"CSRF session cookie could not be decoded" after login accept

ORY Hydra
#1

Hello,

I’m currently trying to implement my login&consent app in go for using Hydra.

I’ve been able to install hydra using a docker compose file for my dev environment and I’ve been able to create my oauth client without any problem. I’ve implemented a login form using this repo as example

My problem is when I want to accept the login, I execute the following request:
PUT http://localhost:4445/oauth2/auth/requests/login/accept?login_challenge=$LOGIN_CHALLENGE
which gives me a redirect url to the public hydra endpoint, but I when I redirect my client on it, I get an error redirection (http://localhost:3000/callback?error=request_forbidden&error_description=The+request+is+not+allowed&error_hint=You+are+not+allowed+to+perform+this+action.&state=2b6eea4a-7c71-4b42-a1e5-c55bf8fa683e) and when I check the log of hydra I get this error: “CSRF session cookie could not be decoded”

Here’s my docker-compose:

hydra:
  image: oryd/hydra:latest
  ports:
    - "4444:4444" # Public port
    - "4445:4445" # Admin port
  command:
    serve all --dangerous-force-http
  depends_on:
    - hydra-migrate
  environment:
    - URLS_SELF_ISSUER=http://127.0.0.1:4444
    - URLS_CONSENT=http://localhost:8000/consent
    - URLS_LOGIN=http://localhost:8000/login
    - URLS_LOGOUT=http://localhost:8000/logout
    - URLS_ERROR=http://localhost:8000/error
    - URLS_POST_LOGOUT_REDIRECT=https://reyah.eu/
    - DSN=postgres://hydra:secret@hydra-db:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
    - SECRETS_SYSTEM=thisisonlyfordevpurpose
    - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
    - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=thisisonlyfordevpurpose

Here’s my Go code that handle the POST /login (I’m using gin)

func (s *Server) handlerPostLogin(c *gin.Context) {
    [...] // My code that handle if the user exist and as entered the correct password

    params := admin.NewAcceptLoginRequestParamsWithTimeout(10 * time.Second).
		WithLoginChallenge(req.LoginChallenge).
		WithBody(&models.HandledLoginRequest{
   			Remember:    req.Remember,
			RememberFor: 3600,
    		Subject:     &req.Email,
		})
   	acceptLogin, err := s.hydra.Admin.AcceptLoginRequest(params)
	if err != nil {
		generateTemplatedError(c, http.StatusInternalServerError)
		return
	}
	c.Redirect(http.StatusFound, acceptLogin.Payload.RedirectTo)
}

If I check my redirection on the chrome dev tools, I can see the csrf cookie:

Capture%20d%E2%80%99%C3%A9cran%20de%202019-07-26%2023-05-20
Capture d’écran de 2019-07-26 23-05-20.png1851×467 81.4 KB

(PS: /callback is my redirect_uri)

Chrome version: 73
Hydra version: v1.0.0+oryOS.12

I am really desperate :grinning:

Thanks in advance for any help

#2

I finally figured out my problem and it’s extremly stupid

I started my login flow using http://localhost/oauth2/auth[...] but in the configuration of hydra I specified http://127.0.0.1 for the issuer url, so when I got the url back after my login accept, it was an url in http://127.0.0.1 and of course my csrf cookie is only available from http://localhost.

It could be great to display a warning in the logs of hydra when we try to access hydra using a different url from the self issuer url, nope ?

#3

That’s a good point! We should also document this very visibly. Would you be up to contribute these changes? I’m happy to help

#4

What is the best strategy here, should we block the request or just display a warning in the log ?

#5

A visible warning in the logs and a section in the docs makes sense