#talk-kratos
Title
d
dazzling-toothbrush-97662
01/06/2022, 3:26 PMHi,
I just ran Ory Kratos in local and tested it successfully.
But, when I tried to run it on a Kubernetes cluster, I get
ERR_TOO_MANY_REDIRECTSmy helm values:
Copy code
kratos:
autoMigrate: true
config:
version: v0.8.0-alpha.3
dsn: REDACTED
serve:
public:
base_url: <https://auth.foo.bar>
cors:
enabled: true
admin:
base_url: <https://auth-admin.foo.bar>
courier:
smtp:
connection_uri: REDACTED
from_name: John Doe
from_address: noreply@foo.bar
selfservice:
default_browser_return_url: <https://accounts.foo.bar>
flows:
error:
ui_url: <https://accounts.foo.bar/error>
settings:
ui_url: <https://accounts.foo.bar/settings>
login:
ui_url: <https://accounts.foo.bar/login>
registration:
ui_url: <https://accounts.foo.bar/registration>
after:
password:
hooks:
- hook: session
recovery:
enabled: true
ui_url: <https://accounts.foo.bar/recovery>
verification:
enabled: true
ui_url: <https://accounts.foo.bar/verify>
log:
leak_sensitive_values: true
identity:
default_schema_url: file:///etc/config/identity.schema.json
identitySchemas:
"identity.schema.json": |
{
"$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",
"$schema": "<http://json-schema.org/draft-07/schema#>",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
},
"name": {
"type": "object",
"properties": {
"first": {
"title": "First Name",
"type": "string"
},
"last": {
"title": "Last Name",
"type": "string"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
}
}
ingress:
admin:
enabled: true
className: nginx
hosts:
- host: auth-admin.foo.bar
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: foo-bar-tls
hosts:
- auth-admin.foo.bar
public:
enabled: true
className: nginx
hosts:
- host: auth.foo.bar
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: foo-bar-tls
hosts:
- auth.foo.barsecure app values:
Copy code
ingress:
enabled: true
className: nginx
hosts:
- host: accounts.foo.bar
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: foo-bar-tls
hosts:
- accounts.foo.bar
kratosBrowserUrl: "<https://auth.foo.bar>"
kratosPublicUrl: "<https://auth.foo.bar>"
kratosAdminUrl: "<https://auth-admin.foo.bar>"
baseUrl: "/"j
jolly-magazine-7609
01/06/2022, 4:33 PMThis is likely to be a cookie issue
✅ 1
d
dazzling-toothbrush-97662
01/06/2022, 4:37 PMI know that but I couldn’t fix that, so I sent my configs here 😄
j
jolly-magazine-7609
01/06/2022, 4:38 PMIf you cURL the public api endpoint you can see the cookie it's trying to set. It looks like you want to to be set on
foo.barI went through exactly the same thing
d
dazzling-toothbrush-97662
01/06/2022, 4:42 PMwhere I set that in my config? 🤔
j
jolly-magazine-7609
01/06/2022, 4:43 PMin the reference config comment it's shown in
Session Cookie Domainso config session cookie domain
d
dazzling-toothbrush-97662
01/06/2022, 4:44 PMso I should set session.cookie.domain to foo.bar?
j
jolly-magazine-7609
01/06/2022, 4:44 PMchange that, and curl the public api and see if it changes where the cookie is set
d
dazzling-toothbrush-97662
01/06/2022, 4:45 PMlet me do it
j
jolly-magazine-7609
01/06/2022, 4:45 PMI also have something in
domain_aliasesbut I think that's because ultimately we gave up using multiple domains
d
dazzling-toothbrush-97662
01/06/2022, 4:45 PMwhy domain aliases?
j
jolly-magazine-7609
01/06/2022, 4:45 PMI think because you are using multiple domains
d
dazzling-toothbrush-97662
01/06/2022, 4:46 PMno, I just use subdomains
j
jolly-magazine-7609
01/06/2022, 4:46 PMthat's what I mean
you have two separate sub domains right?
d
dazzling-toothbrush-97662
01/06/2022, 4:46 PMaha, so I have to use domain aliases?
j
jolly-magazine-7609
01/06/2022, 4:46 PMone for the web app and one for the public api
I think so
but
it was way easier to have the setup like they have it in their examples, where the public api is on the same domain in
/public/apid
dazzling-toothbrush-97662
01/06/2022, 4:47 PMyes, auth.foo.bar auth-admin.foo.bar & accounts.foo.bar
you mean using subdirectories instead of subdomains?
j
jolly-magazine-7609
01/06/2022, 4:48 PMI bet if you curl the public api endpoint it's being set on which ever is the public api, which is therefore not valid on the web app
yes
Can you do that with an nginx ingress?
