ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

The Refresh and Extend Sessions Don't Work #2495

Closed Answerlord closed 2 years ago

Answerlord commented 2 years ago

Preflight checklist

Describe the bug

I use the method "PATCH https://{your-project-slug-here}.projects.oryapis.com/admin/sessions/{id}/refresh Authorization: Bearer {your-personal-access-token}" according to https://www.ory.sh/docs/guides/session-management/refresh-extend-sessions. I set the Authorization header, but it responds with 403 security_csrf_violation.

Reproducing the bug

  1. Run kratos serve according to the quick-start.
  2. I create an HttpRequest in my GoLand project and set the Authorization header on the request.
  3. Send the request.

Here is my code:

    // PATCH the admin session refresh endpoint with a bearer token
    // (MyKratosHost, SessionId and SessionToken are the reporter's own values).
    url := fmt.Sprintf("MyKratosHost/admin/sessions/%v/refresh", SessionId)
    extendSessionRequest, _ := http.NewRequest(http.MethodPatch, url, nil)
    extendSessionRequest.Header.Set("Authorization", "Bearer "+SessionToken)
    client := &http.Client{}
    response, _ := client.Do(extendSessionRequest)

Relevant log output

    "error": {
        "id": "security_csrf_violation",
        "code": 403,
        "status": "Forbidden",
        "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
        "details": {
            "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
            "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
            "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
        },
        "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
    }

Relevant configuration

    {
        "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "Person",
        "type": "object",
        "properties": {
            "traits": {
                "type": "object",
                "properties": {
                    "email": {
                        "type": "string",
                        "format": "email",
                        "title": "E-Mail",
                        "minLength": 3,
                        "ory.sh/kratos": {
                            "credentials": {
                                "password": {
                                    "identifier": true
                                }
                            },
                            "verification": {
                                "via": "email"
                            },
                            "recovery": {
                                "via": "email"
                            }
                        }
                    },
                    "name": {
                        "type": "object",
                        "properties": {
                            "first": {
                                "title": "First Name",
                                "type": "string"
                            },
                            "last": {
                                "title": "Last Name",
                                "type": "string"
                            }
                        }
                    }
                },
                "required": [
                    "email"
                ],
                "additionalProperties": false
            }
        }
    }

Version

v0.9.0-alpha.2

On which operating system are you observing this issue?

No response

In which environment are you deploying?

No response

Additional Context

No response
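As an added example (not the reporter's code and not part of Kratos), here is a Go client for the PATCH /admin/sessions/{id}/refresh call described above that keeps the error envelope Kratos returns (error.id, error.code, error.details.hint) instead of discarding it with `_`, so a 403 security_csrf_violation can be told apart from a transport failure. The server is a local httptest stand-in, the session id and token are placeholders, and the 403 body is a constructed copy of the log output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// KratosError mirrors the envelope in the 403 above: error.id, error.code, error.details.hint.
type KratosError struct {
	ID      string `json:"id"`
	Code    int    `json:"code"`
	Details struct{ Hint string `json:"hint"` } `json:"details"`
}
func (e *KratosError) Error() string { return fmt.Sprintf("kratos %d %s: %s", e.Code, e.ID, e.Details.Hint) }

// ExtendSession issues PATCH {baseURL}/admin/sessions/{id}/refresh with a bearer token; any non-2xx reply becomes a *KratosError.
func ExtendSession(c *http.Client, baseURL, sessionID, token string) error {
	req, err := http.NewRequest(http.MethodPatch, baseURL+"/admin/sessions/"+sessionID+"/refresh", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 == 2 {
		return nil
	}
	var env struct{ Error KratosError `json:"error"` }
	if json.NewDecoder(resp.Body).Decode(&env) != nil || env.Error.ID == "" {
		return fmt.Errorf("unexpected HTTP %d without a Kratos error envelope", resp.StatusCode)
	}
	return &env.Error
}

// CSRFBody is a constructed copy of the 403 body from the report, trimmed to the fields decoded above.
const CSRFBody = `{"error":{"id":"security_csrf_violation","code":403,"details":{"hint":"The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token)."}}}`

// FakeKratos is a local stand-in that answers every request the way the reporter's instance did.
func FakeKratos() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusForbidden)
		fmt.Fprint(w, CSRFBody)
	}))
}
```

Calling ExtendSession against FakeKratos returns a *KratosError whose ID is security_csrf_violation and whose Details.Hint carries the text from the log, which is what a caller should log or act on rather than a bare status code.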

Answerlord commented 2 years ago

I use macOS and deploy Kratos with docker-compose.

aeneasr commented 2 years ago

This isn't released yet!

Answerlord commented 2 years ago

This isn't released yet!

OK, I see, thank you.