#talk-kratos
Title
s
stale-tomato-90284
03/11/2022, 11:07 AMHey Everyone, I have an issue with my self-hosted kratos OIDC login:
Setup:
kratos: kratos.staging.example.com
nextjs app: app.staging.example.com
I have configured Microsoft as an open id login option.
When using Microsoft to login the first time, everything works fine. After logging out and logging in again, I get the following error:
Copy code
key ory_kratos_oidc_auth_code_session does not exist in cookieory_kratos_continuityory_kratos_continuity✅ 1
m
magnificent-energy-493
03/11/2022, 11:38 AM
Hello Lucas,
are you able to share you kratos config - sensitive values redacted?
s
stale-tomato-90284
03/11/2022, 11:40 AM@User Absolutely:
Copy code
version: v0.8.2-alpha.1
serve:
public:
base_url: <https://kratos.staging.example.com/>
cors:
enabled: true
admin:
base_url: <http://localhost:4434/>
selfservice:
default_browser_return_url: <https://app.staging.example.com/>
whitelisted_return_urls:
- <http://localhost:3000/>
- <https://app.staging.example.com/>
methods:
password:
enabled: true
oidc:
enabled: true
config:
providers:
- id: microsoft # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
provider: microsoft
client_id: REDACTED # Replace this with the Application ID from the App Registration
client_secret: REDACTED # Replace this with the generated Secret value from the App Registration
tenant: REDACTED # Replace this with the Tenant of your choice (see below)
mapper_url: file:///etc/config/oidc.microsoft.jsonnet
scope:
- profile
- email
flows:
error:
ui_url: <https://app.staging.example.com/error>
settings:
ui_url: <https://app.staging.example.com/settings>
privileged_session_max_age: 15m
recovery:
enabled: true
ui_url: <https://app.staging.example.com/recovery>
verification:
enabled: true
ui_url: <https://app.staging.example.com/verification>
after:
default_browser_return_url: <https://app.staging.example.com/>
logout:
after:
default_browser_return_url: <https://app.staging.example.com/login>
login:
ui_url: <https://app.staging.example.com/login>
lifespan: 10m
registration:
lifespan: 10m
ui_url: <https://app.staging.example.com/registration>
after:
password:
hooks:
- hook: session
log:
level: debug
format: text
leak_sensitive_values: true
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL
ciphers:
algorithm: xchacha20-poly1305
hashers:
algorithm: bcrypt
bcrypt:
cost: 8
identity:
default_schema_url: file:///etc/config/identity.default.schema.json
courier:
smtp:
connection_uri: REDACTED
cookies:
same_site: Lax
domain: .<http://example.com|example.com>oidc.microsoft.jsonnet:
Copy code
local claims = std.extVar('claims');
{
identity: {
traits: {
// Allowing unverified email addresses enables account
// enumeration attacks, especially if the value is used for
// e.g. verification or as a password login identifier.
//
// If connecting only to your organization (one tenant), claims.email is safe to use if you have not actively disabled e-mail verification during signup.
//
// The email might be empty if the account is not linked to an email address.
// For a human readable identifier, consider using the "preferred_username" claim.
[if "email" in claims then "email" else null]: claims.email,
},
},
} Copy code
{
"$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",
"$schema": "<http://json-schema.org/draft-07/schema#>",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
},
"name": {
"type": "object",
"properties": {
"first": {
"title": "First Name",
"type": "string"
},
"last": {
"title": "Last Name",
"type": "string"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
}
}not sure if related: https://github.com/ory/kratos/issues/2121 ?
@User @User after manually building the ory/kratos:master docker image and using that one for deployment and migration job etc, this now works without issue. I assume the issue I linked in the last comment has fixed this. I think this is quite a big issue though. Do you have a timeline on the next oryd/kratos dockerimage release? I prefer to use yours than a self-build, self-tagged image
m
magnificent-energy-493
03/11/2022, 1:29 PM
that is the PR that fixed it that is correct https://github.com/ory/kratos/pull/2123
We recently made a big overhaul of the release pipeline, so thats why some releases have been delayed. It should come soon, I cant give you concrete timelines, but bear with us 🙏
🙏 1
👏 1
s
stale-tomato-90284
03/11/2022, 1:30 PMThanks @User ! Yes I noticed the kratos changes as well, upgrading to the master version brought some config changes with it 🙂 I really appreciate the work all the wonderful people at Ory are doing!
m
magnificent-energy-493
03/11/2022, 1:44 PM
That is great to hear Lucas, and feedback like yours is immensely valuable for Ory, so thank you 🙂
🙌 1
7 Views