# talk-kratos

narrow-kitchen-3944

03/23/2022, 8:10 AM
Hey guys! I am fairly new to Kratos so bear with me 🙂 I've tried looking through the issues on GitHub, docs, and also looked through this chat for answers, but I can't seem to wrap my head around how to solve my issue. So, I run Kratos in my AKS, installed with helm chart and using image tag: v0.9.0-alpha.2 and testing it with kratos-selfservice-ui-react-nextjs locally. Register & login work perfectly, but as soon as I add Microsoft OIDC I run into problems when I try to "Sign in with Microsoft". Error in the UI:
{
  "id": "4f4d6d4f-2a2e-4a5a-8b48-c99e3ffdc77a",
  "error": {
    "code": 400,
    "debug": "key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity\ngithub.com/ory/kratos/x.SessionGetString.func1\n\t/project/x/cookie.go:27\ngithub.com/ory/kratos/x.SessionGetString\n\t/project/x/cookie.go:46\ngithub.com/ory/kratos/continuity.(*ManagerCookie).sid\n\t/project/continuity/manager_cookie.go:97\ngithub.com/ory/kratos/continuity.(*ManagerCookie).container\n\t/project/continuity/manager_cookie.go:109\ngithub.com/ory/kratos/continuity.(*ManagerCookie).Continue\n\t/project/continuity/manager_cookie.go:64\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback\n\t/project/selfservice/strategy/oidc/strategy.go:254\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback\n\t/project/selfservice/strategy/oidc/strategy.go:298\ngithub.com/ory/kratos/selfservice/strategy.disabledWriter\n\t/project/selfservice/strategy/handler.go:25\ngithub.com/ory/kratos/selfservice/strategy.IsDisabled.func1\n\t/project/selfservice/strategy/handler.go:30\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:191\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/project/x/clean_url.go:12\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:198\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:101\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:165\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngithub.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.358/prometheusx/metrics.go:108",
    "reason": "The browser does not contain the neccesary cookie to resume the session. This is a security violation and was thus blocked. Please clear your browser's cookies and cache and try again!",
    "status": "Bad Request",
    "message": "no resumable session found"
  },
  "created_at": "2022-03-23T07:37:14.567199Z",
  "updated_at": "2022-03-23T07:37:14.567199Z"
}
helm install kratos -f values.yaml ory/kratos
values.yaml
kratos:
  autoMigrate: true

  identitySchemas:
    "identity.default.schema.json": |
      {
        "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "Person",
        "type": "object",
        "properties": {
          "traits": {
            "type": "object",
            "properties": {
              "email": {
                "type": "string",
                "format": "email",
                "title": "E-Mail",
                "minLength": 3,
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    },
                    "totp": {
                      "account_name": true
                    }
                  },
                  "verification": {
                    "via": "email"
                  },
                  "recovery": {
                    "via": "email"
                  }
                }
              },
              "name": {
                "type": "object",
                "properties": {
                  "first": {
                    "title": "First Name",
                    "type": "string"
                  },
                  "last": {
                    "title": "Last Name",
                    "type": "string"
                  }
                }
              },
              "role": {
                "title": "Role",
                "type": "string",
                "default": "user",
                "enum": ["user", "admin"]
              },
              "group": {
                "title": "Group",
                "type":"array",
                "items": {
                  "type": "string"
                }
              }
            },
            "required": [
              "email"
            ],
            "additionalProperties": true
          }
        }
      }
  config:
    version: v0.9.0-alpha.2

    serve:
      public:
        base_url: https://kratos.mydomain.com
        cors:
          enabled: true

    dsn: postgres://hidden

    courier:
      smtp:
        connection_uri: smtps://hidden

    identity:
      default_schema_id: default
      schemas:
        - id: default
          url: file:///etc/config/identity.default.schema.json
    
    log:
      level: debug
      format: text
      leak_sensitive_values: true

    selfservice:
      default_browser_return_url: http://localhost:3000/
      allowed_return_urls:
        - http://localhost:3000
      
