# talk-kratos
b
Hello, I'm facing an issue when I try to set up Kratos with the NextJS Kratos UI. Here is my use case:

1. The user logs into the app using dev.example.com/login.
2. The user is redirected to dev.example.com after a successful login, just like the NextJS Kratos UI app in Ory's example repository.
3. After a successful login, the user should be able to safely navigate to app.example.com, which is a protected URL that requires an authenticated user with a valid cookie.

However, in step 3 the user is not able to navigate safely, because the cookie being set in the browser is for the domain dev.example.com. I did configure the cookie domain setting to example.com in the Kratos config, as well as session->cookie to the same value. Am I missing something here?
d
Hello. Could you show your Kratos config, please?
You can check 'Advanced Base URL, CSRF & Session Cookie settings'. Your session configuration should look like this:

```yaml
session:
  cookie:
    domain: example.com
```
b
Hey @User! Thanks for the response. I'm facing a problem wherein, after doing that configuration, for some reason it never reaches the browser.
```yaml
kratos:

  development: true
  secrets:
    cookie:
      - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  # -- Enable the initialization job. Required to work with a DB
  autoMigrate: true

  # -- You can add multiple identity schemas here
  identitySchemas:
    "identity.default.schema.json": |
      {
        "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "Person",
        "type": "object",
        "properties": {
          "traits": {
            "type": "object",
            "properties": {
              "email": {
                "type": "string",
                "format": "email",
                "title": "E-Mail",
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    }
                  },
                  "recovery": {
                    "via": "email"
                  },
                  "verification": {
                    "via": "email"
                  }
                }
              }
            },
            "required": [
              "email"
            ],
            "additionalProperties": false
          }
        }
      }

  config:
    # dsn: postgres://foo:bar@pg-sqlproxy-gcloud-sqlproxy:5432/db
    dsn: cockroach://root@cockroachdb:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4

    courier:
      smtp:
        connection_uri: smtp://mailhog.default.svc.cluster.local:1025/?disable_starttls=true

    cookies:
      domain: bitglaze.com
      same_site: Lax
    session:
      cookie:
        domain: bitglaze.com
    serve:
      public:
        base_url: https://dev.bitglaze.com/.ory/kratos/public/
        cors:
          allowed_origins:
            - https://*.bitglaze.com
          allowed_methods:
            - POST
            - GET
            - PUT
            - PATCH
            - DELETE
          allowed_headers:
            - Authorization
            - Cookie
            - Content-Type
            - X-Session-Token
          exposed_headers:
            - Content-Type
            - Set-Cookie
          allow_credentials: true
          options_passthrough: false
          debug: true
          enabled: true
        port: 80

    selfservice:
      default_browser_return_url: https://dev.bitglaze.com/
      whitelisted_return_urls:
        - https://*.bitglaze.com
      methods:
        password:
          enabled: true
        totp:
          enabled: true
        lookup_secret:
          enabled: true
      flows:
        error:
          ui_url: https://dev.bitglaze.com/error
        settings:
          ui_url: https://dev.bitglaze.com/settings
          privileged_session_max_age: 15m
        recovery:
          enabled: true
          ui_url: https://dev.bitglaze.com/recovery
        verification:
          enabled: true
          ui_url: https://dev.bitglaze.com/verification
          after:
            default_browser_return_url: https://dev.bitglaze.com/
        logout:
          after:
            default_browser_return_url: https://dev.bitglaze.com/login
        login:
          ui_url: https://dev.bitglaze.com/login
          lifespan: 10m
        registration:
          lifespan: 10m
          ui_url: https://dev.bitglaze.com/registration
          after:
            password:
              hooks:
                - hook: session

    identity:
      default_schema_url: file:///etc/config/identity.default.schema.json

    log:
      level: debug
      format: text
      leak_sensitive_values: true
```
Here are the Kratos logs:
[cors] 2022/02/22 08:45:30 Handler: Actual request
[cors] 2022/02/22 08:45:30 Actual request no headers added: missing origin
time=2022-02-22T08:45:30Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http]
time=2022-02-22T08:45:31Z level=debug msg=Running ExecuteLoginPostHook. audience=application flow_method=password http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http] identity_id=85d462d2-418c-4a20-9f1a-617a2ba097dc service_name=Ory Kratos service_version=v0.8.0-alpha.3
time=2022-02-22T08:45:31Z level=info msg=Identity authenticated successfully and was issued an Ory Kratos Session Cookie. audience=audit http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http] identity_id=85d462d2-418c-4a20-9f1a-617a2ba097dc service_name=Ory Kratos service_version=v0.8.0-alpha.3 session_id=08bdbe2a-27f0-418c-9e31-cc4e1214378f
time=2022-02-22T08:45:31Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 set-cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; Path=/; Domain=<http://bitglaze.com|bitglaze.com>; Max-Age=31536000; HttpOnly; SameSite=Lax vary:Origin] size:1143 status:200 text_status:OK took:482.477295ms]
[cors] 2022/02/22 08:45:31 Handler: Actual request
[cors] 2022/02/22 08:45:31 Actual request no headers added: missing origin
time=2022-02-22T08:45:31Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:9543 scheme:http]
time=2022-02-22T08:45:31Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:9543 scheme:http] http_response=map[headers:map[content-type:application/json; charset=utf-8 vary:Origin x-kratos-authenticated-identity-id:85d462d2-418c-4a20-9f1a-617a2ba097dc] size:1125 status:200 text_status:OK took:27.596022ms]
[cors] 2022/02/22 08:45:31 Handler: Actual request
[cors] 2022/02/22 08:45:31 Actual request no headers added: missing origin
time=2022-02-22T08:45:31Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:61543 scheme:http]
time=2022-02-22T08:45:31Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:61543 scheme:http] http_response=map[headers:map[content-type:application/json; charset=utf-8 vary:Origin x-kratos-authenticated-identity-id:85d462d2-418c-4a20-9f1a-617a2ba097dc] size:1125 status:200 text_status:OK took:26.33934ms]
The Domain appears to be missing from the response.
In case this info helps: I'm using Emissary Ingress as the gateway and have deployed this locally on Minikube with the Ory Kratos Helm charts.
b
I was about to come and ask the same question, but this answered my question, thanks! The idea is to run Kratos at, say, kratos.domain.tld and then the app at app.domain.tld. But are there any good hints/pointers on what to do if for some reason I would like to run at app.another-domain.tld? How would that be implemented? What are the keywords to look for in the documentation, for example? Is this the case where Hydra would help, or is this also in the scope of Kratos? (Just curiosity at the moment for me.)
d
@User It is possible to set a cookie for mydomain.com when the original request was made to subdomain.mydomain.com. It is however not possible to set a cookie for anotherdomain.com when the original request was made to mydomain.com. See also this answer on StackOverflow. Taken from Configuring Cookies.
b
@User it seems there is a bug where the Domain is not sent in Set-Cookie on the NextJS Kratos UI. For now, I was able to work around it by forcing the cookie domain in the Next integrations' createAPIHandler function. However, this doesn't seem like a long-term solution to the problem.
Here's the issue on GitHub I'm referring to: https://github.com/ory/kratos/issues/2194
b
Yep. I know a cookie cannot be set for another domain; that is why I asked whether there is a resource to solve that problem. Like passing a token in an HTTP request to another.tld, which will then send it as a Cookie parameter and verify it through an internal API, or should it be wrapped around Hydra/OAuth2/etc.?