
return_to not propagated to the login flow when the browser flow is initiated

Open pasdam opened this issue 3 years ago • 0 comments


Describe the bug

(screenshot attached: Screen Shot 2022-07-28 at 00 09 32)

When I initiate the browser login flow with the return_to query parameter, the latter is not propagated to the login flow.

Reproducing the bug

docker-compose.yml:

version: '2'
services:

  ingress:
    image: traefik:2.7.1
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api.entrypoints=https'
      - 'traefik.http.routers.api.rule=Host(`localhost`)'
      - 'traefik.http.routers.api.service=api@internal'
      - 'traefik.http.routers.api.tls.options=default'
      - 'traefik.http.routers.api.tls=true'
      - 'traefik.http.middlewares.auth-proxy.forwardauth.address=http://auth-proxy:4456/decisions'
      - 'traefik.http.middlewares.auth-proxy.forwardauth.authResponseHeaders=X-User-Id'

  auth-proxy:
    image: oryd/oathkeeper:v0.39.0
    command:
      serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml"
    restart: on-failure
    volumes:
      - ./access-rules.yml:/etc/config/oathkeeper/access-rules.yml:ro
      - ./oathkeeper.yml:/etc/config/oathkeeper/oathkeeper.yml:ro

  kratos:
    image: oryd/kratos:v0.10.1
    restart: unless-stopped
    environment:
      - LOG_LEVEL=trace
    command: serve -c /etc/config/kratos/kratos.yml --watch-courier
    volumes:
      - ./identity.schema.json:/etc/config/kratos/identity.schema.json:ro
      - ./kratos.yml:/etc/config/kratos/kratos.yml:ro
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.middlewares.kratos-admin-strip-prefix.stripprefix.prefixes=/kratos-admin'
      - 'traefik.http.middlewares.kratos-strip-prefix.stripprefix.prefixes=/kratos'
      - 'traefik.http.routers.kratos-admin.entrypoints=https'
      - 'traefik.http.routers.kratos-admin.middlewares=kratos-admin-strip-prefix@docker'
      - 'traefik.http.routers.kratos-admin.rule=Host(`localhost`) && PathPrefix(`/kratos-admin`)'
      - 'traefik.http.routers.kratos-admin.service=kratos-admin'
      - 'traefik.http.routers.kratos-admin.tls.options=default'
      - 'traefik.http.routers.kratos-admin.tls=true'
      - 'traefik.http.routers.kratos.entrypoints=https'
      - 'traefik.http.routers.kratos.middlewares=kratos-strip-prefix@docker'
      - 'traefik.http.routers.kratos.rule=Host(`localhost`) && PathPrefix(`/kratos`)'
      - 'traefik.http.routers.kratos.service=kratos'
      - 'traefik.http.routers.kratos.tls.options=default'
      - 'traefik.http.routers.kratos.tls=true'
      - 'traefik.http.services.kratos-admin.loadbalancer.server.port=4434'
      - 'traefik.http.services.kratos.loadbalancer.server.port=4433'

  website:
    image: oryd/kratos-selfservice-ui-node:v0.10.1
    environment:
      - KRATOS_PUBLIC_URL=http://kratos:4433
      - KRATOS_BROWSER_URL=https://localhost/kratos
      - PORT=4455
      - SECURITY_MODE=
    restart: on-failure
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.middlewares.website-strip-prefix.stripprefix.prefixes=/website'
      - 'traefik.http.routers.website.entrypoints=https'
      - 'traefik.http.routers.website.middlewares=auth-proxy@docker,website-strip-prefix@docker'
      - 'traefik.http.routers.website.rule=Host(`localhost`) && PathPrefix(`/website/`)'
      - 'traefik.http.routers.website.service=website'
      - 'traefik.http.routers.website.tls.options=default'
      - 'traefik.http.routers.website.tls=true'
      - 'traefik.http.services.website.loadbalancer.server.port=4455'

access-rules.yml:

- id: "ory:website:anonymous"
  match:
    url: "<{http,https}>://localhost/website/<{registration,welcome,recovery,verification,login*,error*,**.css,**.js,**.png,}>"
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: noop

- id: "ory:website:protected"
  match:
    url: "<{http,https}>://localhost/website/<{debug,dashboard,settings*}>"
    methods:
      - GET
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: header
  errors:
    - handler: redirect
      config:
        to: https://localhost/website/login
        return_to_query_param: return_to

identity.schema.json

{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string"
            },
            "last": {
              "title": "Last Name",
              "type": "string"
            }
          }
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}

kratos.yml:

version: v0.7.1-alpha.1

dsn: memory

serve:
  public:
    base_url: https://localhost/kratos/
    cors:
      enabled: true
  admin:
    base_url: https://localhost/kratos-admin/

selfservice:
  default_browser_return_url: https://localhost/website/
  allowed_return_urls:
    - https://localhost/

  methods:
    password:
      enabled: true

  flows:
    error:
      ui_url: https://localhost/website/error

    settings:
      ui_url: https://localhost/website/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: https://localhost/website/recovery

    verification:
      enabled: true
      ui_url: https://localhost/website/verification
      after:
        default_browser_return_url: https://localhost/website/

    logout:
      after:
        default_browser_return_url: https://localhost/website/login

    login:
      ui_url: https://localhost/website/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: https://localhost/website/registration
      after:
        password:
          hooks:
            - hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mail:1025/?skip_ssl_verify=true

oathkeeper.yml:

log:
  level: debug
  format: json

serve:
  api:
    port: 4456
  proxy:
    port: 4455
    cors:
      enabled: true
      allowed_origins:
        - "*"
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
      allow_credentials: true
      debug: true

errors:
  fallback:
    - json

  handlers:
    redirect:
      enabled: true
      config:
        to: https://localhost/website/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true

access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest

  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session

  noop:
    enabled: true

authorizers:
  allow:
    enabled: true

mutators:
  noop:
    enabled: true

  header:
    enabled: true
    config:
      headers:
        X-User-Id: "{{ print .Subject }}"

traefik.yml:

global:
  checkNewVersion: false
  sendAnonymousUsage: false
entryPoints:
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: :443
providers:
  docker:
    exposedByDefault: true
api:
  dashboard: true
  debug: true
log:
  level: debug

