# talk-kratos
n
I am having an issue I need immediate help with. I am trying to deploy a combination of Kratos and Oathkeeper on Kubernetes inside an Azure AKS Cluster. I am using a configuration I already have been using in production on standard VMs that I validate using the Old Kratos Self Service Web example (prior to 9/24 where the UI switched). I have a problem where after properly deploying all deployments, services, Cluster IPs, load balancers and ingresses that mirror the working installation, I get the following error trying to log in:
{
  "id": "security_csrf_violation",
  "code": 403,
  "reason": "The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
  "status": "Forbidden",
  "details": {
    "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
    "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
    "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
  },
  "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
}
Can anyone please give me a clue? I have spent hours on this verifying every setting, etc., and it seems that the cookie is not making it all the way to Kratos, but I cannot seem to verify that to be certain. I am using Nginx Ingress, and there is an Azure DNS handling the DNS mapping to the AKS Cluster...and then the Ingress is used to direct traffic to port 4455 of Oathkeeper. I am using the standard internal DNS Kubernetes node mappings to find the other services. Let me know what other information is helpful to debug this, and I will get it. I am using Oathkeeper version 0.38.16 (the latest) and Kratos version 0.8 (also the latest). I am NOT using the Helm charts. I am using Docker images directly configured as Deployments. The database is Postgres 13 as an Azure Postgres Flexible Server.
p
Hi @numerous-energy-92403 This is usually a difficult problem to debug as it could be one of multiple reasons. Have you looked at this page on our documentation yet? https://www.ory.sh/kratos/docs/debug/csrf#common-pitfalls Can you see in Chrome dev tools the cookie for the csrf_token being set?
n
Hey, @proud-plumber-24205! Thanks for your response. I have looked at that document, and you can see the difference between my working installation (https://kratos.tribecore.io) and my problem installation (https://kratos-ss-dev.dev.cordico.com) pretty quickly. When logging in, the ory_kratos_session cookie is present in the response. In the problem installation, the cookie is absent. This would seem to indicate that the cookie is not making it from Kratos, where it is created, back to the browser on redirect. In the Oathkeeper log, I see in the last step that there is a "csrf_[some random stuff]" cookie, but no session token. Does that help you with telling me where to look?
p
Maybe the domain is set incorrectly on the Kratos configs? What do your configs look like on the problem installation? Omit sensitive information.
Also do you have some Kratos logs?
n
Yes, here are the Kratos logs from that:
time=2021-11-12T08:45:58Z level=info msg=Encountered self-service login error. audience=audit error=map[debug: details:map[docs:<https://www.ory.sh/kratos/docs/debug/csrf> hint:The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token). reject_reason:The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow.] message:the request was rejected to protect you from Cross-Site-Request-Forgery reason:The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues. status:Forbidden status_code:403] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 content-length:181 content-type:application/x-www-form-urlencoded origin:<https://kratos-ss-dev.dev.cordico.com> referer:<https://kratos-ss-dev.dev.cordico.com/> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15 x-forwarded-for:72.190.76.228 x-forwarded-host:kratos-dev.dev.cordico.comx-forwarded-port:443 x-forwarded-proto:https x-forwarded-scheme:https x-real-ip:72.190.76.228 x-request-id:95e63015631572d04eb333fb5824f4ce x-scheme:https] host:<http://kratos-dev.dev.cordico.com|kratos-dev.dev.cordico.com> method:POST path:/self-service/login query:flow=8da3792a-98d3-44b2-88cf-781d03222375 remote:10.244.0.30:50700 scheme:http] login_flow=&{8da3792a-98d3-44b2-88cf-781d03222375 6afcf6e9-c5e9-4baf-8114-02f7feb34df3 browser 2021-11-12 08:55:45.119629 +0000 UTC 2021-11-12 08:45:45.119629 +0000 UTC [123 125] <http://kratos-ss-dev.dev.cordico.com/self-service/login/browser>   0xc000c7e870 2021-11-12 08:45:45.123585 +0000 UTC 2021-11-12 08:45:45.123585 +0000 UTC 
+WsdyIMdhgktgyD9CIJnTatvPw1BJy7JJetp5JDfictdfO7bAvnWslI4l7xMIFSbdlyNUKqc+FED8L/avL9abw== false aal1} service_name=Ory Kratos service_version=
time=2021-11-12T08:45:58Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[debug: details:map[docs:<https://www.ory.sh/kratos/docs/debug/csrf> hint:The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token). reject_reason:The HTTP Cookie Header was set and a CSRF token was sent but theydo not match. We recommend deleting all cookies for this domain and retrying the flow.] message:the request was rejected to protect you from Cross-Site-Request-Forgery reason:The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues. status:Forbidden status_code:403] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 content-length:181 content-type:application/x-www-form-urlencoded origin:<https://kratos-ss-dev.dev.cordico.com> referer:<https://kratos-ss-dev.dev.cordico.com/> user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15 x-forwarded-for:72.190.76.228 x-forwarded-host:<http://kratos-dev.dev.cordico.com|kratos-dev.dev.cordico.com> x-forwarded-port:443 x-forwarded-proto:https x-forwarded-scheme:https x-real-ip:72.190.76.228 x-request-id:95e63015631572d04eb333fb5824f4ce x-scheme:https] host:<http://kratos-dev.dev.cordico.com|kratos-dev.dev.cordico.com> method:POST path:/self-service/login query:flow=8da3792a-98d3-44b2-88cf-781d03222375 remote:10.244.0.30:50700 scheme:http] service_name=Ory Kratos service_version=
I deleted all cookies, @proud-plumber-24205, as the error message suggested, but it does not work. The Oathkeeper logs from the same installation say this:
{"http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","referer":"<https://kratos-ss-dev.dev.cordico.com/>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"b26a4810e19795cf84264e27699912d1"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/error","query":"id=69de69ae-fc5b-4509-8720-30178c8ec740","remote":"10.244.0.30:50834","scheme":"http"},"http_response":{"status":500,"text_status":"Internal Server Error","took":190920720},"level":"info","msg":"completed handling request","time":"2021-11-12T09:32:38Z"}
[cors] 2021/11/12 09:32:38 Handler: Actual request
[cors] 2021/11/12 09:32:38   Actual request no headers added: missing origin
