steep-lamp-91158 Any other ideas? Also, it’s weird that we don’t see any browser warnings that the cookie is being ignored.
Three people in our team have reproduced this on their machine, so we’re a bit clueless…
s
can you share your config (especially around cookies), and the request/response from the browser?
or maybe dm me with the real domain?
g
I’ll DM you in a bit, thanks
TWIMC: everything I wrote above is exactly what’s needed to have it running nicely. Turns out our deployment pipeline had a bug and we were looking at old code that did not have `withCredentials: true` set on the Axios config. According to https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch, this is required for cookies to be set cross-origin:
• Unless `fetch()` is called with the `credentials` option set to `include`, `fetch()`:
◦ won’t send cookies in cross-origin requests
◦ won’t set any cookies sent back in cross-origin responses
(`withCredentials` on Axios controls `credentials` on the fetch API)
Please note: `withCredentials: true` needs to be set also for the initial GET request that initializes the login flow, not only for the subsequent POST in which login credentials are submitted. If not included in the initial GET, the browser does not have (and subsequently does not send) the CSRF tokens required for the POST to succeed.
s
nice, glad you figured it out 👍 that is really an annoying bug to trace down...
g
Oh and kudos again publicly to @steep-lamp-91158 and @proud-plumber-24205 who thankfully helped debugging and gave us the hint that allowed us to finally figure out the root cause 🙂