#talk-kratos
Title
n
narrow-kitchen-3944
03/23/2022, 8:10 AMHey guys!
I am fairly new to Kratos so bare with me 🙂
I've tried looking thru the issues on Github, docs, and also looked thru this chat for answers, but I can't seem to wrap my head around how to solve my issue.
So, I run Kratos in my AKS, installed with helm chart and using image tag: v0.9.0-alpha.2 and testing it with kratos-selfservice-ui-react-nextjs locally. Register & login works perfect, but as soon as I add Microsoft OIDC I run into problems when I try to "Sign in with Microsoft".
Error in the UI:
Copy code
{
"id": "4f4d6d4f-2a2e-4a5a-8b48-c99e3ffdc77a",
"error": {
"code": 400,
"debug": "key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity\<http://ngithub.com/ory/kratos/x.SessionGetString.func1\n\t/project/x/cookie.go:27\ngithub.com/ory/kratos/x.SessionGetString\n\t/project/x/cookie.go:46\ngithub.com/ory/kratos/continuity.(*ManagerCookie).sid\n\t/project/continuity/manager_cookie.go:97\ngithub.com/ory/kratos/continuity.(*ManagerCookie).container\n\t/project/continuity/manager_cookie.go:109\ngithub.com/ory/kratos/continuity.(*ManagerCookie).Continue\n\t/project/continuity/manager_cookie.go:64\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback\n\t/project/selfservice/strategy/oidc/strategy.go:254\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback\n\t/project/selfservice/strategy/oidc/strategy.go:298\ngithub.com/ory/kratos/selfservice/strategy.disabledWriter\n\t/project/selfservice/strategy/handler.go:25\ngithub.com/ory/kratos/selfservice/strategy.IsDisabled.func1\n\t/project/selfservice/strategy/handler.go:30\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:191\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/project/x/clean_url.go:12\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:198\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:101\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:165\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.358/prometheusx/metrics.go:108|ngithub.com/ory/kratos/x.SessionGetString.func1\n\t/project/x/cookie.go:27\ngithub.com/ory/kratos/x.SessionGetString\n\t/project/x/cookie.go:46\ngithub.com/ory/kratos/continuity.(*ManagerCookie).sid\n\t/project/continuity/manager_cookie.go:97\ngithub.com/ory/kratos/continuity.(*ManagerCookie).container\n\t/project/continuity/manager_cookie.go:109\ngithub.com/ory/kratos/continuity.(*ManagerCookie).Continue\n\t/project/continuity/manager_cookie.go:64\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback\n\t/project/selfservice/strategy/oidc/strategy.go:254\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback\n\t/project/selfservice/strategy/oidc/strategy.go:298\ngithub.com/ory/kratos/selfservice/strategy.disabledWriter\n\t/project/selfservice/strategy/handler.go:25\ngithub.com/ory/kratos/selfservice/strategy.IsDisabled.func1\n\t/project/selfservice/strategy/handler.go:30\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:191\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/project/x/clean_url.go:12\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:198\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:101\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:165\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.358/prometheusx/metrics.go:108>",
"reason": "The browser does not contain the neccesary cookie to resume the session. This is a security violation and was thus blocked. Please clear your browser's cookies and cache and try again!",
"status": "Bad Request",
"message": "no resumable session found"
},
"created_at": "2022-03-23T07:37:14.567199Z",
"updated_at": "2022-03-23T07:37:14.567199Z"
} Copy code
kratos:
autoMigrate: true
identitySchemas:
"identity.default.schema.json": |
{
"$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",
"$schema": "<http://json-schema.org/draft-07/schema#>",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
},
"totp": {
"account_name": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
},
"name": {
"type": "object",
"properties": {
"first": {
"title": "First Name",
"type": "string"
},
"last": {
"title": "Last Name",
"type": "string"
}
}
},
"role": {
"title": "Role",
"type": "string",
"default": "user",
"enum": ["user", "admin"]
},
"group": {
"title": "Group",
"type":"array",
"items": {
"type": "string"
}
}
},
"required": [
"email"
],
"additionalProperties": true
}
}
}
config:
version: v0.9.0-alpha.2
serve:
public:
base_url: <https://kratos.mydomain.com>
cors:
enabled: true
dsn: <postgres://hidden>
courier:
smtp:
connection_uri: <smtps://hidden>
identity:
default_schema_id: default
schemas:
- id: default
url: file:///etc/config/identity.default.schema.json
log:
level: debug