      methods:
        oidc:
          enabled: true
          config:
            providers:
              - id: microsoft # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
                provider: microsoft
                client_id: ... # Replace this with the Application ID from the App Registration
                client_secret: ... # Replace this with the generated Secret value from the App Registration 0ee5be1e-4071-45a5-b18d-14b6183ee327
                microsoft_tenant: ... # Replace this with the Tenant of your choice (see below)
                mapper_url: file:///etc/config/kratos/oidc.microsoft.jsonnet
                scope:
                  - profile
                  - email
        password:
          enabled: true

      flows:
        error:
          ui_url: http://localhost:3000/error

        settings:
          ui_url: http://localhost:3000/settings
          privileged_session_max_age: 15m

        recovery:
          enabled: true
          ui_url: http://localhost:3000/recovery

        verification:
          enabled: true
          ui_url: http://localhost:3000/verification
          after:
            default_browser_return_url: http://localhost:3000/

        logout:
          after:
            default_browser_return_url: http://localhost:3000/login

        login:
          ui_url: http://localhost:3000/login
          lifespan: 10m

        registration:
          lifespan: 10m
          ui_url: http://localhost:3000/registration
          after:
            oidc:
              hooks:
                - hook: session
            password:
              hooks:
                - hook: session
    
    ciphers:
      algorithm: xchacha20-poly1305
    
    hashers:
      algorithm: bcrypt
      bcrypt:
        cost: 8

    secrets:
      cookie:
        - SOME_RANDOM_VALUE_HERE
      cipher:
        - SOME_RANDOM_VALUE_HERE_TOO
    
    cookies:
      domain: .mydomain.com
      same_site: Lax

    session:
      cookie:
        domain: .mydomain.com
        same_site: Lax

image:
  repository: oryd/kratos
  tag: v0.9.0-alpha.2
  imagePullPolicy: Always

deployment:
  livenessProbe:
    httpGet:
      path: /health/alive
      port: http-admin
    initialDelaySeconds: 60
    periodSeconds: 10
    failureThreshold: 5
  readinessProbe:
    httpGet:
      path: /health/ready
      port: http-admin
    initialDelaySeconds: 60
    periodSeconds: 10
    failureThreshold: 5
  
  extraVolumes: #[]
    - name: oidc-microsoft-jsonnet
      secret:
        secretName: oidc-microsoft-jsonnet
  extraVolumeMounts: #[]
    - name: oidc-microsoft-jsonnet
      mountPath: /etc/config/kratos
      readOnly: true

ingress:
  admin:
    enabled: true
    className: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt
    hosts:
      - host: admin.kratos.mydomain.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: kratosadmin-tls
        hosts:
          - admin.kratos.mydomain.com
  public:
    enabled: true
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt
    className: nginx
    hosts:
      - host: kratos.mydomain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: kratos-pub-tls
        hosts:
          - kratos.mydomain.com
oidc.microsoft.jsonnet
apiVersion: v1
kind: Secret
metadata:
  name: oidc-microsoft-jsonnet
stringData:
  oidc.microsoft.jsonnet: |-
    local claims = std.extVar('claims');
    {
      identity: {
        traits: {
          // Allowing unverified email addresses enables account
          // enumeration attacks,  if the value is used for
          // verification or as a password login identifier.
          //
          // If connecting only to your organization (one tenant), claims.email is safe to use if you haven't actively disabled e-mail verification during signup.
          //
          // The email might be empty if the account isn't linked to an email address.
          // For a human readable identifier, consider using the "preferred_username" claim.
          [if "email" in claims then "email" else null]: claims.email,
        },
      },
    }
AzureAD app registered as Web platform with redirect URIs:
https://kratos.mydomain.com/self-service/methods/oidc/callback/microsoft
http://localhost:3000
I see two cookies set with some values in my browser: ory_kratos_continuity and csrf_token_afc... I have tried to clear the cookies in browser but no success. Hopefully someone here can help me by pointing out where I'm going wrong 🙂 Thanks!