CSRF session cookie could not be decoded


During the login challenge process my login and consent app gets called from Hydra and the following cookie is set: "oauth2_authentication_csrf": "MTU1OTA1NTA4OXxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGRpWkRFeVkySmtZMkl6WkRRNFpUVTVOVFprWVdGalpqSmlZMkV3WXpaaHzQv2McMa8bLeZI7MIPQJlN1g-FVud4PVrAUDUaYk24Rw=="

When I call PUT

I get the redirect

Again, the only cookie I currently have from Hydra is the oauth2_authentication_csrf.
Once I do the redirect, I get the following error: level=error msg="An error occurred" debug="CSRF session cookie could not be decoded" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."

What am I missing here?


Could you show the complete flow? This works best by sharing the network payloads (feel free to remove/obfuscate sensitive data) of all “DOC” or “HTML” requests in the DevTools (assuming Chrome).

Also, as always, please share the version you’re using, your configuration, and potential log files.


Thanks for getting back to me, but I figured out my issue. My login and consent client is being managed by our API, which is in Java. I was creating new HttpClients to call the Hydra Admin. I then used those clients to call the redirect. I realized that I needed to do the redirect on the HttpClient that was handling the login request from Hydra. Even though I was adding the cookies to the new client, it was still failing. This was my mistake.
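To make the failure mode in this thread concrete, here is an added example that is not part of the original posts and not Hydra's code: a constructed in-memory stand-in for the three steps that matter (the browser hitting the authorization endpoint and receiving the oauth2_authentication_csrf cookie, the login app accepting the challenge through the admin API, and something following the returned redirect back to Hydra). The endpoint shapes, the plain-text cookie value and the subject are assumptions made for the simulation; real Hydra stores an encoded token in the cookie and compares it with the token persisted for the login request. The point it shows is that the CSRF cookie lives in the user agent that started the flow, so the redirect must be performed by that same cookie-holding session, not by a fresh server-side client.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Name of the cookie quoted in the thread.
CSRF_COOKIE = "oauth2_authentication_csrf"


class FakeHydra:
    """Constructed stand-in for Hydra's public and admin endpoints (example only)."""

    def __init__(self):
        # login_challenge -> {"csrf": token bound to the browser, "subject": accepted user}
        self.login_requests = {}

    def authorize(self):
        """Browser hits the authorization endpoint: Hydra creates a login
        request, sets the CSRF cookie on the browser and redirects to the
        login app with a login_challenge."""
        challenge = secrets.token_hex(8)
        csrf = secrets.token_hex(16)
        self.login_requests[challenge] = {"csrf": csrf, "subject": None}
        return {
            "status": 302,
            "location": f"/login?login_challenge={challenge}",
            "set_cookie": {CSRF_COOKIE: csrf},
        }

    def admin_accept_login(self, challenge, subject):
        """Login app calls the admin API server-to-server. No browser cookie
        is involved here; the answer is only a URL the browser must be sent to."""
        self.login_requests[challenge]["subject"] = subject
        return {"redirect_to": f"/oauth2/auth?login_verifier={challenge}"}

    def verify_login(self, url, cookies):
        """Whoever follows redirect_to lands here. The CSRF cookie must be
        present and match the token bound to this login request."""
        challenge = parse_qs(urlparse(url).query)["login_verifier"][0]
        req = self.login_requests.get(challenge)
        if req is None or req["subject"] is None:
            return {"status": 403, "error": "request_forbidden",
                    "debug": "login request unknown or not accepted"}
        token = cookies.get(CSRF_COOKIE)
        if token is None or not secrets.compare_digest(token, req["csrf"]):
            # Same error the thread reports when the cookie is absent or unusable.
            return {"status": 403, "error": "request_forbidden",
                    "debug": "CSRF session cookie could not be decoded"}
        return {"status": 302, "location": "/consent", "subject": req["subject"]}


def run_flow(mode):
    """Simulate one login.
    mode == "browser":      the browser that received the cookie follows redirect_to
    mode == "fresh_client": a newly created server-side HttpClient follows it (empty jar)
    mode == "tampered":     a client presents a cookie Hydra never issued
    """
    hydra = FakeHydra()
    browser_jar = {}

    # 1. Browser starts the OAuth2 flow; the CSRF cookie is stored in the browser.
    r = hydra.authorize()
    browser_jar.update(r["set_cookie"])
    challenge = parse_qs(urlparse(r["location"]).query)["login_challenge"][0]

    # 2. Login app accepts the challenge via the admin API (constructed subject).
    accepted = hydra.admin_accept_login(challenge, subject="alice@example.com")

    # 3. Follow redirect_to with the chosen cookie jar.
    jars = {
        "browser": browser_jar,
        "fresh_client": {},
        "tampered": {CSRF_COOKIE: secrets.token_hex(16)},
    }
    return hydra.verify_login(accepted["redirect_to"], jars[mode])


if __name__ == "__main__":
    for mode in ("browser", "fresh_client", "tampered"):
        print(mode, run_flow(mode))
```

Only the "browser" run reaches the consent step; the other two reproduce the request_forbidden error from the thread, which is why a second HttpClient created on the server cannot complete the redirect on the user's behalf.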