No CSRF value available in the session cookie



I got error when trying to setup hydra and my login page. I even tried it with hydra-login-consent-node demo, the same issue occurred.

time="2018-10-02T02:27:01Z" level=info msg="started handling request" method=GET remote="" request="/oauth2/auth?client_id=d0a5928b-47e3-4f72-9c02-b2d95887da6f&login_verifier=9861d23bbabe4ee1968975cdfbb5f6c5&redirect_uri=http%3A%2F%2Flocalhost%3A9020%2Fcallback&response_type=code&scope=&state=1234567890"
time="2018-10-02T02:27:01Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."

I only added callback page on the demo code as below:

var callback = require('./routes/callback');
app.use('/callback', callback);

I tried with hydra 1.0.0-beta.9

hydra version                                                                                       
Version:    v1.0.0-beta.9
Git Hash:   f359d0809badec1219d4678afe54ae628b0bdf70
Build Time: 2018-09-19T03:41:54Z

and triggered hydra with command below:

SYSTEM_SECRET=$(export LC_CTYPE=C; cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) \
OAUTH2_ISSUER_URL=http://localhost:4444/ \
OAUTH2_CONSENT_URL=http://localhost:3000/consent \
OAUTH2_LOGIN_URL=http://localhost:3000/login \
hydra serve --dangerous-force-http all

Please help.
Thank you in advance.


oh got it…

its my own fault. I generated the login_challenge url using postman but trigger it and run the login page on chrome. so the oauth2_authentication_csrf cookie not generated on chrome.

my bad.