ory / kratos

The most scalable and customizable identity server on the market. Replace your homegrown solution, Auth0, Okta, or Firebase with better UX and DX. Has all the table stakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

/sessions/whoami cannot authorise by session token, only by session cookies #4129

Open tamtakoe opened 1 month ago

tamtakoe commented 1 month ago

Preflight checklist

Ory Network Project

No response

Describe the bug

http://localhost:4433/sessions/whoami returns 401 if I'm using a session token instead of a cookie

```json
{
    "error": {
        "code": 401,
        "status": "Unauthorized",
        "reason": "No valid session credentials found in the request.",
        "message": "The request could not be authorized"
    }
}
```

Reproducing the bug

1. Set up Kratos to use session tokens according to https://www.ory.sh/docs/identities/session-to-jwt-cors

   ```yml
   session:
     whoami:
       required_aal: aal1
       tokenizer:
         templates:
           api_token:
             ttl: 1h
             jwks_url: 'base64://eyJzZXQiOiJleGFtcGxlLWtleS1zZXQiLCJrZXlzIjpbeyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2IiwiZCI6IlhkTy00T2tkRHhzT2hVX1h3WUZBekVnMVozRGZROExod2l2SmVGcS1wcG8iLCJraWQiOiIzMDQ1NjMxYi05NWE4LTQzM2MtYWI1NC05M2ZhNTJhNTVlYTgiLCJrdHkiOiJFQyIsInVzZSI6InNpZyIsIngiOiJBQVl4cmpQTnQ2TS1YQlkxSDU3TWNfNm1vaUVUa2dfQ2YyZWdIWFBPRUdvIiwieSI6Im1OWDlVQ0JhODJHTnJ2SUlIRkZOeHN3LUxQS2tzYndDTW9hSXlieVdNRVkifV19'
   ```

2. Get a session token using the cookie

   ```sh
   curl --location 'http://localhost:4433/sessions/whoami?tokenize_as=api_token' \
     --header 'Cookie: csrf_token_689af3ef6c442bd243df094e1d655035a08b6b22fc8ad5f5c24168a747cf69ba=m3evGLg2xyMyakE3PaHiT3mEdWsGtyCRrv2S4tebFyI=; ory_kratos_session=MTcyNzU0MzkzNHw5ckdiOUdRWHFzTWxQZlVtWVJDdERLMjJYMjFsc18tbmRjS2J3dmFBdHprWk9iRTIxbUl3VkZpd2JHUmU0b0FTMjgzcUFnMHZ1M0xYRnhQS0dPOWdzQ2NEdy1yaDBzT3Z6NjlpOEFhS1l6dHJPVnZFRGFKSnJueENQOTBFMUVLeHFTcGtHc3ZWSWRuaWxTNDgtT0ROVGRIRE15ZWFzc0htdmF4N2tWdkdCUzRSUnRxQnlXNjh2S3doNWRTODBEUVdRdV9JWUxsZTZQLVItNks2RWtlT3BFX1d1VnpPVFFiZXVoSXcwcHF5Y1BLdlU0MkJGTkM1Xzlzdi16TWxYR20tUlEzT2JoM1VCeU1UOWZYQ1lpeTB8nrc8HBLb1umgDFA34EDbj_tpYb0GCJTdAFZByT53akc='
   ```

3. Make a request with the session token from the `tokenized` field of the previous response

   ```sh
   curl --location 'http://localhost:4433/sessions/whoami' \
     --header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjMwNDU2MzFiLTk1YTgtNDMzYy1hYjU0LTkzZmE1MmE1NWVhOCIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3Mjc1NTI4ODQsImlhdCI6MTcyNzU0OTI4NCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDMzIiwianRpIjoiNjc0MjE4ZWEtOTJhMS00OWUxLTllYTgtMDA3NzMxNjY5NzYzIiwibmJmIjoxNzI3NTQ5Mjg0LCJzaWQiOiIzNmI1NWU5Ny0xNDM4LTQ5MGYtOWE4NS1jYTk1MmU1ZmU4YTgiLCJzdWIiOiJhZDE3NjIxYS03NmEwLTRiZTQtOWIwOS1jODdkOGRhMzA2YTIifQ.kCN73R7BSf-GE7GpiZiUE0LHfiil9exoJFY1vImBWHWk-mWPBkriU4KcGVp6G6huBPwI4vaFS3FaJZTDLglbHg'
   ```

4. See the 401 response

   ```json
   {
       "error": {
           "code": 401,
           "status": "Unauthorized",
           "reason": "No valid session credentials found in the request.",
           "message": "The request could not be authorized"
       }
   }
   ```

Relevant log output

```text
time=2024-09-28T18:53:50Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/x@v0.0.623/reqlog/middleware.go:146 http_request=map[headers:map[accept:application/json accept-encoding:gzip, deflate, br authorization:[Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjMwNDU2MzFiLTk1YTgtNDMzYy1hYjU0LTkzZmE1MmE1NWVhOCIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3Mjc1NTMwNDUsImlhdCI6MTcyNzU0OTQ0NSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDMzIiwianRpIjoiYjk0NTIzZGYtYTQxYy00OTY2LWE3N2ItNzU5NTQ0MGZlZDQ5IiwibmJmIjoxNzI3NTQ5NDQ1LCJzaWQiOiIzNmI1NWU5Ny0xNDM4LTQ5MGYtOWE4NS1jYTk1MmU1ZmU4YTgiLCJzdWIiOiJhZDE3NjIxYS03NmEwLTRiZTQtOWIwOS1jODdkOGRhMzA2YTIifQ.Ja25NjG0MZJ-Q-RY62UfhUSmiCTfUhwZS_0WD19ZsmrnGMBEz2h7wQ2CjMRH8EUj6CRUs4cRt6MBu4DD-FZCow] connection:keep-alive postman-token:9c4927b5-ccb2-4d0e-98e0-334752b754a2 user-agent:PostmanRuntime/7.38.0] host:localhost:4433 method:GET path:/sessions/whoami query:<nil> remote:10.0.0.2:21140 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json vary:Origin] size:157 status:401 text_status:Unauthorized took:1.064377ms]
```

Relevant configuration

```yml
version: v0.13.0

dsn: memory
dev: true

serve:
  public:
    base_url: http://localhost:4433
    cors:
      enabled: true
      allow_credentials: true
      allowed_origins:
        - http://localhost:4455
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Accept
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    base_url: http://kratos:4434/

selfservice:
  default_browser_return_url: http://localhost:4455/
  allowed_return_urls:
    - http://localhost:4455/

  methods:
    password:
      enabled: true
    link:
      enabled: true
    code:
      enabled: true
    lookup_secret:
      enabled: true

  flows:
    error:
      ui_url: http://localhost:4455/error

    settings:
      ui_url: http://localhost:4455/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: http://localhost:4455/recovery

    verification:
      enabled: true
      use: code
      ui_url: http://localhost:4455/verification
      after:
        default_browser_return_url: http://localhost:4455/

    logout:
      after:
        default_browser_return_url: http://localhost:4455/login

    login:
      ui_url: http://localhost:4455/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: http://localhost:4455/registration
      after:
        password:
          hooks:
          - hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 2
    salt_length: 16
    key_length: 16

identity:
  default_schema_id: user_v1
  schemas:
    - id: user_v1
      url: file:///etc/config/kratos/identity.schema.json

session:
  whoami:
    required_aal: aal1
    tokenizer:
      templates:
        api_token:
          ttl: 1h
          jwks_url: 'base64://eyJzZXQiOiJleGFtcGxlLWtleS1zZXQiLCJrZXlzIjpbeyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2IiwiZCI6IlhkTy00T2tkRHhzT2hVX1h3WUZBekVnMVozRGZROExod2l2SmVGcS1wcG8iLCJraWQiOiIzMDQ1NjMxYi05NWE4LTQzM2MtYWI1NC05M2ZhNTJhNTVlYTgiLCJrdHkiOiJFQyIsInVzZSI6InNpZyIsIngiOiJBQVl4cmpQTnQ2TS1YQlkxSDU3TWNfNm1vaUVUa2dfQ2YyZWdIWFBPRUdvIiwieSI6Im1OWDlVQ0JhODJHTnJ2SUlIRkZOeHN3LUxQS2tzYndDTW9hSXlieVdNRVkifV19'
  earliest_possible_extend: 1h

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
```

Version

oryd/kratos:v1.2.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

No response
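The `tokenized` value obtained in step 2 of the report is a JWT signed with the ES256 key from `jwks_url`, and that key set also embeds the private `d` component. As an added example (not Kratos code and not the reporter's), here is how a service that receives such a token would verify it: only the public key coordinates are needed, the algorithm and key id are pinned rather than taken from the token, and the current time (`now`, unix seconds) is passed in so that a token like the expired one in the report can be exercised. It assumes a single configured key and that the expected `iss` is the public `base_url` of the report's setup.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
// JWK: the fields of one key from the jwks_url set that a verifier needs. Only the public x/y
// are read; the private "d" the report's key set also carries must stay with Kratos.
type JWK struct{ Kid, Kty, Crv, X, Y string }
// Claims mirrors the tokenized session payload in the report (sid = session id, sub = identity id);
// encoding/json matches the lowercase JSON keys to these fields case-insensitively.
type Claims struct {
	Exp, Iat, Nbf      int64
	Iss, Jti, Sid, Sub string
}
var b64 = base64.RawURLEncoding

// VerifySessionJWT validates a tokenized session the way a receiving API should: pin the
// algorithm and key (never let the token's header choose them), verify the raw r||s ES256
// signature over header.payload, then check iss and the nbf/exp window against now (unix seconds).
func VerifySessionJWT(token string, key JWK, iss string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "ES256" || hdr.Kid != key.Kid || key.Kty != "EC" || key.Crv != "P-256" {
		return nil, errors.New("header rejected: expected ES256 with the configured P-256 kid")
	}
	x, errX := b64.DecodeString(key.X)
	y, errY := b64.DecodeString(key.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("bad key coordinate or signature encoding")
	}
	// ecdsa.Verify returns false (no panic) if x/y are not a valid point on P-256.
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil || c.Iss != iss || now < c.Nbf || now >= c.Exp {
		return nil, errors.New("claims undecodable, wrong issuer, or outside the nbf/exp window")
	}
	return &c, nil
}
```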

nguyenhy commented 2 weeks ago

Same question here. Any update on this issue? @tamtakoe Did you solve the issue?

Update: