# talk-kratos
s
Hey Everyone, I have an issue with my self-hosted kratos OIDC login.

Setup:
- kratos: kratos.staging.example.com
- nextjs app: app.staging.example.com

I have configured Microsoft as an OpenID login option. When using Microsoft to login the first time, everything works fine. After logging out and logging in again, I get the following error:

```
key ory_kratos_oidc_auth_code_session does not exist in cookie
```

The issue seems to have to do with the `ory_kratos_continuity` cookie. This cookie has been set twice, once on kratos.staging.example.com and once on example.com. When I clear the `ory_kratos_continuity` cookie on kratos.staging.example.com everything works fine again. This makes this login type unusable at the moment.

I noticed that the issue can be solved by checking which `ory_kratos_continuity` cookie is valid, and using that one. This is because, when Chrome sends the cookies, it sends them in the order of first kratos.staging.example.com and then example.com. When trying the same login flow in Firefox, everything works fine because Firefox sends first the example.com cookie and then the kratos.staging.example.com cookie. Also, when I copy the failed Chrome request, switch the cookie order like mentioned, and send it with Postman or curl, the same request now works as well.

Not sure how to go about this, but this seems like a bug to me? Or is this something that can be solved with a correct configuration? (fyi @User)
m
Hello Lucas, are you able to share your kratos config - sensitive values redacted?
s
@User Absolutely:
```yaml
version: v0.8.2-alpha.1

serve:
  public:
    base_url: https://kratos.staging.example.com/
    cors:
      enabled: true

  admin:
    base_url: http://localhost:4434/

selfservice:
  default_browser_return_url: https://app.staging.example.com/
  whitelisted_return_urls:
    - http://localhost:3000/
    - https://app.staging.example.com/

  methods:
    password:
      enabled: true
    oidc:
      enabled: true
      config:
        providers:
          - id: microsoft # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
            provider: microsoft
            client_id: REDACTED # Replace this with the Application ID from the App Registration
            client_secret: REDACTED # Replace this with the generated Secret value from the App Registration
            tenant: REDACTED # Replace this with the Tenant of your choice (see below)
            mapper_url: file:///etc/config/oidc.microsoft.jsonnet
            scope:
              - profile
              - email

  flows:
    error:
      ui_url: https://app.staging.example.com/error

    settings:
      ui_url: https://app.staging.example.com/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: https://app.staging.example.com/recovery

    verification:
      enabled: true
      ui_url: https://app.staging.example.com/verification
      after:
        default_browser_return_url: https://app.staging.example.com/

    logout:
      after:
        default_browser_return_url: https://app.staging.example.com/login

    login:
      ui_url: https://app.staging.example.com/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: https://app.staging.example.com/registration
      after:
        password:
          hooks:
            - hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_url: file:///etc/config/identity.default.schema.json

courier:
  smtp:
    connection_uri: REDACTED

cookies:
  same_site: Lax
  domain: .example.com
```
oidc.microsoft.jsonnet:
```jsonnet
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // If connecting only to your organization (one tenant), claims.email is safe to use if you have not actively disabled e-mail verification during signup.
      //
      // The email might be empty if the account is not linked to an email address.
      // For a human readable identifier, consider using the "preferred_username" claim.
      [if "email" in claims then "email" else null]: claims.email,
    },
  },
}
```
identity.default.schema.json:
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string"
            },
            "last": {
              "title": "Last Name",
              "type": "string"
            }
          }
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
```
@User @User After manually building the ory/kratos:master docker image and using that one for deployment, the migration job etc., this now works without issue. I assume the issue I linked in the last comment has fixed this. I think this is quite a big issue though. Do you have a timeline on the next oryd/kratos docker image release? I prefer to use yours rather than a self-built, self-tagged image.
m
That is the PR that fixed it, that is correct: https://github.com/ory/kratos/pull/2123. We recently made a big overhaul of the release pipeline, so that's why some releases have been delayed. It should come soon; I can't give you concrete timelines, but bear with us 🙏
s
Thanks @User! Yes, I noticed the kratos changes as well; upgrading to the master version brought some config changes with it 🙂 I really appreciate the work all the wonderful people at Ory are doing!
m
That is great to hear Lucas, and feedback like yours is immensely valuable for Ory, so thank you 🙂