ory / kratos

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!
https://www.ory.sh/kratos/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

The ory_kratos_continuity cookie has no domain set #2713

Open akkie opened 1 year ago

akkie commented 1 year ago

Preflight checklist

Describe the bug

I run Kratos under a subdomain and because of the missing domain, the ory_kratos_continuity cookie will be set under the domain which serves the UI. After the redirect back from the OIDC provider, I get the error: no resumable session found.

Reproducing the bug

Relevant log output

No response

Relevant configuration

No response

Version

0.10.1

On which operating system are you observing this issue?

No response

In which environment are you deploying?

No response

Additional Context

Already discussed here: https://github.com/ory/kratos/discussions/2560

aeneasr commented 1 year ago

To get some context, usually the cookie only needs to be available on the Ory Kratos domain, and nowhere else. Are you running into CORS issues maybe?

akkie commented 1 year ago

Hi, thanks for your answer.

Some pre context. I have abstracted the Kratos API with my own API and I use the JS SDK to connect to Kratos.

Kratos runs under auth.my.app and the frontend under my.app.

If I submit the OIDC login flow to my API, the API will return the set-cookie header with the cookie from Kratos so that the client can set the cookie. Because of the missing domain, the cookie will be set under the client's domain my.app. Now the user will be redirected to the OIDC provider, he/she authenticates there and gets redirected to the Kratos endpoint under auth.my.app. And under this domain, the cookie cannot be read.

aeneasr commented 1 year ago

Hm, that sounds like an edge case, normally you expose Kratos' API directly and not through a proxy. I'd like to avoid adding another config parameter. If you front Kratos' APIs you could also modify the cookie domain yourself!

Thus, I think this is a won't fix
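The workaround suggested above (rewriting the cookie domain in the proxy that fronts Kratos) can be done in the reverse proxy itself, as in this added example. It is not Ory's code and not part of this issue; the cookie name comes from the issue, while the upstream address `127.0.0.1:4433`, the listen port `8080` and the choice of `my.app` as the shared domain are assumptions for illustration. Only the continuity cookie is touched; every other cookie and every other attribute (Path, Secure, HttpOnly, SameSite, Expires) is passed through unchanged, and if any Set-Cookie value fails to parse the whole header is left as Kratos sent it.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Assumed values for this example; adjust to your deployment.
const (
	continuityCookie = "ory_kratos_continuity" // cookie name from the issue
	sharedDomain     = "my.app"                // parent domain shared by UI and Kratos (assumption)
)

// rewriteCookieDomain returns new Set-Cookie header values in which every
// cookie named `name` carries Domain=domain. All other cookies and all other
// attributes are preserved. If the header cannot be parsed completely, the
// original values are returned untouched so nothing is silently dropped.
func rewriteCookieDomain(setCookies []string, name, domain string) []string {
	// Let the standard library parse the header exactly as it would for a
	// real response instead of doing string surgery on attributes.
	resp := &http.Response{Header: http.Header{"Set-Cookie": setCookies}}
	parsed := resp.Cookies()
	if len(parsed) != len(setCookies) {
		return setCookies
	}
	out := make([]string, 0, len(parsed))
	for _, c := range parsed {
		if c.Name == name {
			c.Domain = domain
		}
		out = append(out, c.String())
	}
	return out
}

// newKratosProxy builds a reverse proxy in front of Kratos' public API that
// widens the continuity cookie's scope on the way back to the browser, so the
// cookie set while the UI origin handled the request is still sent when the
// OIDC provider redirects the browser to the Kratos host.
func newKratosProxy(upstream *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	proxy.ModifyResponse = func(resp *http.Response) error {
		if sc := resp.Header.Values("Set-Cookie"); len(sc) > 0 {
			resp.Header["Set-Cookie"] = rewriteCookieDomain(sc, continuityCookie, sharedDomain)
		}
		return nil
	}
	return proxy
}

func main() {
	// Assumed Kratos public API address; 4433 is only an example value here.
	upstream, err := url.Parse("http://127.0.0.1:4433")
	if err != nil {
		log.Fatal(err)
	}
	log.Println("proxying to", upstream, "and rewriting", continuityCookie, "to Domain="+sharedDomain)
	log.Fatal(http.ListenAndServe(":8080", newKratosProxy(upstream)))
}
```

Widening Domain to the parent means every host under `my.app` now receives the continuity cookie, which carries in-flight login state; keep the cookie's Secure, HttpOnly and SameSite attributes as Kratos emits them (the code above does not strip them) and only rewrite the cookies that actually need the wider scope.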

akkie commented 1 year ago

Yes, you can see it this way. I'm able to change the cookie, that's correct. But you can also see it from a consistency perspective. Kratos creates three cookies. For two of them, I can configure the cookie domain. For one, not. I don't see the additional config option as an additional burden. I see it as additional freedom.

kszafran commented 1 year ago

This is somewhat related: https://github.com/ory/kratos/issues/2654

edelmann7 commented 2 months ago

@aeneasr I face a similar issue, but we intentionally use 1 Kratos instance for several sub-domains: the same users can share the same session in separate application instances (e.g. app1.domain.com and app2.domain.com). And the session domain for ory_kratos_session is domain.com

So, it would be nice to have ory_kratos_continuity on the same domain as ory_kratos_session