Error authenticating POST requests from browser session behind Oathkeeper #270
Comments
Thank you for the detailed report! We will probably have to make some changes in oathkeeper instead but we can track the issue here :)
I have found the error: the bug is in the oathkeeper project. The cookie_session authenticator has a function which sends a request to the CheckSessionURL asking whether the session_id in the cookie is valid or not. This function, forwardRequestToSessionStore, receives the original request from the user as its first parameter and then makes a new request to the CheckSessionURL. The problem is that this function uses the original request's Method to make the new request to the CheckSessionURL; however, the kratos REST API only accepts the GET method.
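As an added illustration of the mechanism described in the comment above (example code, not Oathkeeper's or Kratos's own): a session-store lookup that copies the caller's method fails against a GET-only endpoint, while forcing GET succeeds. The stub endpoint, the `/api/items` path and the cookie value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newWhoamiStub is a constructed stand-in for Kratos's /sessions/whoami:
// it answers GET only and rejects any other method with 400.
func newWhoamiStub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, `{"error":"csrf token missing"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"active":true}`)
	}))
}

// checkSession forwards the client's cookie to checkSessionURL and returns
// the status the session store answered. reuseMethod=true copies the original
// request's method (the bug described above); false always sends GET.
func checkSession(orig *http.Request, checkSessionURL string, reuseMethod bool) (int, error) {
	method := http.MethodGet
	if reuseMethod {
		method = orig.Method
	}
	req, err := http.NewRequest(method, checkSessionURL, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Cookie", orig.Header.Get("Cookie"))
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	res.Body.Close()
	return res.StatusCode, nil
}

func main() {
	srv := newWhoamiStub()
	defer srv.Close()
	post := httptest.NewRequest(http.MethodPost, "/api/items", nil)
	post.Header.Set("Cookie", "ory_kratos_session=constructed-session-id")
	buggy, _ := checkSession(post, srv.URL+"/sessions/whoami", true)
	fixed, _ := checkSession(post, srv.URL+"/sessions/whoami", false)
	fmt.Println("reusing POST:", buggy, "forcing GET:", fixed) // 400 vs 200
}
```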
The problem still exists. The problem is that no CSRF token is sent with the request, but one possible fix could be to set
Still have the problem with kratos oryd/kratos:v0.10.1 and oathkeeper oryd/oathkeeper:v0.40.0
Adding a bug report here per @aeneasr request on Discord.
Describe the bug
In the following situation, Kratos responds with a 400 error with a message about a missing CSRF token:
/sessions/whoami
as detailed below.
Reproducing the bug
Steps to reproduce the behavior:
cookie_session
. For example:
Resulting in a 400 error from Kratos => 401 error from Oathkeeper.
(Trimmed) Server logs
Server configuration
.oathkeeper.yml
access-rules.yml
Expected behavior
Given a valid ory_kratos_session cookie, expected POST requests to reach the protected API.
Environment
Docker latest images as of 2020-02-27
oryd/oathkeeper
sha256:5f5099ba754180103dae6f4cd827d8d2f6fcc451a2635ed83ab896c5414dea38
oryd/kratos
sha256:e7482ee40663b7f63ca2b5fe0826c01444cf3c2e289480ab1afdc812361f72e3
Additional context
None.