Hi,
I’m implementing the Authorisation Code grant using a docker-compose file running a php laravel app (with nginx to serve it), mysql and hydra:
version: "3.7"
services:
#
# PHP-FPM
#
app:
image: vendhq/oauth-poc
container_name: oauth_app
restart: unless-stopped
tty: true
ports:
- 9000
build:
context: .
dockerfile: php.dockerfile
args:
- UID=1000
- XDEBUG_PORT=9001
- XDEBUG_IDE_KEY=vend-backend
- OPCACHE_VALIDATE_TIMESTAMPS=1
depends_on:
- mysql
command: sh -c "/wait && /bootstrap.sh"
environment:
- WAIT_HOSTS=mysql:3306
- WAIT_HOSTS_TIMEOUT=300
- WAIT_SLEEP_INTERVAL=10
- WAIT_HOST_CONNECT_TIMEOUT=30
volumes:
- ./src:/var/www/html:rw
- ./config/dev/php/php.ini:/usr/local/etc/php/php.ini
networks:
- net
#
# NGINX
#
nginx:
image: nginx:1.19.1-alpine
container_name: oauth_nginx
restart: unless-stopped
tty: true
ports:
- 80:80
- 443:443
volumes:
- ./src:/var/www/html:rw
- ./config/dev/nginx/:/etc/nginx/conf.d/
networks:
- net
#
# MYSQL
#
mysql:
image: mysql:5.7
container_name: oauth_mysql
ports:
- "3306:3306"
environment:
- MYSQL_ROOT_PASSWORD=password
- MYSQL_DATABASE=oauth
networks:
- net
#
# HYDRA MIGRATE
#
hydra-migrate:
image: oryd/hydra:v1.6.0
container_name: oauth_hydra_migrate
environment:
- DSN=mysql://user:password@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4&parseTime=true
command:
migrate sql -e --yes
depends_on:
- mysql
restart: on-failure
networks:
- net
#
# HYDRA
#
hydra:
image: oryd/hydra:v1.6.0
container_name: oauth_hydra
command:
serve all --dangerous-force-http --dangerous-allow-insecure-redirect-urls=http://localhost/callback
depends_on:
- hydra-migrate
environment:
- DSN=mysql://user:password@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4&parseTime=true
- URLS_SELF_ISSUER=http://127.0.0.1:4444
- URLS_LOGIN=http://127.0.0.1/login
- URLS_ERROR=http://127.0.0.1/oauth-error
- LOG_LEAK_SENSITIVE_VALUES=true
- OAUTH2_EXPOSE_INTERNAL_ERRORS=true
- LOG_LEVEL=debug
ports:
- "4444:4444" # Public port
- "4445:4445" # Admin port
- "5555:5555" # Port for hydra token user
volumes:
- ./config/dev/hydra/certs/:/hydra_certs
restart: unless-stopped
networks:
- net
# Docker Networks
networks:
net:
driver: bridge
Everything goes well until I get the redirect_uri
from the login consent PUT request. When I redirect the user to it I got this error:
"error" => "request_forbidden"
"error_debug" => "No CSRF value available in the session cookie"
"error_description" => "The request is not allowed"
"error_hint" => "You are not allowed to perform this action."
"state" => "som3-stat3"
These are the steps I’m doing:
- GET http://127.0.0.1:4444/oauth2/auth?scope=openid+offline_access&response_type=code&client_id=b5b61016-c517-4f63-827d-5c8325932fc6&redirect_uri=http://127.0.0.1/callback&state=som3-stat3&code_challenge=uJtRM_p2LSPAPQSiYyfl12HclbOgGtHImsAkmwWyjOo&code_challenge_method=S256&prompt=login which redirects me to the /login URL with a login_challenge but I can’t see a CSRF token generated there, only the one Laravel created:
- Enter the user credentials and send the form (including the PUT request to
/requests/login/accept?login_challenge=...
) and I get theredirect_uri
as a response but then redirecting the user there gives me the error above.
Can someone see what I’m doing wrong?
Thanks!