# talk-oathkeeper
f
Hi there, I am facing an issue with an authenticator inside access rules. When I enable it, I start facing CORS issues, but when I disable it, it works fine. With the "cookie_session" authenticator enabled, it works fine with POSTMAN:

```yaml
authenticators:
  - handler: cookie_session
```

Please help.
Configuration for checking cookie session, access rule:

```yaml
- id: "orykratospublic"
  upstream:
    preserve_host: true
    url: "http://stackways-ory-prod-pub.sw-prod.svc.cluster.local:4433"
    strip_path: /.ory/kratos/public
  match:
    url: "https://app.stackways.io/.ory/kratos/public/<**>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop
```

Cookie session authenticator config:

```yaml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  cookie_session:
    enabled: true
    config:
      check_session_url: http://stackways-ory-prod-pub.sw-prod.svc.cluster.local:4433/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
```
Hello @damp-sunset-69236, can you please help me with this. Thanks.
Hello Team, please help me with the above, as I have been stuck on it for a few days now. I need to launch my app and, due to the above blocker, I am not able to do that. Please help.
d
Hello. Let me check it.
Have you tried to configure CORS for Kratos? You can find the guide here: https://www.ory.sh/kratos/docs/guides/setting-up-cors
f
Yes @damp-sunset-69236, my Kratos config is:

```yaml
serve:
  public:
    base_url: https://app.stackways.io/.ory/kratos/public/
    cors:
      enabled: true
      allowed_origins:
        - https://app.stackways.io
        - https://api.stackways.io
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
        - Cookie
      exposed_headers:
        - Content-Type
        - Set-Cookie
```
d
Could you please share a developer tools screenshot with an error? I think it would help
f
Sure, give me a minute please.
https://app.stackways.io/ you can log in here [credentials redacted], then go to https://app.stackways.io/home/servers. There I have enabled cookie_session for the ms-servers microservice and am getting a CORS issue after enabling the above cookie_session. Everything works perfectly on my local machine, as the backend API domain/IP address is the same for frontend and backend. Updated allowed origins to:

```yaml
allowed_origins:
  - https://app.stackways.io
  - https://api.stackways.io
  - https://*.stackways.io
```

and the access rule is:

```yaml
- id: "oryms serversprotected"
  upstream:
    preserve_host: false
    url: "https://api.stackways.io/api/ms-servers"
  match:
    url: "http://stackways-ory-oathkeeper-prod-adm.sw-prod.svc.cluster.local:4456/api/ms-servers/<**>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
  mutators:
    - handler: id_token
  errors:
    - handler: redirect
      config:
        to: https://app.stackways.io/forbidden
```
I will be sending you a log screenshot for oathkeeper in a second.
@damp-sunset-69236
These are my oathkeeper logs. Please let me know if you need any other logs too.
d
I see. You need to set up CORS for your API and not for Kratos.
Kratos configuration works fine for your case.
What load balancer do you use? Ingress or something else?
f
Kong as ingress.
My major issue is that when I enable "cookie_session" I start facing this issue on DEV; the rest works fine without it.
The cookie_session authenticator is this:

```yaml
cookie_session:
  enabled: true
  config:
    check_session_url: http://stackways-ory-prod-pub.sw-prod.svc.cluster.local:4433/sessions/whoami
    preserve_path: true
    extra_from: "@this"
    subject_from: "identity.id"
    only:
      - ory_kratos_session
```
I have sent you almost all my configuration for the Servers microservice, and I am not reaching the point where it starts getting CORS, because when I enable this, the request does not reach the Kratos level to authenticate the cookie header; as in the ms-identities request, you can see the cookie header is there. It's failing only at the Kratos level, I think. The reason is, when I enable cookie_session, it works perfectly with POSTMAN, but the browser fails.
d
https://docs.konghq.com/hub/kong-inc/cors/ try this for Kong and for your api.stackways.io domain
f
OK, let me try that too, thank you. I will update you if this turns out to be the solution.
d
I see that the request to https://api.stackways.io/api/ms-identities/event/token-url?selectedaccount= is blocked by CORS settings for the api.stackways.io domain. Kong needs a configuration for CORS. Do I understand correctly that this API method invokes the Kratos /session/whoami endpoint?
f
Yes, this endpoint goes via KONG too.
Kong is set up here > https://api.stackways.io/ which is for all backend APIs.

```yaml
- id: "oryms identitiesprotected"
  match:
    url: "http://stackways-ory-oathkeeper-prod-adm.sw-prod.svc.cluster.local:4456/api/ms-identities/<**>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
  authenticators:
    # - handler: cookie_session
    - handler: noop
  authorizer:
    handler: remote_json
  mutators:
    - handler: id_token
  errors:
    - handler: redirect
      config:
        to: https://app.stackways.io/forbidden
```

