dazzling-toothbrush-97662
01/06/2022, 3:26 PM
ERR_TOO_MANY_REDIRECTS
I changed lots of configs, but couldn’t fix that.
kratos:
  autoMigrate: true
  config:
    version: v0.8.0-alpha.3
    dsn: REDACTED
    serve:
      public:
        base_url: https://auth.foo.bar
        cors:
          enabled: true
      admin:
        base_url: https://auth-admin.foo.bar
    courier:
      smtp:
        connection_uri: REDACTED
        from_name: John Doe
        from_address: noreply@foo.bar
    selfservice:
      default_browser_return_url: https://accounts.foo.bar
      flows:
        error:
          ui_url: https://accounts.foo.bar/error
        settings:
          ui_url: https://accounts.foo.bar/settings
        login:
          ui_url: https://accounts.foo.bar/login
        registration:
          ui_url: https://accounts.foo.bar/registration
          after:
            password:
              hooks:
                - hook: session
        recovery:
          enabled: true
          ui_url: https://accounts.foo.bar/recovery
        verification:
          enabled: true
          ui_url: https://accounts.foo.bar/verify
    log:
      leak_sensitive_values: true
    identity:
      default_schema_url: file:///etc/config/identity.schema.json
  identitySchemas:
    "identity.schema.json": |
      {
        "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "Person",
        "type": "object",
        "properties": {
          "traits": {
            "type": "object",
            "properties": {
              "email": {
                "type": "string",
                "format": "email",
                "title": "E-Mail",
                "minLength": 3,
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    }
                  },
                  "verification": {
                    "via": "email"
                  },
                  "recovery": {
                    "via": "email"
                  }
                }
              },
              "name": {
                "type": "object",
                "properties": {
                  "first": {
                    "title": "First Name",
                    "type": "string"
                  },
                  "last": {
                    "title": "Last Name",
                    "type": "string"
                  }
                }
              }
            },
            "required": [
              "email"
            ],
            "additionalProperties": false
          }
        }
      }
  ingress:
    admin:
      enabled: true
      className: nginx
      hosts:
        - host: auth-admin.foo.bar
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - secretName: foo-bar-tls
          hosts:
            - auth-admin.foo.bar
    public:
      enabled: true
      className: nginx
      hosts:
        - host: auth.foo.bar
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - secretName: foo-bar-tls
          hosts:
            - auth.foo.bar
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: accounts.foo.bar
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: foo-bar-tls
      hosts:
        - accounts.foo.bar
kratosBrowserUrl: "https://auth.foo.bar"
kratosPublicUrl: "https://auth.foo.bar"
kratosAdminUrl: "https://auth-admin.foo.bar"
baseUrl: "/"
jolly-magazine-7609
01/06/2022, 4:33 PM
dazzling-toothbrush-97662
01/06/2022, 4:37 PM
jolly-magazine-7609
01/06/2022, 4:38 PM
foo.bar,
dazzling-toothbrush-97662
01/06/2022, 4:42 PM
jolly-magazine-7609
01/06/2022, 4:43 PM
Session Cookie Domain
dazzling-toothbrush-97662
01/06/2022, 4:44 PM
jolly-magazine-7609
01/06/2022, 4:44 PM
dazzling-toothbrush-97662
01/06/2022, 4:45 PM
jolly-magazine-7609
01/06/2022, 4:45 PM
domain_aliases
dazzling-toothbrush-97662
01/06/2022, 4:45 PM
jolly-magazine-7609
01/06/2022, 4:45 PM
dazzling-toothbrush-97662
01/06/2022, 4:46 PM
jolly-magazine-7609
01/06/2022, 4:46 PM
dazzling-toothbrush-97662
01/06/2022, 4:46 PM
jolly-magazine-7609
01/06/2022, 4:46 PM
/public/api
dazzling-toothbrush-97662
01/06/2022, 4:47 PM
jolly-magazine-7609
01/06/2022, 4:48 PM
dazzling-toothbrush-97662
01/06/2022, 4:50 PM
jolly-magazine-7609
01/06/2022, 4:50 PM
dazzling-toothbrush-97662
01/06/2022, 4:51 PM
https://accounts.foo.bar/registration?flow=b30db8d1-9cf4-4661-87d9-dd80c33c0b22
jolly-magazine-7609
01/06/2022, 4:51 PM
/api/public/self-service/login/api
curl -v
dazzling-toothbrush-97662
01/06/2022, 4:54 PM
➜ curl -v -s -X GET \
  -H "Accept: application/json" \
  https://auth.foo.bar/self-service/login/api
* Trying 104.21.13.44...
