Kratos CSRF issues without Oathkeeper

davidthor · May 20, 2020, 7:47am

Hi there,

I’ve been exploring the Ory stack to try to build some boilerplate identity/authorization flows for cloud-native / microservices systems, and have been very impressed with the thought that has gone into all the services! I’ve had a few successful trials with Hydra and Keto, but have run into a few issues that I’m struggling to resolve with Kratos - namely with the CSRF tokens and their host associations.

I’ve put together a sample repository that can be used to reproduce my issues, but namely I’ve used my own microservices tool, Architect, to generate and execute the docker-compose to spin up the stack and give everything a resolvable hostname. For simplicity, I’ve elected not to use oathkeeper as the proxy and instead am trying to figure out what hostnames to assign to the ui-node and kratos respectively such that they interact properly with COOKIE security mode on the ui-node. The repository and detailed reproduction instructions are in the repo:

Would someone be able to help be figure out what hosts I can assign to each service (namely kratos and the ui-node) such that CSRF checks will pass?

Thanks in advance,
David

davidthor · April 1, 2020, 9:50pm

Stepped away from my computer and came back to setup the ui-node to pipe content to Kratos only to find that someone was thoughtful enough to do that for me! Turns out with COOKIE security the express ui-node already has a pipe through to act as the proxy to kratos. Just updated the kratos browser url to match the ui-node and all worked great!

github.com

ory/kratos-selfservice-ui-node/blob/master/src/index.ts#L115


  app.get('/auth/login', authHandler('login'))
  app.get('/error', errorHandler)
  app.get('/profile', protect, profileHandler)
  app.get('/verify', verifyHandler)
}


app.get('/health', (_: Request, res: Response) => res.send('ok'))
app.get('/debug', debug)


if (config.securityMode === 'COOKIE') { // ExpressJS proxies Kratos public API
  app.use('/self-service', function(req: Request, res: Response) {
    const url = config.kratos.public + '/self-service' + req.url
    req.pipe(request(url, { followRedirect: false })).pipe(res)
  })
}


app.get('*', (_: Request, res: Response) => {
  res.redirect('/')
})


app.use((err: Error, req: Request, res: Response, next: NextFunction) => {

hackerman · April 2, 2020, 7:29am

We will release this in the next version and also in the docs

If you want to contribute to the docs how you got that working, that would be very helpful! If you want to help, let me know, I’ll point you to the right place

hackerman · April 12, 2020, 11:55am

I have written docs for this topic, hope it helps!