# ory-network
g
Hello everyone, it’s me again 🙈 . I have trouble with our local development setup (mobile application -> oathkeeper/ory-cloud -> backend) in which requests using the `X-Session-Token` header are never successfully authenticated. Weirdly enough, the same code base and configuration (with adjusted hostnames etc.) works just fine in our `staging` and `production` environments. It seems only `localhost` makes a difference. Any idea on your side if that could e.g. be related to special treatment of `localhost`?
I found the solution (after hours of debugging and minutes after posting :/)… Looking at https://www.ory.sh/docs/guides/session-management/overview#session-token I could see that there are two options for passing the session token (for our mobile app):

- `X-Session-Token: XYZ`
- `Authorization: Bearer XYZ`

It seems that Oathkeeper only forwards the `Authorization` header, not the `X-Session-Token` header, which is IMO a usability bug. Oathkeeper and Kratos / Ory cloud should work more nicely together here. At least the documentation for `bearer_token` could explicitly mention that `X-Session-Token` must be configured and give an example on how to do so.
h
Oh yes, you’re absolutely right, Oathkeeper should play much nicer with the API here. This is a great find, thank you! Have you been able to resolve the problem with a config value, or is it just not working?
g
I had previously configured our staging / production environments to use `X-Session-Token`. Weirdly, this didn’t work on a local setup, so that’s when I debugged and eventually changed to use the `Authorization` header.
Another thing I noticed: using `LOG_LEAK_SENSITIVE_VALUES` actually does lead to logging of sensitive values in the case of the `cookie_session` authenticator (cookie headers are being logged). Using the `bearer_token` authenticator, it would log neither the `X-Session-Token` nor the `Authorization` header, but all others. Obviously, this led me down a wrong path debugging whether my app (we use cookies for web, `bearer_token` for mobile) correctly adds those headers, even ending up using Wireshark to make sure they actually do go over the wire 🙈 . Also, here my expectation is that using `LOG_LEAK_SENSITIVE_VALUES` would also log the `X-Session-Token` and `Authorization` headers.
h
In which project? Oathkeeper?
g
@high-optician-2097 Yes.