No CSRF token generated after being redirected to /login?login_challenge=

Hi,
I’m implementing the Authorisation Code grant using a docker-compose file running a PHP Laravel app (served by nginx), MySQL and Hydra:

version: "3.7"

services:
  #
  # PHP-FPM
  #
  app:
    image: vendhq/oauth-poc
    container_name: oauth_app
    restart: unless-stopped
    tty: true
    ports:
      - 9000
    build:
      context: .
      dockerfile: php.dockerfile
      args:
        - UID=1000
        - XDEBUG_PORT=9001
        - XDEBUG_IDE_KEY=vend-backend
        - OPCACHE_VALIDATE_TIMESTAMPS=1
    depends_on:
      - mysql
    command: sh -c "/wait && /bootstrap.sh"
    environment:
      - WAIT_HOSTS=mysql:3306
      - WAIT_HOSTS_TIMEOUT=300
      - WAIT_SLEEP_INTERVAL=10
      - WAIT_HOST_CONNECT_TIMEOUT=30
    volumes:
      - ./src:/var/www/html:rw
      - ./config/dev/php/php.ini:/usr/local/etc/php/php.ini
    networks:
      - net
  #
  # NGINX
  #
  nginx:
    image: nginx:1.19.1-alpine
    container_name: oauth_nginx
    restart: unless-stopped
    tty: true
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./src:/var/www/html:rw
      - ./config/dev/nginx/:/etc/nginx/conf.d/
    networks:
      - net

  #
  # MYSQL
  #
  mysql:
    image: mysql:5.7
    container_name: oauth_mysql
    ports:
      - "3306:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_DATABASE=oauth
    networks:
      - net

  #
  # HYDRA MIGRATE
  #
  hydra-migrate:
    image: oryd/hydra:v1.6.0
    container_name: oauth_hydra_migrate
    environment:
      # The DSN must point at a user and schema that actually exist on the mysql
      # service; the mysql service above only defines root/password and the
      # "oauth" schema, so "user" and the "mysql" schema have to be created
      # separately for this to work.
      - DSN=mysql://user:password@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4&parseTime=true
    command:
      migrate sql -e --yes
    depends_on:
      - mysql
    restart: on-failure
    networks:
      - net

  #
  # HYDRA
  #
  hydra:
    image: oryd/hydra:v1.6.0
    container_name: oauth_hydra
    # Both --dangerous-* flags disable TLS / https-redirect-URL enforcement and
    # are for local development only; never ship them.
    command:
      serve all --dangerous-force-http --dangerous-allow-insecure-redirect-urls=http://localhost/callback
    depends_on:
      - hydra-migrate
    environment:
      - DSN=mysql://user:password@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4&parseTime=true
      # Issuer, login and error URLs all use 127.0.0.1. Hydra's CSRF cookie is
      # bound to the host the browser uses to reach /oauth2/auth, so the
      # browser-facing part of the flow has to stay on one host end to end.
      - URLS_SELF_ISSUER=http://127.0.0.1:4444
      - URLS_LOGIN=http://127.0.0.1/login
      - URLS_ERROR=http://127.0.0.1/oauth-error
      # Debug-only: these write secrets and internal errors to logs/responses.
      - LOG_LEAK_SENSITIVE_VALUES=true
      - OAUTH2_EXPOSE_INTERNAL_ERRORS=true
      - LOG_LEVEL=debug
    ports:
      - "4444:4444" # Public port
      - "4445:4445" # Admin port (must not be reachable from the internet)
      - "5555:5555" # Port for hydra token user
    volumes:
      - ./config/dev/hydra/certs/:/hydra_certs
    restart: unless-stopped
    networks:
      - net

# Docker Networks
networks:
  net:
    driver: bridge

Everything goes well until I get the redirect_uri from the login consent PUT request. When I redirect the user to it, I get this error:

"error" => "request_forbidden"
"error_debug" => "No CSRF value available in the session cookie"
"error_description" => "The request is not allowed"
"error_hint" => "You are not allowed to perform this action."
"state" => "som3-stat3"

These are the steps I’m doing:

[Screenshot: Screen Shot 2020-08-13 at 10.03.34 AM]

  • I enter the user credentials and submit the form (which includes the PUT request to /requests/login/accept?login_challenge=...). I get the redirect_uri back as the response, but redirecting the user there gives me the error above.

Can someone see what I’m doing wrong?

Thanks!
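As an added example (not part of the original post and not Hydra's own code), the script below models why a browser can arrive at Hydra's /oauth2/auth?...&login_verifier=... URL without the CSRF cookie that Hydra set on the very first /oauth2/auth request, which is exactly the condition behind "No CSRF value available in the session cookie". It uses only the standard library's cookie jar to apply browser cookie-scoping rules, so it runs offline. Assumptions: the cookie name oauth2_authentication_csrf and the token and verifier values are constructed; the two hosts come from the compose file above, where the issuer is 127.0.0.1:4444 while the whitelisted redirect URL uses localhost. The script shows what happens when the flow starts on one of those hosts and the login-accept redirect lands on the other, and what happens if the cookie carries the Secure flag while the stack speaks plain HTTP. Whether either of these is what went wrong in this thread is not stated on the page.

```python
"""Model of how a browser scopes the CSRF cookie ORY Hydra sets on /oauth2/auth.

Constructed example using only http.cookiejar; no Hydra instance is contacted.
The cookie name, token and verifier values are assumptions for illustration.
"""
import http.cookiejar
import urllib.request
from email.message import Message

# Hosts taken from the compose file: the issuer is 127.0.0.1:4444, while the
# whitelisted redirect URL uses localhost. Browser cookies ignore the port but
# treat "localhost" and "127.0.0.1" as unrelated hosts.
ISSUER_HOST = "http://127.0.0.1:4444"
ALT_HOST = "http://localhost:4444"

CSRF_COOKIE = "oauth2_authentication_csrf"   # assumed cookie name


class _FakeResponse:
    """Just enough of a urllib response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def start_authorization(jar, base_url, secure=False):
    """Simulate the browser hitting GET {base_url}/oauth2/auth.

    Hydra answers with its CSRF cookie and a 302 to URLS_LOGIN. The browser
    binds that cookie to the host it used for this request.
    """
    request = urllib.request.Request(
        base_url + "/oauth2/auth?response_type=code&state=som3-stat3")
    attrs = "Path=/; HttpOnly"
    if secure:
        # Hydra marks the cookie Secure unless --dangerous-force-http is set.
        attrs += "; Secure"
    response = _FakeResponse([CSRF_COOKIE + "=constructed-token; " + attrs])
    jar.extract_cookies(response, request)


def cookies_for_login_verifier(jar, base_url):
    """Return the Cookie header the browser would attach when it follows the
    redirect_to URL returned by /oauth2/auth/requests/login/accept, i.e.
    {base_url}/oauth2/auth?...&login_verifier=...

    None means Hydra receives no CSRF cookie and answers request_forbidden.
    """
    request = urllib.request.Request(
        base_url + "/oauth2/auth?login_verifier=constructed-verifier")
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def csrf_cookie_survives(start_url, verifier_url, secure=False):
    """True when the CSRF cookie set at start_url is sent back to verifier_url."""
    jar = http.cookiejar.CookieJar()
    start_authorization(jar, start_url, secure=secure)
    header = cookies_for_login_verifier(jar, verifier_url)
    return header is not None and (CSRF_COOKIE + "=") in header


if __name__ == "__main__":
    # Same host throughout: the cookie comes back and the CSRF check can pass.
    print("127.0.0.1 -> 127.0.0.1:", csrf_cookie_survives(ISSUER_HOST, ISSUER_HOST))
    # Flow started on localhost, redirect lands on the 127.0.0.1 issuer: no cookie.
    print("localhost -> 127.0.0.1:", csrf_cookie_survives(ALT_HOST, ISSUER_HOST))
    # Secure cookie but the stack runs plain http: the browser withholds it.
    print("Secure cookie over http:",
          csrf_cookie_survives(ISSUER_HOST, ISSUER_HOST, secure=True))
```

The practical check this gives you: open the browser's cookie view after the first /oauth2/auth redirect, confirm a cookie is stored for the same host and scheme the login_verifier redirect will use, and compare that host to URLS_SELF_ISSUER and to the client's redirect URL. If the stored cookie's host or Secure flag does not fit the redirect, Hydra will reject the verifier exactly as in the error quoted above.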

Hey @hackerman, thanks for this. It works perfectly now.