format: text
leak_sensitive_values: true
selfservice:
default_browser_return_url: <http://localhost:3000/>
allowed_return_urls:
- <http://localhost:3000>
methods:
oidc:
enabled: true
config:
providers:
- id: microsoft # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
provider: microsoft
client_id: ... # Replace this with the Application ID from the App Registration
client_secret: ... # Replace this with the generated Secret value from the App Registration 0ee5be1e-4071-45a5-b18d-14b6183ee327
microsoft_tenant: ... # Replace this with the Tenant of your choice (see below)
mapper_url: file:///etc/config/kratos/oidc.microsoft.jsonnet
scope:
- profile
- email
password:
enabled: true
flows:
error:
ui_url: <http://localhost:3000/error>
settings:
ui_url: <http://localhost:3000/settings>
privileged_session_max_age: 15m
recovery:
enabled: true
ui_url: <http://localhost:3000/recovery>
verification:
enabled: true
ui_url: <http://localhost:3000/verification>
after:
default_browser_return_url: <http://localhost:3000/>
logout:
after:
default_browser_return_url: <http://localhost:3000/login>
login:
ui_url: <http://localhost:3000/login>
lifespan: 10m
registration:
lifespan: 10m
ui_url: <http://localhost:3000/registration>
after:
oidc:
hooks:
- hook: session
password:
hooks:
- hook: session
ciphers:
algorithm: xchacha20-poly1305
hashers:
algorithm: bcrypt
bcrypt:
cost: 8
secrets:
cookie:
- SOME_RANDOM_VALUE_HERE
cipher:
- SOME_RANDOM_VALUE_HERE_TOO
cookies:
domain: .<http://mydomain.com|mydomain.com>
same_site: Lax
session:
cookie:
domain: .<http://mydomain.com|mydomain.com>
same_site: Lax
image:
repository: oryd/kratos
tag: v0.9.0-alpha.2
imagePullPolicy: Always
deployment:
livenessProbe:
httpGet:
path: /health/alive
port: http-admin
initialDelaySeconds: 60
periodSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /health/ready
port: http-admin
initialDelaySeconds: 60
periodSeconds: 10
failureThreshold: 5
extraVolumes: #[]
- name: oidc-microsoft-jsonnet
secret:
secretName: oidc-microsoft-jsonnet
extraVolumeMounts: #[]
- name: oidc-microsoft-jsonnet
mountPath: /etc/config/kratos
readOnly: true
ingress:
admin:
enabled: true
className: nginx
annotations:
<http://kubernetes.io/ingress.allow-http|kubernetes.io/ingress.allow-http>: "false"
<http://nginx.ingress.kubernetes.io/proxy-body-size|nginx.ingress.kubernetes.io/proxy-body-size>: "0"
<http://nginx.ingress.kubernetes.io/proxy-read-timeout|nginx.ingress.kubernetes.io/proxy-read-timeout>: "600"
<http://nginx.ingress.kubernetes.io/proxy-send-timeout|nginx.ingress.kubernetes.io/proxy-send-timeout>: "600"
<http://nginx.ingress.kubernetes.io/force-ssl-redirect|nginx.ingress.kubernetes.io/force-ssl-redirect>: "true"
<http://cert-manager.io/cluster-issuer|cert-manager.io/cluster-issuer>: letsencrypt
hosts:
- host: <http://admin.kratos.mydomain.com|admin.kratos.mydomain.com>
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: kratosadmin-tls
hosts:
- <http://admin.kratos.mydomain.com|admin.kratos.mydomain.com>
public:
enabled: true
annotations:
<http://kubernetes.io/ingress.allow-http|kubernetes.io/ingress.allow-http>: "false"
<http://nginx.ingress.kubernetes.io/proxy-body-size|nginx.ingress.kubernetes.io/proxy-body-size>: "0"
<http://nginx.ingress.kubernetes.io/proxy-read-timeout|nginx.ingress.kubernetes.io/proxy-read-timeout>: "600"
<http://nginx.ingress.kubernetes.io/proxy-send-timeout|nginx.ingress.kubernetes.io/proxy-send-timeout>: "600"
<http://nginx.ingress.kubernetes.io/force-ssl-redirect|nginx.ingress.kubernetes.io/force-ssl-redirect>: "true"
<http://cert-manager.io/cluster-issuer|cert-manager.io/cluster-issuer>: letsencrypt
className: nginx
hosts:
- host: <http://kratos.mydomain.com|kratos.mydomain.com>
paths:
- path: /
pathType: Prefix
tls:
- secretName: kratos-pub-tls
hosts:
- <http://kratos.mydomain.com|kratos.mydomain.com>oidc.microsoft.jsonnet
Copy code
apiVersion: v1
kind: Secret
metadata:
name: oidc-microsoft-jsonnet
stringData:
oidc.microsoft.jsonnet: |-
local claims = std.extVar('claims');
{
identity: {
traits: {
// Allowing unverified email addresses enables account
// enumeration attacks, if the value is used for
// verification or as a password login identifier.
//
// If connecting only to your organization (one tenant), claims.email is safe to use if you haven't actively disabled e-mail verification during signup.
//
// The email might be empty if the account isn't linked to an email address.
// For a human readable identifier, consider using the "preferred_username" claim.
[if "email" in claims then "email" else null]: claims.email,
},
},
} Copy code
<https://kratos.mydomain.com/self-service/methods/oidc/callback/microsoft>
<http://localhost:3000>2 Views