stale-tomato-90284
03/11/2022, 11:07 AM
key ory_kratos_oidc_auth_code_session does not exist in cookie
The issue seems to have to do with the ory_kratos_continuity cookie. This cookie has been set twice, once on kratos.staging.example.com and once on example.com. When I clear the ory_kratos_continuity cookie on kratos.staging.example.com everything works fine again. This makes this login type unusable at the moment.
I noticed that the issue can be solved by checking which ory_kratos_continuity cookie is valid, and using that one. This is because, when Chrome sends the cookies, it sends them in the order of first kratos.staging.example.com and then example.com. When trying the same login flow in Firefox, everything works fine because Firefox sends first the example.com cookie and then the kratos.staging.example.com cookie. Also, when I copy the failed chrome request, switch the cookies order like mentioned, and send it with postman or curl, the same request now works as well.
Not sure how to go about this, but this seems like a bug to me? Or is this something that can be solved with a correct configuration? (fyi @User) magnificent-energy-493
stale-tomato-90284
03/11/2022, 11:40 AM
version: v0.8.2-alpha.1
serve:
  public:
    base_url: https://kratos.staging.example.com/
    cors:
      enabled: true
  admin:
    base_url: http://localhost:4434/
selfservice:
  default_browser_return_url: https://app.staging.example.com/
  whitelisted_return_urls:
    - http://localhost:3000/
    - https://app.staging.example.com/
  methods:
    password:
      enabled: true
    oidc:
      enabled: true
      config:
        providers:
          - id: microsoft # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
            provider: microsoft
            client_id: REDACTED # Replace this with the Application ID from the App Registration
            client_secret: REDACTED # Replace this with the generated Secret value from the App Registration
            tenant: REDACTED # Replace this with the Tenant of your choice (see below)
            mapper_url: file:///etc/config/oidc.microsoft.jsonnet
            scope:
              - profile
              - email
  flows:
    error:
      ui_url: https://app.staging.example.com/error
    settings:
      ui_url: https://app.staging.example.com/settings
      privileged_session_max_age: 15m
    recovery:
      enabled: true
      ui_url: https://app.staging.example.com/recovery
    verification:
      enabled: true
      ui_url: https://app.staging.example.com/verification
      after:
        default_browser_return_url: https://app.staging.example.com/
    logout:
      after:
        default_browser_return_url: https://app.staging.example.com/login
    login:
      ui_url: https://app.staging.example.com/login
      lifespan: 10m
    registration:
      lifespan: 10m
      ui_url: https://app.staging.example.com/registration
      after:
        password:
          hooks:
            - hook: session
log:
  level: debug
  format: text
  leak_sensitive_values: true
secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL
ciphers:
  algorithm: xchacha20-poly1305
hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8
identity:
  default_schema_url: file:///etc/config/identity.default.schema.json
courier:
  smtp:
    connection_uri: REDACTED
cookies:
  same_site: Lax
  domain: .example.com
oidc.microsoft.jsonnet:
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // If connecting only to your organization (one tenant), claims.email is safe to use if you have not actively disabled e-mail verification during signup.
      //
      // The email might be empty if the account is not linked to an email address.
      // For a human readable identifier, consider using the "preferred_username" claim.
      [if "email" in claims then "email" else null]: claims.email,
    },
  },
}
identity.default.schema.json:
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string"
            },
            "last": {
              "title": "Last Name",
              "type": "string"
            }
          }
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
magnificent-energy-493
stale-tomato-90284
03/11/2022, 1:30 PM
magnificent-energy-493