https://www.ory.sh/ logo
Powered by
#talk-kratos
Title
# talk-kratos
b

brash-gpu-27606

02/22/2022, 6:58 AM
Hello, I'm facing issue when i try to setup for Kratos with NextJS Kratos UI. Here is my use case - 1. User logs into the app using dev.example.com/login 2. User is redirected to dev.example.com post successful login just like the Nextjs Kratos UI app in Ory's example repository. 3. Post successful login, the user should be able to safely navigate to app.example.com which is actually a protected url which requires authenticated user with valid cookie. However in Step 3, the user is not able to safely navigate as the cookie being set on the browser is on the domain dev.example.com. I did configure the cookie domain settings to example.com in kratos config as well as session->cookie to same thing. Am i missing something over here?
d

damp-sunset-69236

02/22/2022, 8:29 AM
Hello. Could you show your kratos config please?
You can check ‘Advanced Base URl, CSRF & Session Cookie settings’ You session configuration should look like this
Copy code
session:
        cookie:
          domain: <http://example.com|example.com>
b

brash-gpu-27606

02/22/2022, 8:47 AM
Hey @User! Thanks for the response. I'm facing a problem wherein after doing that configuration, for some reason it never reaches the browser.
Copy code
kratos:

  development: true
  secrets:
    cookie:
        - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  # -- Enable the initialization job. Required to work with a DB
  autoMigrate: true

  # -- You can add multiple identity schemas here
  identitySchemas:
    "identity.default.schema.json": |
      {
         "$id": "<https://schemas.ory.sh/presets/kratos/identity.email.schema.json>",
         "$schema": "<http://json-schema.org/draft-07/schema#>",
         "title": "Person",
         "type": "object",
         "properties": {
            "traits": {
               "type": "object",
               "properties": {
                  "email": {
                     "type": "string",
                     "format": "email",
                     "title": "E-Mail",
                     "<http://ory.sh/kratos|ory.sh/kratos>": {
                        "credentials": {
                           "password": {
                              "identifier": true
                           }
                        },
                        "recovery": {
                           "via": "email"
                        },
                        "verification": {
                           "via": "email"
                        }
                     }
                  }
               },
               "required": [
                  "email"
               ],
               "additionalProperties": false
            }
         }
      }

  config:
    # dsn: <postgres://foo:bar@pg-sqlproxy-gcloud-sqlproxy:5432/db>
   dsn: <cockroach://root@cockroachdb:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4>

   courier:
      smtp:
        connection_uri: <smtp://mailhog.default.svc.cluster.local:1025/?disable_starttls=true>

   cookies:
      domain: <http://bitglaze.com|bitglaze.com>
      same_site: Lax
   session:
      cookie:
        domain: <http://bitglaze.com|bitglaze.com>
   serve:
    public:
        base_url: <https://dev.bitglaze.com/.ory/kratos/public/>
        cors:
            allowed_origins:
                - https://*.<http://bitglaze.com|bitglaze.com>
            allowed_methods:
                - POST
                - GET
                - PUT
                - PATCH
                - DELETE
            allowed_headers:
                - Authorization
                - Cookie
                - Content-Type
                - X-Session-Token
            exposed_headers:
                - Content-Type
                - Set-Cookie
            allow_credentials: true
            options_passthrough: false
            debug: true
            enabled: true
        port: 80

   selfservice:
      default_browser_return_url: <https://dev.bitglaze.com/>
      whitelisted_return_urls:
        - https://*.<http://bitglaze.com|bitglaze.com>
      methods:
         password:
               enabled: true
         totp:
               enabled: true
         lookup_secret:
               enabled: true
      flows:
         error:
               ui_url: <https://dev.bitglaze.com/error>
         settings:
               ui_url: <https://dev.bitglaze.com/settings>
               privileged_session_max_age: 15m
         recovery:
               enabled: true
               ui_url: <https://dev.bitglaze.com/recovery>
         verification:
               enabled: true
               ui_url: <https://dev.bitglaze.com/verification>
               after:
                  default_browser_return_url: <https://dev.bitglaze.com/>
         logout:
               after:
                  default_browser_return_url: <https://dev.bitglaze.com/login>
         login:
               ui_url: <https://dev.bitglaze.com/login>
               lifespan: 10m
         registration:
               lifespan: 10m
               ui_url: <https://dev.bitglaze.com/registration>
               after:
                  password:
                     hooks:
                           - hook: session

   identity:
      default_schema_url: file:///etc/config/identity.default.schema.json