Sorry, I was wrong; for ms-identities I have not enabled cookie_session yet, which checks /session/whoami.
@damp-sunset-69236 any further suggestion please !!
d
I see that there’s a CORS configuration mismatch for the webpage. Have you tried to configure CORS for Kong on api.stackways.io domain?
f
Yes @damp-sunset-69236, I already did that but still have the same issue. Do you want me to show you any configuration for the same?
d
The configuration for Kratos looks fine for your issue. You lack a CORS setup for the api.stackways.io domain. I'd recommend checking your Kong configuration for that domain and trying to configure it. Developer tools show only one issue with it. On the development environment Kratos and most services skip additional security checks.
f
I am getting this log at the oathkeeper level:

```json
{
  "audience": "application",
  "error": {
    "debug": "",
    "message": "Access credentials are invalid",
    "reason": "",
    "status": "Unauthorized",
    "status_code": 401
  },
  "granted": false,
  "http_host": "stackways-ory-oathkeeper-prod-adm.sw-prod.svc.cluster.local:4456",
  "http_method": "GET",
  "http_url": "http://stackways-ory-oathkeeper-prod-adm.sw-prod.svc.cluster.local:4456/api/ms-servers/graphql",
  "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
  "level": "warning",
  "msg": "No authentication handler was responsible for handling the authentication request",
  "reason_id": "authentication_handler_no_match",
  "rule_id": "oryms serversprotected",
  "service_name": "ORY Oathkeeper",
  "service_version": "v0.38.19-beta.1",
  "time": "2022-02-14T062202Z"
}
```

Does this specifically point to any issue?
@damp-sunset-69236
d
On the servers webpage the main problem is that the https://api.stackways.io/api/ms-identities/event/token-url?selectedaccount=be49f782-8aff-4a4e-9ad9-19483676876d endpoint is blocked because api.stackways has a lack of CORS setup.
Same thing with the graphql endpoint.
f
api/ms-identities is a different microservice and api/ms-servers is a different microservice. My current setup is: container app (Single SPA) >> server frontend application (React) >> which goes to the server backend microservice (NestJS).
I totally understand all your explanations above, and you are correct. I only want to figure out why enabling "cookie_session" for an access rule ends up with a CORS issue for any microservice I enable it for. That's the issue I am digging into.
@damp-sunset-69236
d
Okay. Understood. Let me check it
f
thank you very much.
@damp-sunset-69236 there is an update. I have enabled CORS at the ms-identities microservice level, and it started working fine without "cookie_session" being enabled. Then I enabled it and I am facing a 401, "access credentials invalid", in the logs. I think the cookie is missing in the oathkeeper cookie session request, which is why it returns 401. Please have a look again at https://app.stackways.io/home/servers. Here is the current log for the 401:

```json
{
  "audience": "application",
  "error": {
    "debug": "",
    "message": "Access credentials are invalid",
    "reason": "",
    "status": "Unauthorized",
    "status_code": 401
  },
  "granted": false,
  "http_host": "stackways-ory-oathkeeper-prod-adm.sw-prod.svc.cluster.local:4456",
  "http_method": "GET",
  "http_url": "http://stackways-ory-oathkeeper-prod-adm.sw-prod.svc.cluster.local:4456/api/ms-identities/event/token-url",
  "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
  "level": "warning",
  "msg": "No authentication handler was responsible for handling the authentication request",
  "reason_id": "authentication_handler_no_match",
  "rule_id": "oryms identitiesprotected",
  "service_name": "ORY Oathkeeper",
  "service_version": "v0.38.19-beta.1",
  "time": "2022-02-14T070913Z"
}
```

