Hydra cookie reject by browser

ORY Hydra
#1

Hi Experts,

recently i’m facing a problem related to the hydra cookie. when we test in the local everything works fine for the redirect from hydra to login page because its under same domain localhost. However after we deploy to our dev environment, we cannot receive the cookie when hydra redirect to our login url. I suspect this is because the cookie is rejected by browser because the domain is different from hydra and our app. so my question is how can we specify the domain in hydra if we want to use different subdomains for hydra and our app.

for example this is our hydra auth url:
https://public-hydra.dev-1.app/oauth2/auth?client_id=xilo-client&

then it will redirect to our login url: https://usersvc.dev-1.app/login?login_challenge=a318ac65193f45fb95d3d10e220f43f3

we cannot capture the cookie from hydra. if is is caused by the domain, how can we tell hydra the domain is dev-1.app instead of public-hydra.dev-1.app so it can share its cookie to other subdomain?

Please let me know if you want more information. thank you in advance.

Screen Shot 2020-11-14 at 11.38.08 AM
Screen Shot 2020-11-14 at 11.38.08 AM1412×185 47.8 KB
Screen Shot 2020-11-14 at 11.38.17 AM
Screen Shot 2020-11-14 at 11.38.17 AM795×105 20 KB

#2

I believe the problem could have to do with SAME_SITE. WHat version are you using?

#3

we were using version 1.3.2 but after upgrade to version 1.8.5 the problem still exist. the SAME_SITE value is NONE. From the official document it mentioned that the chrome will reject the cookies without secure flag. how could we set the flag for secure? could you please give me some advice? thank you.

Screen Shot 2020-11-16 at 9.53.41 PM
Screen Shot 2020-11-16 at 9.53.41 PM2238×508 192 KB

#4

If the secure flag is missing you are using --dangerous-force-http which is just for local testing. Do not do that in prod.

#5

thank you very much. i just disable the setting and i got another error: {“error”:“error”,“error_verbose”:“The error is unrecognizable.”,“error_description”:“The error is unrecognizable.\n\ncan not serve request over insecure http”,“status_code”:500,“error_debug”:“can not serve request over insecure http”}

seems this error related to tls? do you have any idea for the reason to cause this error? thank you

#6

It’s in the error message :wink:

#7

yes :joy: i fixed this issue but there is still no cookies when it redirect to our login page, this is the snapshot for your information: is there any configuration i might missing for this case?

Screen Shot 2020-11-16 at 11.11.00 PM
Screen Shot 2020-11-16 at 11.11.00 PM1387×207 53.6 KB

#8

Wait, you want to read ORY Hydra’s cookie in your login app? That is not possible, by design.

#9

is it possible caused by the domain difference between hydra and our web app? for example the domain for our web app is web.dev-1.app and for hydra is public-hydra.dev-1.app ? from our expectation we wish to use sub domain for web and hydra and the browser could recognize the domain is dev-1.app instead of public-hydra.dev-1.app. Is it possible to specify the domain in hydra? thank you :slight_smile:

#10

sorry maybe i didn’t describe my question clearly. On your official hydra node consent example , you are returning a static login page with csrf cookie embedded in the page. but in our case, we are redirecting to login page on another server where website server is deployed. will this cause the problem that browser cannot capture the csrf cookie for public hydra? as you can see from the screenshot there is no oauth2_authentication_csrf cookie in our login page. thank you

Screen Shot 2020-11-17 at 12.47.39 AM
Screen Shot 2020-11-17 at 12.47.39 AM1365×378 34.9 KB

#11

That cookie is not used by the login app, just ignore it.

#12

The login app csrf token is only to prevent csrf on the submit forms, it is not related to hydra.

#13

thank you for you reply. finally i solved this problem by using same domain for both hydra and our app :slight_smile:

1 Like