ory / kratos


base_url not respected when path is in base_url #2573

Closed williamohara closed 2 years ago

williamohara commented 2 years ago

Describe the bug

Using Nginx running on k8s.

The ingress config sets the path /auth/ to go to kratos-public.

When I hit https://mySubDomain.myDomain.com/auth/self-service/login/browser?aal=&refresh=&return_to= I get a 404 page not found from the Kratos router (see log below).

When I take the path out of the config and set the ingress to go to kratos-public directly from "/", it works: it responds with a flow UI URL and a valid flow ID param.

Reproducing the bug

1. Set up nginx on Kubernetes using Helm.
2. Set up Kratos on Kubernetes using Helm, with the config setting serve.public.base_url to https://mySubDomain.myDomain.com/auth/.
3. Set up the ingress to route traffic with the /auth/ path to kratos-public.
4. Enter https://mySubDomain.myDomain.com/auth/self-service/login/browser?aal=&refresh=&return_to= into the browser.

Notice the 404 from Kratos; expected to see a redirect to the login ui_url.

Relevant log output

time=2022-07-05T23:34:09Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 cache-control:max-age=0 cookie:[_ga=GA1.1.1768238953.1656722038; _ga_RQ1V9PR71B=GS1.1.1656722037.1.1.1656722067.0; csrf_token_************************=; csrf_token_******=] sec-ch-ua:" Not;A Brand";v="99", "Microsoft Edge";v="103", "Chromium";v="103" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:none sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.66 Safari/537.36 Edg/103.0.1264.44 x-forwarded-for:10.240.0.226 x-forwarded-host:mySubDomain.myDomain.com x-forwarded-port:443 x-forwarded-proto:https x-forwarded-scheme:https x-real-ip:10.240.0.226 x-request-id:40a7331c61399a6c26983157c806b047 x-scheme:https] host:mySubDomain.myDomain.com method:GET path:/auth/self-service/login/browser query:aal=&refresh=&return_to= remote:10.240.0.137:52460 scheme:http] http_response=map[headers:map[content-type:text/plain; charset=utf-8 vary:Origin x-content-type-options:nosniff] size:19 status:404 text_status:Not Found took:358.511µs]

Relevant configuration

serve:
  public:
    base_url: https://mySubDomain.myDomain.com/auth/
    host: ""
    port: 4433

    cors:
      enabled: true
      allowed_origins:
        - https://myDomain.com
        - https://mySubDomain.myDomain.com
        - https://*.myDomain.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
      exposed_headers:
        - Content-Type
        - Set-Cookie
      allow_credentials: false
      options_passthrough: false
      max_age: 0
      debug: false

  admin:
    port: 4434
    base_url: https://mySubDomain.myDomain.com/authadmin
    host: ""

hashers:
  argon2:
    iterations: 1
    parallelism: 1
    salt_length: 16
    key_length: 16
    memory: 131KB
  bcrypt:
    cost: 4
  algorithm: bcrypt

ciphers:
  algorithm: noop

cookies:
  path: '/'
  same_site: Strict
  domain: 'https://mySubDomain.myDomain.com'

Version

10.0.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

When I take the path out of the config and set the ingress to go to kratos-public directly from "/", it works: it responds with a flow UI URL and a valid flow ID param.

zepatrik commented 2 years ago

Stripping a path prefix is not supported by Kratos. You should instead strip the prefix in your ingress (for nginx there seem to be multiple options).
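One way to do the prefix stripping in the ingress, as an added example that is not part of this thread or of the Kratos project: an ingress-nginx resource that matches /auth and forwards the remainder of the path to the backend, so /auth/self-service/login/browser arrives at Kratos as /self-service/login/browser. It assumes the ingress-nginx controller (the nginx.ingress.kubernetes.io annotations), a Service named kratos-public listening on port 80, and the hostname from the issue.

```yaml
# Added example (not from the issue or from ory/kratos).
# Assumptions: ingress-nginx controller, Service "kratos-public" on port 80,
# host mySubDomain.myDomain.com. Kratos keeps serve.public.base_url set to
# https://mySubDomain.myDomain.com/auth/ so the URLs it generates carry the prefix;
# the ingress removes the prefix before the request reaches the Kratos router.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kratos-public
  annotations:
    # Path regex below captures two groups: $1 is "/" or "" (end of path),
    # $2 is everything after the prefix. Only $2 is forwarded.
    #   /auth/self-service/login/browser -> /self-service/login/browser
    #   /auth                            -> /
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: nginx
  rules:
    - host: mySubDomain.myDomain.com
      http:
        paths:
          - path: /auth(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: kratos-public
                port:
                  number: 80
```

Query strings survive the rewrite, so the ?aal=&refresh=&return_to= parameters from the issue still reach Kratos. Two checks worth making after applying it: request https://mySubDomain.myDomain.com/auth/self-service/login/browser and confirm the response is a redirect to the configured ui_url rather than a 404, and make sure no similar rule routes the admin API (port 4434, the /authadmin base_url in the posted config) through the same public ingress, since the admin API has no authentication of its own and must not be reachable from the internet.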

williamohara commented 2 years ago

OK, it's funny: I set up Kratos some time ago on previous versions this exact same way. Did this change, or was it a bug that was allowing me to do so?

I configured my nginx to run Kratos off of root and my UI against /ui/.

Now I am getting a redirect loop.

I will say this one is closed, though, and open another one if I can't figure it out.