/self-service/login/browser hangs when aal is not set
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
My login application built on top of Kratos redirects users to /self-service/login/browser without passing any parameters in case of invalid/no session.
After updating Kratos, the endpoint is not working anymore as intended. No errors, it just hangs up until timeout. Logs only show the 'started handling request' message and nothing more.
The only way to make it work is to always pass ?aal=aal1 to the self-service login endpoint.
EDIT: it also works when passing any non-empty query string, even if it's invalid.
Reproducing the bug
Steps to reproduce this behavior:
- Enable 2FA
- Open /self-service/login/browser
Relevant log output
No response
Relevant configuration
No response
Version
v0.10.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Binary
Additional Context
No response
I tried reproducing this but could not - can you please provide more context (screen casts, logs, database versions, environment) or even better a reproducible case (e.g. using an ory cloud free account) or a failing test case? Thank you! :)
I think the issue is caused by the "null" query string. I was playing around and noticed that I get redirected successfully to the login page even if I just write random letters after the ?.
Request without query string

{
"http_request":{
"headers":{
"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"accept-encoding":"gzip, deflate, br",
"accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3",
"connection":"close",
"dnt":"1",
"sec-fetch-dest":"document",
"sec-fetch-mode":"navigate",
"sec-fetch-site":"none",
"sec-fetch-user":"?1",
"upgrade-insecure-requests":"1",
"user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
},
"host":"kratos-public",
"method":"GET",
"path":"/self-service/login/browser",
"query":null,
"remote":"@",
"scheme":"http"
},
"level":"info",
"msg":"started handling request",
"time":"2022-07-19T17:40:43+02:00"
}
Request with ?aal=aal1

{
"http_request":{
"headers":{
"accept":"application/json, text/plain, */*",
"connection":"close",
"cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".",
"user-agent":"axios/0.21.4"
},
"host":"localhost",
"method":"GET",
"path":"/self-service/login/flows",
"query":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".",
"remote":"@",
"scheme":"http"
},
"level":"info",
"msg":"started handling request",
"time":"2022-07-19T17:47:09+02:00"
}
---------------------------------------------------------------------------------
{
"http_request":{
"headers":{
"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"accept-encoding":"gzip, deflate, br",
"accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3",
"connection":"close",
"dnt":"1",
"sec-fetch-dest":"document",
"sec-fetch-mode":"navigate",
"sec-fetch-site":"none",
"sec-fetch-user":"?1",
"upgrade-insecure-requests":"1",
"user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
},
"host":"kratos-public",
"method":"GET",
"path":"/self-service/login/browser",
"query":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".",
"remote":"@",
"scheme":"http"
},
"http_response":{
"headers":{
"cache-control":"private, no-cache, no-store, must-revalidate",
"content-type":"text/html; charset=utf-8",
"location":"https://accounts.[REDACTED]/login?flow=10864c21-56f0-4956-ba57-1cebe18b5cea",
"set-cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".",
"vary":"Origin"
},
"size":102,
"status":303,
"text_status":"See Other",
"took":13566736
},
"level":"info",
"msg":"completed handling request",
"time":"2022-07-19T17:47:09+02:00"
}
Random query string

In all cases I entered the URL manually in a Private Browsing window to simulate a user trying to log in for the first time. My login page is served at /login and the default redirect_to for the self-service login endpoint is the home page of the user dashboard (accounts.[....].[...]).
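An added example (not code from this issue or from Kratos) that pairs the "started handling request" and "completed handling request" entries in log text shaped like the output pasted above, so a request that starts but never completes, which is the symptom reported here, can be picked out from a log dump and checked against whether it carried a query string. The log entries are constructed to mirror the ones above; "redacted" stands in for the redacted query value, and the entries are assumed to have no request id, so matching is by method, path and query presence in arrival order.

```python
import json
from collections import defaultdict, deque

# Constructed log text shaped like the Kratos entries quoted above: a null-query
# request that only "started", and a request with a query string ("redacted"
# stands in for the redacted value) that completed with a 303.
SAMPLE_LOG = '''
{"http_request":{"method":"GET","path":"/self-service/login/browser","query":null,"remote":"@"},"level":"info","msg":"started handling request","time":"2022-07-19T17:40:43+02:00"}
---------------------------------------------------------------------------------
{"http_request":{"method":"GET","path":"/self-service/login/browser","query":"redacted","remote":"@"},"level":"info","msg":"started handling request","time":"2022-07-19T17:47:09+02:00"}
{"http_request":{"method":"GET","path":"/self-service/login/browser","query":"redacted","remote":"@"},
 "http_response":{"status":303,"took":13566736},
 "level":"info","msg":"completed handling request","time":"2022-07-19T17:47:09+02:00"}
'''

def parse_entries(log_text):
    """Yield JSON objects from one-per-line or pretty-printed log text;
    separator and caption lines between entries are skipped."""
    decoder = json.JSONDecoder()
    pos = 0
    while (start := log_text.find("{", pos)) >= 0:
        try:
            obj, pos = decoder.raw_decode(log_text, start)
        except ValueError:
            pos = start + 1  # not an object at this brace, keep scanning
            continue
        if isinstance(obj, dict) and "http_request" in obj:
            yield obj

def request_key(entry):
    """Join key: these entries carry no request id, so use method, path and
    whether a query string was present at all (null vs any value)."""
    req = entry["http_request"]
    return (req.get("method"), req.get("path"), req.get("query") is not None)

def find_unfinished_requests(log_text):
    """Return 'started' entries with no later 'completed' entry of the same key."""
    pending = defaultdict(deque)
    for entry in parse_entries(log_text):
        key = request_key(entry)
        if entry.get("msg") == "started handling request":
            pending[key].append(entry)
        elif entry.get("msg") == "completed handling request" and pending[key]:
            pending[key].popleft()  # FIFO: oldest open request with this key
    return [e for queue in pending.values() for e in queue]
```

Run against a real log dump, the returned entries show which paths never completed and whether every one of them has `"query": null`, which is the kind of evidence the maintainer asked for.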
Thank you again for the detailed screenshots! I can't reproduce this on our system though. Not sure what the problem was, but I don't think it's kratos.