Sorry, I might be irritating you by now, but I have literally been stuck here for the last 7 days. I am helpless.
d
You have CORS issues because you enabled CORS in Kratos, and since you use oathkeeper and it checks the cookie for all requests that need authentication checks, you need to set up CORS.
You have two options here:
1. Disable CORS for Kratos (it's not recommended because of security issues)
2. Configure CORS for Kong
f
Okay @damp-sunset-69236, I think I should try disabling CORS once at the Kratos level. Updated configuration:

```yaml
serve:
  public:
    base_url: https://app.stackways.io/.ory/kratos/public/
    cors:
      enabled: false
```

Maybe it works; then I can check for CORS after re-enabling it.
No luck even after disabling; getting 401 after enabling cookie_session as authenticator. @damp-sunset-69236 😒
d
In developer tools I see that cookies do not pass to the graphql endpoint.
Same thing with ms-identities.
But when I inspect the cookies I see the ory_kratos_session cookie.
f
Yes, because CORS is blocking the request: the request is blocked at the frontend level and has not even reached the graphql level. And this happens only when we enable the cookie_session authenticator. I have removed "cookie_session" for now and now requests are working for everything at the ms-identities level. Can you suggest something, such as how my access rule should be, or how I can pass this cookie_session auth by passing some additional things or whatever is required? I will be attaching my code files for the access rules and oathkeeper.yml. @damp-sunset-69236 thanks a lot for your help too.
@damp-sunset-69236 please let me know if I am doing it right. I want to confirm if my configuration is correct as per ORY docs.
d
The configuration looks good by the given example. Let me try to build some example for you using Kong+oathkeeper+Kratos. Hopefully I can finish it tomorrow.
f
o great thanks.
d
@faint-wire-27923 Hello. A simple example of using Oathkeeper with Kratos is ready!
The workflow is simple. The oathkeeper secures the flask endpoint /oathkeeper.
f
@damp-sunset-69236 thanks a lot dear for all your help. I am trying this now.
d
I built it without CORS and multi domain support but it works fine on my example.
f
That sounds great for multi domain support. Let me have a try; I will update you soon. Thanks again.
Hello @damp-sunset-69236, it seems that KONG is not a part of the above implementation!!
d
Yes. But it has an example of using oathkeeper+kratos integration without the Kong gateway.
As for Kong, I'm still implementing it; I wanted to give you an example of access rules usage with authentication checks.
f
Locally (on the same domain), it works perfectly. I have this setup also without Kong. But all in all, the thing is that the cookie generated for app.stackways.io does not get passed to the "cookie_session" authenticator in my implementation, as the frontend is https://app.stackways.io but the backend is https://api.stackways.io. I think either it will work for me on a sub-sub domain or I need to change this whole setup, as the frontend app is deployed on Azure blob storage and the backend is all set up on Kubernetes. That might be the biggest issue I am dealing with right now.
d
On your demo the main issue is that incoming requests are blocked by Kong.
When I open https://api.stackways.io/api/ms-identities/graphql in the browser I see that I have the ory_kratos_session cookie set.
Have you tried setting up CORS policies for Kong for api.stackways.io?
f
Yes, I tried those KONG CORS policies but they didn't work. You are able to see ory_kratos_session in outgoing requests due to the below configuration for kratos.yml:

```yaml
session:
  cookie:
    domain: stackways.io
  whoami:
    required_aal: aal1
```
d
I added a Kong example. There's NO js frontend yet, just a simple example of Kong+Kratos+OathKeeper WITHOUT multidomain support and with CORS enabled.
I’m working on the documentation right now
f
@damp-sunset-69236 thanks for all your help. I will try the above one too. Also, what we have done is add the backend API domain as a different origin at the CDN level, so now the backend APIs point at the same domain as the container application, which resolved my issue. I just resolved it a few hours ago. Thanks again.
d
Oh. Nice to hear that. Thanks for the update.
Anyway, the example is pretty simple and still lacks features. I'll continue to work on it.
f
thanks again @damp-sunset-69236