* TCP_NODELAY set
* Connected to auth.foo.bar (104.21.13.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Jul 1 00:00:00 2021 GMT
* expire date: Jun 30 23:59:59 2022 GMT
* subjectAltName: host "auth.foo.bar" matched cert's "*.foo.bar"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc491810a00)
> GET /self-service/login/api HTTP/2
> Host: auth.foo.bar
> User-Agent: curl/7.64.1
> Accept: application/json
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Thu, 06 Jan 2022 16:54:14 GMT
< content-type: application/json; charset=utf-8
< content-length: 1331
< cache-control: private, no-cache, no-store, must-revalidate
< vary: Origin
< vary: Cookie
< strict-transport-security: max-age=15724800; includeSubDomains
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8bdT4jBfLjGvDUQtrPTpvhd4oubBqXP6OJyBEP7%2FcKCGEACyrvm2nOdjdvjj7NdSq%2FTp0cQrG%2FXFDQkGYWIWmAk3FX2Gbh5zNypNgIZ2oHgfKM8V7hmdItZi8nG7C88PSelCIUqxNVoZ6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6c967795d9bf4e31-FRA
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
{"id":"a4846c45-d587-4c45-8dc5-b151e23d8cbb","type":"api","expires_at":"2022-01-06T17:54:14.720544901Z","issued_at":"2022-01-06T16:54:14.720544901Z","request_url":"http://auth.foo.bar/self-service/login/api","ui":{"action":"https://auth.foo.bar/self-service/login?flow=a4846c45-d587-4c45-8dc5-b151e23d8cbb","method":"POST","nodes":[{"type":"input","group":"default","attributes":{"name":"csrf_token","type":"hidden","value":"","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"password_identifier","type":"text","value":"","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070004,"text":"ID","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"password","type":"password","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070001,"text":"Password","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"method","type":"submit","value":"password","disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1010001,"text":"Sign in","type":"info","context":{}}}}]},"created_at":"2022-01-06T16:54:14.72626Z","updated_at":"2022-01-06T16:54:14.72626Z","refresh":false,"requested_aal":"aal1"}
* Connection #0 to host auth.foo.bar left intact
* Closing connection 0
request_url is http not https. Maybe this is the problem, huh?
jolly-magazine-7609
01/06/2022, 5:03 PM
dazzling-toothbrush-97662
01/06/2022, 5:04 PM
jolly-magazine-7609
01/06/2022, 5:04 PM
curl -v -s -X GET \
  -H "Accept: application/json" \
  https://auth.foo.bar/self-service/login/browser
dazzling-toothbrush-97662
01/06/2022, 5:06 PM
< set-cookie: csrf_token_2edd7809834ad40adb6feb3276519cec29d23dd2b32dad7191ed49fffbc38121=frFDDEhMXY4puQWIwX396ibn9p/brJgK2F/8r9iSScM=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
jolly-magazine-7609
01/06/2022, 5:07 PM
dazzling-toothbrush-97662
01/06/2022, 5:07 PM
jolly-magazine-7609
01/06/2022, 5:08 PM
Path=/; Domain=foo.bar; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
dazzling-toothbrush-97662
01/06/2022, 5:09 PM
session.cookie.domain to foo.bar but it doesn’t care 😄
jolly-magazine-7609
01/06/2022, 5:10 PM
dazzling-toothbrush-97662
01/06/2022, 5:10 PM
jolly-magazine-7609
01/06/2022, 5:10 PM
dazzling-toothbrush-97662
01/06/2022, 5:10 PM
jolly-magazine-7609
01/06/2022, 5:13 PM
kratos > config > session > cookie > domain set?
dazzling-toothbrush-97662
01/06/2022, 5:14 PM
cookies.domain set, domain_aliases set 😄
jolly-magazine-7609
01/06/2022, 5:16 PM
dazzling-toothbrush-97662
01/06/2022, 5:16 PM
jolly-magazine-7609
01/06/2022, 5:17 PM
dazzling-toothbrush-97662
01/06/2022, 5:17 PM
jolly-magazine-7609
01/06/2022, 5:20 PM
session > cookie, the domain_aliases and the cookies
dazzling-toothbrush-97662
01/06/2022, 5:22 PM
jolly-magazine-7609
01/06/2022, 5:24 PM
cookies is set to the web app. A domain alias is set to the web app but with a base path of /api/public and the match_domain as the web app domain, and the session > cookie is set to the root domain.
dazzling-toothbrush-97662
01/06/2022, 10:25 PM
high-optician-2097
dazzling-toothbrush-97662
01/07/2022, 9:09 AM
high-optician-2097
dazzling-toothbrush-97662
01/07/2022, 9:18 AM
high-optician-2097
stale-queen-97584
02/02/2022, 1:35 PM
adorable-article-65467
02/02/2022, 1:49 PM
# Settings for both anti-CSRF and session cookies
cookies:
  domain: www.cookies.com
  path: /cookies
  same_site: Lax
I added #cookies to the kratos yaml according to https://www.ory.sh/kratos/docs/guides/multi-domain-cookies/#cookies
stale-queen-97584
02/02/2022, 3:33 PM