"CSRF session cookie could not be decoded" after login accept


I’m currently trying to implement my login&consent app in go for using Hydra.

I’ve been able to install hydra using a docker compose file for my dev environment and I’ve been able to create my oauth client without any problem. I’ve implemented a login form using this repo as example

My problem is when I want to accept the login, I execute the following request:
PUT http://localhost:4445/oauth2/auth/requests/login/accept?login_challenge=$LOGIN_CHALLENGE
which gives me a redirect url to the public hydra endpoint, but I when I redirect my client on it, I get an error redirection (http://localhost:3000/callback?error=request_forbidden&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action.&state=2b6eea4a-7c71-4b42-a1e5-c55bf8fa683e) and when I check the log of hydra I get this error: “CSRF session cookie could not be decoded”

Here’s my docker-compose:

  image: oryd/hydra:latest
    - "4444:4444" # Public port
    - "4445:4445" # Admin port
    serve all --dangerous-force-http
    - hydra-migrate
    - URLS_CONSENT=http://localhost:8000/consent
    - URLS_LOGIN=http://localhost:8000/login
    - URLS_LOGOUT=http://localhost:8000/logout
    - URLS_ERROR=http://localhost:8000/error
    - URLS_POST_LOGOUT_REDIRECT=https://reyah.eu/
    - DSN=postgres://hydra:[email protected]:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
    - SECRETS_SYSTEM=thisisonlyfordevpurpose
    - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
    - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=thisisonlyfordevpurpose

Here’s my Go code that handle the POST /login (I’m using gin)

func (s *Server) handlerPostLogin(c *gin.Context) {
    [...] // My code that handle if the user exist and as entered the correct password

    params := admin.NewAcceptLoginRequestParamsWithTimeout(10 * time.Second).
   			Remember:    req.Remember,
			RememberFor: 3600,
    		Subject:     &req.Email,
   	acceptLogin, err := s.hydra.Admin.AcceptLoginRequest(params)
	if err != nil {
		generateTemplatedError(c, http.StatusInternalServerError)
	c.Redirect(http.StatusFound, acceptLogin.Payload.RedirectTo)

If I check my redirection on the chrome dev tools, I can see the csrf cookie:

(PS: /callback is my redirect_uri)

Chrome version: 73
Hydra version: v1.0.0+oryOS.12

I am really desperate :grinning:

Thanks in advance for any help

I finally figured out my problem and it’s extremly stupid

I started my login flow using http://localhost/oauth2/auth[...] but in the configuration of hydra I specified for the issuer url, so when I got the url back after my login accept, it was an url in and of course my csrf cookie is only available from http://localhost.

It could be great to display a warning in the logs of hydra when we try to access hydra using a different url from the self issuer url, nope ?

That’s a good point! We should also document this very visibly. Would you be up to contribute these changes? I’m happy to help

What is the best strategy here, should we block the request or just display a warning in the log ?

A visible warning in the logs and a section in the docs makes sense