# talk-hydra
We have an Android app in Ionic React which we have registered as a Hydra client, and once the user clicks login, it will redirect to the OAuth provider site, and once the user enters their credentials and clicks login, it should accept the login request, but I'm getting the "The+request+is+not+allowed.+No+CSRF+value+available+in+the+session+cookie" error. I have registered some other sites as Hydra clients and it's working fine there; the problem only occurs when I redirect from Android to the browser. If I go back to the login page and try again, it works the second time.
From the /admin/oauth2/auth/requests/login/accept endpoint I'm getting a redirect_to key in the JSON object with oauth2/auth?client_id=<id>&login_verifier=<value>&redirect_uri=<redirect_uri>&state=<state>&response_type=<response type>&scope=<scopes>&state=<state> as its value, and then once I redirect to this URI, I'm being redirected to redirect_uri along with these query parameters: error=request_forbidden & error_description=The request is not allowed. The CSRF value from the token does not match the CSRF value from the data store.
This problem occurs only when I'm triggering the OAuth flow from the Android app; when I'm trying it from the other registered client sites, it's working.
@lemon-hamburger-81270
help
@aloof-oxygen-62624, ping
Sorry, I don't actually use Hydra myself 😕 Though Kratos seems to have separate login endpoints for clients like Android apps and websites, maybe Hydra does something similar?
With the first endpoint explicitly mentioning CSRF, or rather the fact that it's vulnerable against such attacks (which leads me to believe it wouldn't check CSRF tokens?)
@aloof-oxygen-62624 actually we have a separate OAuth provider site and our flow is like this:
• The user clicks login and triggers the OAuth flow, and they'll be redirected to the OAuth provider site.
• They complete the login and consent flows and are redirected back to the Android app with an authorization_code.
• In the Android app we request an access_token in exchange for the authorization_code and then get the user info with that access_token.
We have several WordPress sites with OpenID Connect configured and they have the same flow. The user triggers OAuth, and once they complete all flows, they're redirected back to the WordPress site and everything works fine there; the problem occurs only with the Android app.
When I get this "The CSRF value from the token does not match the CSRF value from the data store." error and I press back in the Android browser, it goes back to the login page again, and this time it finds an active session and everything works fine.