There was one complication with our setup there, and that is that whatever is being used to reverse proxy it (in your case nginx) needs to strip out the first part of the url `/api/public`before sending it on to the public api.
The truth is that we ended up using oathkeeper because it makes that setup really trivial
d
dazzling-toothbrush-97662
01/06/2022, 4:50 PMwhat should I check when I curl public api?
j
jolly-magazine-7609
01/06/2022, 4:50 PMI can't remember exactly, I think it's the first url to start a flow
d
dazzling-toothbrush-97662
01/06/2022, 4:51 PMyou mean this?
<https://accounts.foo.bar/registration?flow=b30db8d1-9cf4-4661-87d9-dd80c33c0b22>j
jolly-magazine-7609
01/06/2022, 4:51 PMJust looking now
I think it's
/api/public/self-service/login/apiso in your case you maybe don't need the api/public/
you want to be able to see the cookie so
curl -vor maybe use a web browser and look in the inspector
d
dazzling-toothbrush-97662
01/06/2022, 4:54 PM Copy code
➜ curl -v -s -X GET \
-H "Accept: application/json" \
<https://auth.foo.bar/self-service/login/api>
* Trying 104.21.13.44...
* TCP_NODELAY set
* Connected to auth.foo.bar (104.21.13.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=<http://sni.cloudflaressl.com|sni.cloudflaressl.com>
* start date: Jul 1 00:00:00 2021 GMT
* expire date: Jun 30 23:59:59 2022 GMT
* subjectAltName: host "auth.foo.bar" matched cert's "*.foo.bar"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc491810a00)
> GET /self-service/login/api HTTP/2
> Host: auth.foo.bar
> User-Agent: curl/7.64.1
> Accept: application/json
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Thu, 06 Jan 2022 16:54:14 GMT
< content-type: application/json; charset=utf-8
< content-length: 1331
< cache-control: private, no-cache, no-store, must-revalidate
< vary: Origin
< vary: Cookie
< strict-transport-security: max-age=15724800; includeSubDomains
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="<https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct>"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8bdT4jBfLjGvDUQtrPTpvhd4oubBqXP6OJyBEP7%2FcKCGEACyrvm2nOdjdvjj7NdSq%2FTp0cQrG%2FXFDQkGYWIWmAk3FX2Gbh5zNypNgIZ2oHgfKM8V7hmdItZi8nG7C88PSelCIUqxNVoZ6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6c967795d9bf4e31-FRA
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
{"id":"a4846c45-d587-4c45-8dc5-b151e23d8cbb","type":"api","expires_at":"2022-01-06T17:54:14.720544901Z","issued_at":"2022-01-06T16:54:14.720544901Z","request_url":"<http://auth.foo.bar/self-service/login/api>","ui":{"action":"<https://auth.foo.bar/self-service/login?flow=a4846c45-d587-4c45-8dc5-b151e23d8cbb>","method":"POST","nodes":[{"type":"input","group":"default","attributes":{"name":"csrf_token","type":"hidden","value":"","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"password_identifier","type":"text","value":"","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070004,"text":"ID","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"password","type":"password","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070001,"text":"Password","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"method","type":"submit","value":"password","disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1010001,"text":"Sign in","type":"info","context":{}}}}]},"created_at":"2022-01-06T16:54:14.72626Z","updated_at":"2022-01-06T16:54:14.72626Z","refresh":false,"requested_aal":"aal1"}
* Connection #0 to host auth.foo.bar left intact
* Closing connection 0I found that
request_urlAlso, I use browser based flow, not api based
j
jolly-magazine-7609
01/06/2022, 5:03 PMah sorry
what happens when you use browser?
d
dazzling-toothbrush-97662
01/06/2022, 5:04 PMredirect loop between 2 addresses
j
jolly-magazine-7609
01/06/2022, 5:04 PMso
Copy code
curl -v -s -X GET \
-H "Accept: application/json" \
<https://auth.foo.bar/self-service/login/browser>look for a set-cookie response header
d
dazzling-toothbrush-97662
01/06/2022, 5:06 PM< set-cookie: csrf_token_2edd7809834ad40adb6feb3276519cec29d23dd2b32dad7191ed49fffbc38121=frFDDEhMXY4puQWIwX396ibn9p/brJgK2F/8r9iSScM=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Laxj
jolly-magazine-7609
01/06/2022, 5:07 PMso it's got no domain set on it
d
dazzling-toothbrush-97662
01/06/2022, 5:07 PMdid I misconfigure?
