CSRF session cookie could not be decoded

#1

During the login challenge process my login and consent app gets called from Hydra and the following cookie is set: "oauth2_authentication_csrf": "MTU1OTA1NTA4OXxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGRpWkRFeVkySmtZMkl6WkRRNFpUVTVOVFprWVdGalpqSmlZMkV3WXpaaHzQv2McMa8bLeZI7MIPQJlN1g-FVud4PVrAUDUaYk24Rw=="

When I call PUT http://127.0.0.1:4445/oauth2/auth/requests/login/accept?login_challenge=f09cd73f51624e5b9b7651f628b5d1a6

I get the redirect http://127.0.0.1:4444/oauth2/auth?client_id=zapier-test-client-id&deviceId=e6c1518b-6364-4985-bd65-5375413865e3&login_verifier=bf124df7bc554605838ae94492520ac7&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=offline&state=testingStateout2&userId=2de8c76b-2cb7-43fb-bb7e-ed0b1e7cdef5

Again, the only cookie I currently have from Hydra is the oauth2_authentication_csrf.
Once I do the redirect, I get the following error: level=error msg="An error occurred" debug="CSRF session cookie could not be decoded" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."

What am I missing here?

#2

Could you show the complete flow? This works best by sharing the network payloads (feel free to remove/obfuscate sensitive data) of all “DOC” or “HTML” requests in the DevTools (assuming Chrome).

Also, as always, please share the version you’re using, your configuration, and potential log files.

#3

Thanks for getting back to me, but I figured out my issue. My login and consent client is being managed by our API, which is in Java. I was creating new HttpClients to call the Hydra admin API. I then used those clients to call the redirect. I realized that I needed to do the redirect on the HttpClient that was handling the login request from Hydra. Even though I was adding the cookies to the new client, it was still failing. This was my mistake.
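The failure mode described in this thread, reproduced as an added, self-contained Go example (written for this page; it is not ORY Hydra's code and not the poster's Java code). A small httptest server stands in for the authorization server: the first hit on /oauth2/auth sets the oauth2_authentication_csrf cookie and redirects to a login endpoint, which "accepts" immediately and sends the user agent back with a login_verifier. The return leg only succeeds if the cookie that comes back is the one bound to that verifier. RunFlow then follows the login redirect either with a client sharing the original cookie jar (succeeds) or with a freshly created client (fails with 403, the same request_forbidden outcome the poster hit). Assumptions and simplifications, all constructed here: the cookie value is a random hex token rather than Hydra's encoded session cookie, the login_challenge doubles as the login_verifier, and there is no admin API call; the point is only that the user agent returning from the login provider must present the cookie it was given when the flow started.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync"
)

// Name of the cookie the thread is about.
const csrfCookie = "oauth2_authentication_csrf"

// fakeAuthServer is a constructed stand-in for the authorization server's CSRF
// binding (not Hydra's implementation): the value in the browser cookie must
// match the value recorded for the login_verifier that comes back.
type fakeAuthServer struct {
	mu       sync.Mutex
	expected map[string]string // login_verifier -> CSRF value expected in the cookie
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// handleAuth serves both legs: without login_verifier it starts the flow,
// with it it checks that the CSRF cookie belongs to that flow.
func (s *fakeAuthServer) handleAuth(w http.ResponseWriter, r *http.Request) {
	verifier := r.URL.Query().Get("login_verifier")
	if verifier == "" {
		token, challenge := randomHex(16), randomHex(16)
		s.mu.Lock()
		s.expected[challenge] = token // simplification: challenge doubles as verifier
		s.mu.Unlock()
		http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: token, Path: "/", HttpOnly: true})
		http.Redirect(w, r, "/login?login_challenge="+challenge, http.StatusFound)
		return
	}
	c, err := r.Cookie(csrfCookie)
	s.mu.Lock()
	want, known := s.expected[verifier]
	delete(s.expected, verifier) // single use
	s.mu.Unlock()
	if err != nil || !known || c.Value != want {
		// The user agent returning from the login provider did not present
		// the cookie set when the flow started: reject the request.
		http.Error(w, `error=request_forbidden debug="CSRF session cookie could not be decoded"`, http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "login accepted, continuing to consent")
}

// handleLogin stands in for the login provider: it accepts immediately and
// sends the user agent back to the authorization server with a login_verifier.
func (s *fakeAuthServer) handleLogin(w http.ResponseWriter, r *http.Request) {
	challenge := r.URL.Query().Get("login_challenge")
	http.Redirect(w, r, "/oauth2/auth?client_id=demo&login_verifier="+challenge, http.StatusFound)
}

func NewTestServer() *httptest.Server {
	s := &fakeAuthServer{expected: map[string]string{}}
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/auth", s.handleAuth)
	mux.HandleFunc("/login", s.handleLogin)
	return httptest.NewServer(mux)
}

// RunFlow starts the flow with one client and then follows the login redirect
// with a client that either shares that client's cookie jar (sameJar=true)
// or has a fresh, empty jar. It returns the final HTTP status code.
func RunFlow(base string, sameJar bool) (int, error) {
	jar, _ := cookiejar.New(nil)
	first := &http.Client{Jar: jar, CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // do not auto-follow; hand the Location over manually
	}}
	resp, err := first.Get(base + "/oauth2/auth?client_id=demo&response_type=code")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusFound {
		return resp.StatusCode, fmt.Errorf("expected 302 from /oauth2/auth, got %d", resp.StatusCode)
	}
	next := base + resp.Header.Get("Location")

	second := &http.Client{Jar: jar} // same jar: the CSRF cookie travels with the redirect
	if !sameJar {
		freshJar, _ := cookiejar.New(nil)
		second = &http.Client{Jar: freshJar} // the poster's mistake: a new client, empty jar
	}
	final, err := second.Get(next) // follows /login -> /oauth2/auth?login_verifier=...
	if err != nil {
		return 0, err
	}
	final.Body.Close()
	return final.StatusCode, nil
}

func main() {
	srv := NewTestServer()
	defer srv.Close()
	for _, same := range []bool{true, false} {
		code, err := RunFlow(srv.URL, same)
		fmt.Printf("same cookie jar=%v -> status %d err=%v\n", same, code, err)
	}
}
```

Copying the cookie value into a second client by hand, as the poster tried, would only work if the copied cookie were attached to exactly the host and path the authorization server reads it from and had not been consumed in the meantime; letting the user agent that received the Set-Cookie perform the redirect is the robust fix.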