https://www.ory.sh/ logo
Join Slack
Powered by
Hey community, A question about accepting login re...
# talk-hydra
g
Hey community, A question about accepting login requests (in Hydra 1.11.10) If the case of a "double submit", one of the accept login request works and returns a redirection to Hydra with a 
login_verifier
, so that we get redirected to the consent URL. But if then another accept login request comes in with the same 
login_challenge
, Hydra returns a 409 Conflict, which makes it impossible to get another URL with a 
login_verifier
, so that we could still redirect to the consent URL in the end. Instead, we are only achieving to make the user restart entirely, get a new login challenge, having to enter credentials again. Has someone else encoutered this? Is there a way to workaround this? šŸ™‚ šŸ¤”
r
Oh man, I was just coming here to post this very question. 409 responses are not documented, so I also want to know what's the proper thing to do with them. Should our delegate also return a 409? But I think your question is better. (Also on 1.11.10)
l
There's a redirect url in the response body of the error
r
Docs document only 200 and error. For the latter, the only fields documented are ā€¢ error ā€¢ error_debug ā€¢ error_description ā€¢ error_hint ā€¢ status_code
l
right... I'm fetching the login request again, which may result in a 410 Gone if it has already been accepted (mind you, I'm currently using 1.10) but fetching the login request again to get the redirect url might be a route to take on 409 errors šŸ¤·
r
That would make sense; these 4xx error responses could use some documentation tho
(I just got paged for this issue again; because the docs only document 200, our delegate considers anything else a failure rn šŸ˜ž)
FWIW, this is the body of the 409 response:
Copy code
{
  "error": "Unable to insert or update resource because a resource with that value exists already",
  "error_description": ""
}
Will have to look at whether there is a redirect URL from a Location header or something
Ah, comes from 
redirect_to
field in the body of the 200 response. So it's not providing it in the 409 response (as of 1.11.10)
g
I'm fetching the login request again, which may result in a 410 Gone if it has already been accepted (mind you, I'm currently using 1.10) but fetching the login request again to get the redirect url might be a route to take on 409 errors
For now, that's what we ended up doing: on a 409, fetch the login request again. If the response it a 410 Gone with a 
redirect_to
, redirect to this URL. However, this URL is actually (re)starting an OAuth2 flow. So our user experience is still degraded since they have to input their credentials again, but at least they are unblocked šŸ˜•
r
That sounds imperfect. Would be nice to get a 409 with a redirect URL if the accept login already exists and a 410 if it has expired
I can open an issue about this
g
That would be great šŸ™
r
Created an issue. @gray-machine-46287, @late-balloon-3804: LMK if I said anything inaccurate, and of course feel free to provide additional context.
g
Thanks David for creating the issue šŸ™
l
I'm wondering if there are concerns about replay attacks and that's why the auth flow is restarted šŸ¤·šŸ¼ā€ā™‚ļø
r
Yeah, I wondered about that, too. If so, it should be documented: Here's what to do with a 409 (or 410).
If a token is relatively short-lived, replay attacks should be pretty rare
l
we're talking about user sessions too. setting cookies and sending session tokens, etc.
wouldn't a replay attack bypass the identification step? accepting a login request should only happen after we have authenticated the user no? or maybe I'm not thinking straight (I'm under the weather at the moment, so my brain is moving slower than normal šŸ¤’)
r
I think so, yes, but someone has to get their hands on the token, and if it's short-lived that seems unlikely. Much bigger issue for sessions of course, which tend to be long-lived
5 Views
Open in Slack
PreviousNext
Powered by