j
jolly-magazine-7609
01/06/2022, 5:08 PMso it will only count for the domain you got it from I imagine
yes there is a missing setting somewhere, you need it to include the domain like this:
Path=/; Domain=foo.bar; Max-Age=31536000; HttpOnly; Secure; SameSite=Laxd
dazzling-toothbrush-97662
01/06/2022, 5:09 PMI set
session.cookie.domainfoo.barj
jolly-magazine-7609
01/06/2022, 5:10 PMyeah so there must be something else
d
dazzling-toothbrush-97662
01/06/2022, 5:10 PMit sets cookie on subdomains
j
jolly-magazine-7609
01/06/2022, 5:10 PMthis is why it's easier to have the web app and the public api on the same domain
d
dazzling-toothbrush-97662
01/06/2022, 5:10 PMit’s harder or impossible to use subdomains?
j
jolly-magazine-7609
01/06/2022, 5:13 PMIt's not impossible
we had it working
so in the helm values you have
kratos > config > session > cookie > domaind
dazzling-toothbrush-97662
01/06/2022, 5:14 PMyes
also
cookies.domainalso
domain_aliasesj
jolly-magazine-7609
01/06/2022, 5:16 PMI give up then haha
I would just mess with the config until I can get the csrf cookie to be set on the right domain
d
dazzling-toothbrush-97662
01/06/2022, 5:16 PMbtw thanks for your time
j
jolly-magazine-7609
01/06/2022, 5:17 PMthank you
❤️ 1
d
dazzling-toothbrush-97662
01/06/2022, 5:17 PMmy cookie doesn’t have Domain as you mentioned
https://ory-community.slack.com/archives/C012RJ2MQ1H/p1641488950015100?thread_ts=1641482797.004000&cid=C012RJ2MQ1H
so I should find a way to set that on root domain, huh?
j
jolly-magazine-7609
01/06/2022, 5:20 PMit is not that clear what each of the 3 places in the config relate to when you set it up. It will be something to do with the
session > cookiedomain_aliasescookies👍 1
d
dazzling-toothbrush-97662
01/06/2022, 5:22 PMmaybe I have to check source code…
j
jolly-magazine-7609
01/06/2022, 5:24 PMin ours the
cookiesgood luck
🙏 1
d
dazzling-toothbrush-97662
01/06/2022, 10:25 PMgave up,
couldn’t run on kubernetes successfully,
neither subdomain nor subpath.
@User any idea?
h
high-optician-2097
01/07/2022, 8:40 AM
If you have a hard time getting it to work yourself, you can try Ory Cloud (https://console.ory.sh). We have an onboarding program where you get the first year for free with custom domain. I’d recommend that route if you’re stuck in your own deployment
d
dazzling-toothbrush-97662
01/07/2022, 9:09 AMI guessed you suggests cloud version 😅
I just trying to find an open source identity and authentication project to use. As you mentioned there is no enterprise feature and all of Ory products are open source. I guess we should improve the documentations to make it easier to use.
Your answer is like a marketing trap 😊
h
high-optician-2097
01/07/2022, 9:14 AM
It’s not a marketing trap, just try the product in cloud. See if it fits your use case. You can later still deploy it yourself. If redirects don’t work or are looping it means you have configured something incorrectly. But it’s incredibly hard to tell you what exactly because I don’t have access to your system
✅ 1
In Cloud we have taken care of everything and you don’t need to figure out deployment to see if the product works. It’s still open source, it’s the same code base we have in the github 🙂
d
dazzling-toothbrush-97662
01/07/2022, 9:18 AMI’m not a business. Just a developer who tries to start a business, so Cloud version doesn’t work for me now.
I’ll try again and if get successful, will contribute to the documentations.
Forget my quote about marketing trap ❤️
h
high-optician-2097
01/07/2022, 9:25 AM
Nice, no problem 🙂 This could be helpful:
https://www.ory.sh/kratos/docs/guides/configuring-cookies/
https://www.ory.sh/kratos/docs/debug/csrf/
👍 1
s
stale-queen-97584
02/02/2022, 1:35 PM@User
a
adorable-article-65467
02/02/2022, 1:49 PM Copy code
# Settings for both anti-CSRF and session cookies
cookies:
domain: <http://www.cookies.com|www.cookies.com>
path: /cookies
same_site: Laxs
stale-queen-97584
02/02/2022, 3:33 PM@User
👍 1
22 Views