ory / kratos

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!
https://www.ory.sh/kratos/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

`ignore_network_errors: true` doesn't work as expected #3140

Closed sqaisar closed 4 months ago

sqaisar commented 1 year ago

### Describe the bug

The issue is with the kratos registration API with the password flow. When kratos is running behind the nginx ingress, upon registration of a user it returns 502 Bad Gateway, but in the kratos logs I can see the user was registered successfully. I can also use that user to log in.

`ignore_network_errors: true` does not work as expected. When we deploy kratos, by default `haveibeenpwned_enabled: true` is enabled and `ignore_network_errors` is set to `true`. So if kratos isn't able to reach the haveibeenpwned API or an SSL error is thrown, kratos will ignore the error and the user will be able to register successfully, but it doesn't send the user any response. If kratos is running behind a proxy, that proxy will return 502 Bad Gateway; if you've made the request directly to the kratos POD/SVC, it just breaks the connection and the user sees an EMPTY reply from the server, even though the user was registered successfully.

### Reproducing the bug

Deploy kratos using the default config, where `ignore_network_errors: true` and `haveibeenpwned_enabled: true`.

Then, depending on your deployment, stop the external requests from the deployment to the haveibeenpwned host; if running locally, maybe an entry in the `/etc/hosts` file. Then try to register a new user.

This bug is in all versions; I haven't checked beta though.

### Relevant log output

Ingress logs:

```
2023/02/24 14:00:28 [error] 859#859: *2797532 upstream prematurely closed connection while reading response header from upstream, client: 10.0.1.28, server: <domain redacted>, request: "POST /self-service/registration?flow=fedfad2f-82f6-4d4e-834f-b811b67b6f68 HTTP/1.1", upstream: "http://<ip redacted>/self-service/registration?flow=fedfad2f-82f6-4d4e-834f-b811b67b6f68", host: "<domain redacted>", referrer: "https://<domain redacted>/"
```


### Relevant configuration

_No response_

### Version

all versions

### On which operating system are you observing this issue?

Other

### In which environment are you deploying?

Kubernetes with Helm

### Additional Context

_No response_
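
As an added example (not part of this issue or of the Kratos project), the nginx ingress error line quoted above can be parsed to pick out registration POSTs that the upstream closed before sending a response header, since each of those may be an account that was created even though the client saw a 502. The sample log lines are constructed; host names and upstream addresses are assumptions, and only the first flow id is the one from the report.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the nginx ingress error entry in the report
# (hosts and upstream addresses are made up; the first flow id is the reported one).
SAMPLE_LOG = """\
2023/02/24 14:00:28 [error] 859#859: *2797532 upstream prematurely closed connection while reading response header from upstream, client: 10.0.1.28, server: auth.example.test, request: "POST /self-service/registration?flow=fedfad2f-82f6-4d4e-834f-b811b67b6f68 HTTP/1.1", upstream: "http://10.0.2.5:4433/self-service/registration?flow=fedfad2f-82f6-4d4e-834f-b811b67b6f68", host: "auth.example.test", referrer: "https://auth.example.test/"
2023/02/24 14:00:31 [error] 859#859: *2797540 upstream prematurely closed connection while reading response header from upstream, client: 10.0.1.29, server: auth.example.test, request: "POST /self-service/login?flow=0b3e6b6a-0000-4000-8000-000000000001 HTTP/1.1", upstream: "http://10.0.2.5:4433/self-service/login?flow=0b3e6b6a-0000-4000-8000-000000000001", host: "auth.example.test"
2023/02/24 14:00:35 [error] 859#859: *2797551 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.1.30, server: auth.example.test, request: "GET /sessions/whoami HTTP/1.1", upstream: "http://10.0.2.5:4433/sessions/whoami", host: "auth.example.test"
"""

# Shape of an nginx error-log entry: timestamp, level, pid#tid, connection id, message, then
# the comma-separated context fields nginx appends (client, server, request, ...).
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] [^:]+: \*\d+ (?P<msg>.*?), client: (?P<client>\S+), '
    r'server: (?P<server>[^,]+), request: "(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+"'
)
TRUNCATED = "upstream prematurely closed connection"
REGISTRATION = "/self-service/registration"


@dataclass
class UpstreamError:
    timestamp: str
    message: str
    client: str
    method: str
    path: str
    flow: Optional[str]  # Kratos self-service flow id from the query string, if any


def parse_line(line: str) -> Optional[UpstreamError]:
    """Parse one nginx error-log entry; return None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flow = parse_qs(urlsplit(m["path"]).query).get("flow", [None])[0]
    return UpstreamError(m["ts"], m["msg"], m["client"], m["method"], m["path"], flow)


def find_truncated_registrations(log_text: str) -> list[UpstreamError]:
    """Registration POSTs that the upstream closed before any response header was sent.

    Per the report, Kratos may already have created the identity in this case, so each
    hit is a candidate for reconciliation against Kratos's own logs (flow id as the key).
    """
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.method == "POST" and e.message.startswith(TRUNCATED) \
                and e.path.startswith(REGISTRATION):
            hits.append(e)
    return hits
```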

bcordobaq commented 5 months ago

Any updates on this? Is it still happening?

efesler commented 4 months ago

The issue seems to be fixed in v1.1.0