ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0
11.35k stars, 963 forks

CSRF token is empty when initialize Login Flow for API clients #948

Closed tnm0113 closed 3 years ago

tnm0113 commented 3 years ago

Describe the bug

I have followed the Quick start guide but I can't get a CSRF token when initializing the Login Flow for API clients.

Reproducing the bug

Steps to reproduce the behavior:

git clone https://github.com/ory/kratos.git
cd kratos
git checkout v0.5.5-alpha.1

docker pull oryd/kratos:latest-sqlite
docker pull oryd/kratos-selfservice-ui-node:latest
docker-compose -f quickstart.yml -f quickstart-standalone.yml up --build --force-recreate

Use Postman to send a GET request to the URL http://127.0.0.1:4433/self-service/login/api; the CSRF token is empty in the value field.

Server logs

kratos_1 | time=2020-12-30T08:17:06Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/x@v0.0.165/reqlog/middleware.go:139 method=GET name=public#http://127.0.0.1:4433/ remote=10.55.123.69:44578 request=/self-service/login/api status=200 text_status=OK took=91.256µs

Server configuration

Default configuration

Expected behavior

Get CSRF Token value

Environment

tnm0113 commented 3 years ago

I found that Login with API flows doesn't need a CSRF Token for verifying like Browser flows. I want to build a service between our clients and Kratos, so our clients don't need to know stuff about Kratos, just send our service username, password and the service will request init API flows, complete flow, get token and send back to client. Does it have any risks?

zepatrik commented 3 years ago

So basically a reverse proxy? Can't you use the browser flow then?

tnm0113 commented 3 years ago

No, our clients are API clients

aeneasr commented 3 years ago

There is no CSRF for API clients because they are API clients and not browsers. If you use browsers, use the browser APIs. CSRF is a browser attack vector only. So this is expected behaviour.
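The distinction aeneasr draws (CSRF only matters for browsers, because it abuses credentials the browser attaches on its own) can be made concrete as a request check. The Go snippet below is an added example, not Kratos code: it applies a double-submit cookie check only to state-changing requests that carry cookies and lets cookie-less API requests through; the cookie and header names are assumptions chosen for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
)

type ClientKind string

// Cookie and header names are assumptions for this example, not Kratos' own.
const (
	csrfCookie               = "example_csrf"
	csrfHeader               = "X-CSRF-Token"
	APIClient     ClientKind = "api"
	BrowserClient ClientKind = "browser"
)

var (
	ErrMissingCSRF = errors.New("browser flow: csrf token missing")
	ErrBadCSRF     = errors.New("browser flow: csrf token mismatch")
)

// classify: CSRF abuses credentials the browser attaches on its own (cookies).
// A request carrying no cookies has no ambient credential to forge, so it is
// treated as an API client; anything that sends cookies takes the browser path.
func classify(r *http.Request) ClientKind {
	if len(r.Cookies()) == 0 {
		return APIClient
	}
	return BrowserClient
}

// checkCSRF applies a double-submit check to state-changing browser requests
// only; API clients and safe methods (like the GET that initializes a flow) pass.
func checkCSRF(r *http.Request) (ClientKind, error) {
	kind := classify(r)
	if kind == APIClient || r.Method == http.MethodGet || r.Method == http.MethodHead {
		return kind, nil
	}
	c, err := r.Cookie(csrfCookie)
	hdr := r.Header.Get(csrfHeader)
	if err != nil || c.Value == "" || hdr == "" {
		return kind, ErrMissingCSRF
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(hdr)) != 1 {
		return kind, ErrBadCSRF
	}
	return kind, nil
}
```

For the proxy design asked about above, the same reasoning applies: the proxy's clients talk to it with explicit credentials, not browser cookies, so the forgery CSRF protects against does not arise on that hop.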

aeneasr commented 2 years ago

Hi @gotascii, can you please open a discussion with details? Best would be a reproducible code base

gotascii commented 2 years ago

Hi @gotascii, can you please open a discussion with details? Best would be a reproducible code base

Hey @aeneasr, I've deleted my comment, the issue was between the keyboard and the chair 🤦 Thanks for getting back to me, much appreciated!