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"e30-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"28db5e498591f8a2d73d4988acda2570"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/index.css","query":null,"remote":"10.244.0.30:50834","scheme":"http"},"level":"info","msg":"started handling request","time":"2021-11-12T09:32:38Z"}
{"audience":"application","granted":true,"http_host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","http_method":"GET","http_url":"<http://kratos-ss.ingress-nginx.svc.cluster.local:3000/index.css>","http_user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","level":"warning","msg":"Access request granted","service_name":"ORY Oathkeeper","service_version":"master","subject":"guest","time":"2021-11-12T09:32:38Z"}
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"e30-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"28db5e498591f8a2d73d4988acda2570"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/index.css","query":null,"remote":"10.244.0.30:50834","scheme":"http"},"http_response":{"status":304,"text_status":"Not Modified","took":3190492},"level":"info","msg":"completed handling request","time":"2021-11-12T09:32:38Z"}
[cors] 2021/11/12 09:32:38 Handler: Actual request
[cors] 2021/11/12 09:32:38   Actual request no headers added: missing origin
[cors] 2021/11/12 09:32:38 Handler: Actual request
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"8d9-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"6d0e927eed1e9580564642830a6eb6eb"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/form.css","query":null,"remote":"10.244.0.30:50816","scheme":"http"},"level":"info","msg":"started handling request","time":"2021-11-12T09:32:38Z"}
[cors] 2021/11/12 09:32:38   Actual request no headers added: missing origin
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"1cf-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"b8534a3bea0d1fedd10de18ec627037a"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/auth.css","query":null,"remote":"10.244.0.30:50820","scheme":"http"},"level":"info","msg":"started handling request","time":"2021-11-12T09:32:38Z"}
[cors] 2021/11/12 09:32:38 Handler: Actual request
[cors] 2021/11/12 09:32:38   Actual request no headers added: missing origin
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"333-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"6ac2dd0660e2a0da11e632efcf200602"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/typography.css","query":null,"remote":"10.244.0.30:50834","scheme":"http"},"level":"info","msg":"started handling request","time":"2021-11-12T09:32:38Z"}
{"audience":"application","granted":true,"http_host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","http_method":"GET","http_url":"<http://kratos-ss.ingress-nginx.svc.cluster.local:3000/form.css>","http_user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","level":"warning","msg":"Access request granted","service_name":"ORY Oathkeeper","service_version":"master","subject":"guest","time":"2021-11-12T09:32:38Z"}
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"8d9-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"6d0e927eed1e9580564642830a6eb6eb"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/form.css","query":null,"remote":"10.244.0.30:50816","scheme":"http"},"http_response":{"status":304,"text_status":"Not Modified","took":3070280},"level":"info","msg":"completed handling request","time":"2021-11-12T09:32:38Z"}
{"audience":"application","granted":true,"http_host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","http_method":"GET","http_url":"<http://kratos-ss.ingress-nginx.svc.cluster.local:3000/auth.css>","http_user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","level":"warning","msg":"Access request granted","service_name":"ORY Oathkeeper","service_version":"master","subject":"guest","time":"2021-11-12T09:32:38Z"}
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"1cf-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"b8534a3bea0d1fedd10de18ec627037a"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/auth.css","query":null,"remote":"10.244.0.30:50820","scheme":"http"},"http_response":{"status":304,"text_status":"Not Modified","took":5167571},"level":"info","msg":"completed handling request","time":"2021-11-12T09:32:38Z"}
{"audience":"application","granted":true,"http_host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","http_method":"GET","http_url":"<http://kratos-ss.ingress-nginx.svc.cluster.local:3000/typography.css>","http_user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","level":"warning","msg":"Access request granted","service_name":"ORY Oathkeeper","service_version":"master","subject":"guest","time":"2021-11-12T09:32:38Z"}
{"http_request":{"headers":{"accept":"text/css,*/*;q=0.1","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cookie":"csrf_token_436ec13b3d89630c545b7b5a434123257f6b89aed7a48277bbdc23b6f367c0b2=pBfzE4HkULt/u7dBRKIz1t0zsl3ru9aYJhvWPixg06Q=","if-modified-since":"Tue, 21Sep 2021 05:36:42 GMT","if-none-match":"W/\"333-17c06db3610\"","referer":"<https://kratos-ss-dev.dev.cordico.com/error?id=69de69ae-fc5b-4509-8720-30178c8ec740>","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15","x-forwarded-for":"72.190.76.228","x-forwarded-proto":"https","x-request-id":"6ac2dd0660e2a0da11e632efcf200602"},"host":"<http://kratos-ss-dev.dev.cordico.com|kratos-ss-dev.dev.cordico.com>","method":"GET","path":"/typography.css","query":null,"remote":"10.244.0.30:50834","scheme":"http"},"http_response":{"status":304,"text_status":"Not Modified","took":6244770},"level":"info","msg":"completed handling request","time":"2021-11-12T09:32:38Z"}
p
Hey @numerous-energy-92403, sorry for only getting back to you now 😅 The only difference I see from the requests between the working and non-working code is that the working code is running on a subdomain kratos-ss.tribecore.io and the non-working is running on a nested subdomain kratos-ss-dev.dev.cordico.com. Although this shouldn't have any difference to the cookies being set, maybe it does. Could you maybe send your configuration for Kratos? Just omit sensitive information, please.
Also which version of kratos are you using?
n
0.8.0
The latest
p
I get a domain error here on registration
n
Thanks, @proud-plumber-24205 for checking on that! What do you mean by domain error (don't see what you mean)?
p
The cookie was blocked because neither did the request URL's domain exactly match the cookie domain, nor was the request URL's domain a subdomain of the cookie's Domain attribute value
I cannot screenshot it since it is a hover message on the little info icon next to the "Domain" column
n
Okay...so I messed up configuration somewhere...
p
Yes, most likely under the cookie settings for kratos
n
This is my Kratos config:
version: v0.8.0-alpha.3

dsn: postgres://kratos:kratos@cordico-user-db.postgres.database.azure.com:5432/kratos

serve:
  public:
    base_url: https://kratos-dev.dev.cordico.com/
    cors:
      enabled: true
  admin:
    base_url: https://kratos-admin-dev.dev.cordico.com/

selfservice:
  default_browser_return_url: https://kratos-ss-dev.dev.cordico.com/
  whitelisted_return_urls:
    - https://kratos-ss-dev.dev.cordico.com/

  methods:
    password:
      enabled: true


  flows:
    error:
      ui_url: https://kratos-ss-dev.dev.cordico.com/error

    settings:
      ui_url: https://kratos-ss-dev.dev.cordico.com/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: https://kratos-ss-dev.dev.cordico.com/recovery

    verification:
      enabled: true
      ui_url: https://kratos-ss-dev.dev.cordico.com/verify
      after:
        default_browser_return_url: https://kratos-ss-dev.dev.cordico.com/

    logout:
      after:
        default_browser_return_url: https://kratos-ss-dev.dev.cordico.com/auth/login

    login:
      ui_url: https://kratos-ss-dev.dev.cordico.com/auth/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: https://kratos-ss-dev.dev.cordico.com/auth/registration
      after:
        password:
          hooks:
            -
              hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - Bjcm87kiruJlmrMdLmWyHRh56PbNzeRg

hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 2
    salt_length: 16
    key_length: 16

identity:
  default_schema_url: base64://ew0KICAiJGlkIjogImh0dHBzOi8vdHJpYmVoZWFsdGguY29tL3ByZXNldHMva3J

  schemas:
    - id: organization
      url: base64://ew0KICAiJGlkIjogImh0dHBzOi8vbGV4aXBvbC5jb20vY29yZGljby9vcmdhbml

courier:
  smtp:
    connection_uri: smtps://postmaster:3d8c25d151343f553b2c9d19d52ea665-dbdfb8ff-c020ce20@smtp.mailgun.org:587/
    from_address: admin@tribecore.io

session:
  lifespan: 4320h
All I have there is a cookie secret...which I did repeat using...could that be an issue?
Okay...I think I see...there is a domain setting for the session AND a "Lax" setting...