   log:
      level: debug
      format: text
      leak_sensitive_values: true
Here are the logs of Kratos -
Copy code
[cors] 2022/02/22 08:45:30 Handler: Actual request
[cors] 2022/02/22 08:45:30 Actual request no headers added: missing origin
time=2022-02-22T08:45:30Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http]
time=2022-02-22T08:45:31Z level=debug msg=Running ExecuteLoginPostHook. audience=application flow_method=password http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http] identity_id=85d462d2-418c-4a20-9f1a-617a2ba097dc service_name=Ory Kratos service_version=v0.8.0-alpha.3
time=2022-02-22T08:45:31Z level=info msg=Identity authenticated successfully and was issued an Ory Kratos Session Cookie. audience=audit http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http] identity_id=85d462d2-418c-4a20-9f1a-617a2ba097dc service_name=Ory Kratos service_version=v0.8.0-alpha.3 session_id=08bdbe2a-27f0-418c-9e31-cc4e1214378f
time=2022-02-22T08:45:31Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close content-type:application/json cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=B1Y77RmPZkaD+rlcnDzco3V9WT4F0AN8fG1EmIt2WBo= referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:POST path:/self-service/login query:flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6 remote:172.17.0.1:1573 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 set-cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; Path=/; Domain=<http://bitglaze.com|bitglaze.com>; Max-Age=31536000; HttpOnly; SameSite=Lax vary:Origin] size:1143 status:200 text_status:OK took:482.477295ms]
[cors] 2022/02/22 08:45:31 Handler: Actual request
[cors] 2022/02/22 08:45:31 Actual request no headers added: missing origin
time=2022-02-22T08:45:31Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:9543 scheme:http]
time=2022-02-22T08:45:31Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/login?flow=6c332101-a1ea-4a31-9bc9-9805c0b130d6> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:9543 scheme:http] http_response=map[headers:map[content-type:application/json; charset=utf-8 vary:Origin x-kratos-authenticated-identity-id:85d462d2-418c-4a20-9f1a-617a2ba097dc] size:1125 status:200 text_status:OK took:27.596022ms]
[cors] 2022/02/22 08:45:31 Handler: Actual request
[cors] 2022/02/22 08:45:31 Actual request no headers added: missing origin
time=2022-02-22T08:45:31Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:61543 scheme:http]
time=2022-02-22T08:45:31Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, / accept-encoding:gzip, deflate accept-language:en-IN,en-GB;q=0.9,en;q=0.8,en-US;q=0.7 connection:close cookie:csrf_token_a1ef72f817aa785fd776758de4364067ed05b87cb77cf196c4bfbb45f291b573=FWn7WuMMiAkI8iK5xv9k+SayM+LKjZf8E1qsQvNfwBI=; ory_kratos_session=MTY0NTUxOTUzMXxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR0ZMU0ZFeU5FVlFiR041WW05cFFqaFZhVWRQZDJSeVF6RlVWbkF4T1U1NnxkXXilig7G7jjPoRFtFy2HOQQZT2KwewMz7ffeWiOl3Q== referer:<https://dev.bitglaze.com/> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56] host:kratos-public.default.svc.cluster.local method:GET path:/sessions/whoami query:<nil> remote:172.17.0.1:61543 scheme:http] http_response=map[headers:map[content-type:application/json; charset=utf-8 vary:Origin x-kratos-authenticated-identity-id:85d462d2-418c-4a20-9f1a-617a2ba097dc] size:1125 status:200 text_status:OK took:26.33934ms]
Domain appears missing from response.
In case this info helps - I'm using Emissary Ingress as Gateway and have deployed this locally using Minikube with Ory Kratos Helm Charts.
b

billions-leather-15882

02/23/2022, 12:29 PM
I was about to come and ask the same question but this answered my question, thanks! The idea to run kratos at say kratos.domain.tld and then app at app.domain.tld .. But any good hints / pointers what to do if for some reason I would like to run at app.another-domain.tld - how would that be implemented? What are the keywords to look in the documentation for example. Is this the case where hydra would help or is this also in the scope of kratos? (just curiosity at the moment for me)
d

damp-sunset-69236

02/23/2022, 12:55 PM
@User It is possible to set a cookie for 
<http://mydomain.com|mydomain.com>
 when the original request was made to 
<http://subdomain.mydomain.com|subdomain.mydomain.com>
. It is however not possible to set a cookie for 
<http://anotherdomain.com|anotherdomain.com>
 when the original request was made to 
<http://mydomain.com|mydomain.com>
. See also this answer on StackOverflow. Taken from Configuring Cookies
b

brash-gpu-27606

02/23/2022, 1:06 PM
@User it seems like there is a bug that doesn't send Domain in Set-Cookie on NextJS Kratos UI. As for now, i was able to work it around by forcing cookie domain in next integrations createAPIHandler function. However, this doesn't seem like a long term solution to the problem.
Here's the issue on GitHub I'm referring to. https://github.com/ory/kratos/issues/2194
👀 1
b

billions-leather-15882

02/23/2022, 1:15 PM
Yep. I know cookie can not be set to another domain, that is why I asked is there a resource to solve that problem. Like passing a token in HTTP request to another.tld which will then send it as Cookie parameter and verify trhough internal API or should it be wrapped around hydra/oauth2/etc...
4 Views
Powered by