Hydra fork does not work with kratos 1.1.0

nsklikas commented 2 months ago

With the addition of token lifespans to the client configuration, hydra 2.3.0(fork) does not work with with kratos 1.1.0. The reason is that when Kratos tries to fetch the hydra login flow using the login_challenge, the flow that hydra returns includes the client. The client metadata contain the new lifespan fields and kratos throws an error because it does not allow extra fields when parsing the hydra responses. This issue does not occur with kratos v1.0.0

To overcome this we could remove the hydra configuration from kratos and handle the flow from the login UI.

To reproduce this you can:

fetch https://github.com/canonical/identity-platform-login-ui/tree/bug-demo
assuming you have github credentials set on .env, run docker compose up --build --remove-orphans

initiate a device flow by running:

code_client=$(hydra create client \
--endpoint http://localhost:4445 \
--grant-type authorization_code,refresh_token,urn:ietf:params:oauth:grant-type:device_code \
--response-type code \
--format json \
--scope openid,offline_access,email,profile \
--redirect-uri http://127.0.0.1:4446/callback \
--audience app_client \
)
curl -X POST localhost:4444/oauth2/device/auth \
-d "scope=openid email offline_access" \
-d client_id=`echo "$code_client" | yq .client_id` \
-u `echo "$code_client" | yq .client_id`:`echo "$code_client" | yq .client_secret`

If you go to the returned verification_uri and enter the user_code, you will get the following Kratos error:

kratos                        | time=2024-05-01T11:08:02Z level=info msg=An error occurred while handling a request func=github.com/ory/x/logrusx.(*Logger).ReportError file=/go/pkg/mod/github.com/ory/x@v0.0.614/logrusx/logrus.go:230 audience=application error=map[debug:json: unknown field "device_authorization_grant_id_token_lifespan" details:map[status_code:200] message:The request was malformed or contained invalid parameters reason:Unable to get OAuth 2.0 Login Challenge. stack_trace:
kratos                        | github.com/ory/kratos/hydra.(*DefaultHydra).GetLoginRequest
kratos                        |         /project/hydra/hydra.go:169
kratos                        | github.com/ory/kratos/selfservice/flow/login.(*Handler).createBrowserLoginFlow
kratos                        |         /project/selfservice/flow/login/handler.go:456
kratos                        | github.com/ory/kratos/x.(*RouterPublic).GET.NoCacheHandle.func1
kratos                        |         /project/x/nocache.go:21
kratos                        | github.com/ory/kratos/x.(*RouterPublic).Handle.NoCacheHandle.func1
kratos                        |         /project/x/nocache.go:21
kratos                        | github.com/julienschmidt/httprouter.(*Router).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387
kratos                        | github.com/ory/nosurf.(*CSRFHandler).handleSuccess
kratos                        |         /go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234
kratos                        | github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:191
kratos                        | github.com/urfave/negroni.(*Negroni).UseHandler.Wrap.func1
kratos                        |         /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46
kratos                        | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
kratos                        | github.com/ory/kratos/x.glob..func1
kratos                        |         /project/x/clean_url.go:15
kratos                        | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
kratos                        | github.com/rs/cors.(*Cors).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/rs/cors@v1.8.2/cors.go:266
kratos                        | github.com/ory/kratos/cmd/daemon.servePublic.func1
kratos                        |         /project/cmd/daemon/serve.go:114
kratos                        | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP
kratos                        |         /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:284
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:142
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:92
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
kratos                        |         /go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:104
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
kratos                        |         /go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:234
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/ory/x/prometheusx.Metrics.Instrument.Metrics.instrumentHandlerStatusBucket.func1
kratos                        |         /go/pkg/mod/github.com/ory/x@v0.0.614/prometheusx/metrics.go:115
kratos                        | net/http.HandlerFunc.ServeHTTP
kratos                        |         /usr/local/go/src/net/http/server.go:2136
kratos                        | github.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP
kratos                        |         /go/pkg/mod/github.com/ory/x@v0.0.614/prometheusx/middleware.go:41
kratos                        | github.com/urfave/negroni.middleware.ServeHTTP

syncronize-issues-to-jira[bot] commented 2 months ago

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-868.

This message was autogenerated

shipperizer commented 2 months ago

Issue has been introduced by https://github.com/ory/kratos/commit/e3bfa109908e492f62353a275281d95dc5226196

the change in the hydra-client-go/v2 library version from a side branch introduces a json decoder and calls the DisallowUnknownFields which breaks everything on our side

https://github.com/ory/hydra-client-go/compare/master...add-skip-logout#diff-7061737ce649e7570a146716b85390a92fd6ab7a3381ed461e10541f2eee0427R371-R373

shipperizer commented 2 months ago

issue reported upstream https://github.com/ory/kratos/issues/3904

canonical / identity-platform-login-ui

Hydra fork does not work with kratos 1.1.0 #238