Relevant log output

time=2022-07-27T16:34:02Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:131 http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 cookie:[csrf_token_15b4f8e19f7ed756074daa725c9ae2410d7e97ba68d2890362369ee427397e74=SkUDkQj+hJz7TXvkNiR90NcSaQec6LzU4A4pFPh/byg=; ory_kratos_continuity=MTY1ODkzNzMxOHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fEkVRqh6_MxQ2C-V8fyxCta0m1scyQw5IsFd838EsiTC; SESSION=60a68c2f-8496-4ef9-b23a-78e3e7b3fe3d; redirect_to=%2F] dnt:1 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:none sec-fetch-user:?1 te:trailers upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0 x-forwarded-for:172.26.0.1 x-forwarded-host:localhost x-forwarded-port:443 x-forwarded-prefix:/kratos x-forwarded-proto:https x-forwarded-server:04d653cffd53 x-real-ip:172.26.0.1] host:localhost method:GET path:/self-service/login/browser query:aal=&refresh=&return_to=https%3A%2F%2Flocalhost%2Fwebsite%2Fsettings remote:172.26.0.4:46308 scheme:http]
time=2022-07-27T16:34:02Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:139 http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 cookie:[csrf_token_15b4f8e19f7ed756074daa725c9ae2410d7e97ba68d2890362369ee427397e74=SkUDkQj+hJz7TXvkNiR90NcSaQec6LzU4A4pFPh/byg=; ory_kratos_continuity=MTY1ODkzNzMxOHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fEkVRqh6_MxQ2C-V8fyxCta0m1scyQw5IsFd838EsiTC; SESSION=60a68c2f-8496-4ef9-b23a-78e3e7b3fe3d; redirect_to=%2F] dnt:1 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:none sec-fetch-user:?1 te:trailers upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0 x-forwarded-for:172.26.0.1 x-forwarded-host:localhost x-forwarded-port:443 x-forwarded-prefix:/kratos x-forwarded-proto:https x-forwarded-server:04d653cffd53 x-real-ip:172.26.0.1] host:localhost method:GET path:/self-service/login/browser query:aal=&refresh=&return_to=https%3A%2F%2Flocalhost%2Fwebsite%2Fsettings remote:172.26.0.4:46308 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:https://localhost/website/login?flow=44e577c0-9c88-4ddf-bf5d-c4041ab978ff vary:Origin] size:100 status:303 text_status:See Other took:4.160522ms]
time=2022-07-27T16:34:02Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:131 http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[csrf_token_15b4f8e19f7ed756074daa725c9ae2410d7e97ba68d2890362369ee427397e74=SkUDkQj+hJz7TXvkNiR90NcSaQec6LzU4A4pFPh/byg=; ory_kratos_continuity=MTY1ODkzNzMxOHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fEkVRqh6_MxQ2C-V8fyxCta0m1scyQw5IsFd838EsiTC; SESSION=60a68c2f-8496-4ef9-b23a-78e3e7b3fe3d; redirect_to=%2F] user-agent:axios/0.21.4] host:kratos:4433 method:GET path:/self-service/logout/browser query:<nil> remote:172.26.0.3:38170 scheme:http]
time=2022-07-27T16:34:02Z level=info msg=An error occurred while handling a request func=github.com/ory/x/logrusx.(*Logger).ReportError file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/logrus.go:226 audience=application error=map[debug: message:request does not have a valid authentication session reason:No active session was found in this request. stack_trace:
github.com/ory/kratos/session.(*ManagerHTTP).FetchFromRequest
        /project/session/manager_http.go:136
github.com/ory/kratos/selfservice/flow/logout.(*Handler).createSelfServiceLogoutUrlForBrowsers
        /project/selfservice/flow/logout/handler.go:119
github.com/ory/kratos/x.NoCacheHandle.func1
        /project/x/nocache.go:18
github.com/ory/kratos/x.NoCacheHandle.func1
        /project/x/nocache.go:18
github.com/julienschmidt/httprouter.(*Router).ServeHTTP
        /go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387
github.com/ory/nosurf.(*CSRFHandler).handleSuccess
        /go/pkg/mod/github.com/ory/[email protected]/handler.go:234
github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/handler.go:191
github.com/urfave/negroni.Wrap.func1
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.glob..func1
        /project/x/clean_url.go:12
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:198
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:101
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:68
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:76
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:165
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1
        /go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:108
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/prometheusx/middleware.go:30
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/x/metricsx.(*Service).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:275
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.HTTPLoaderContextMiddleware.func1
        /project/x/httploadermiddleware.go:20
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29 status:Unauthorized status_code:401] http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[csrf_token_15b4f8e19f7ed756074daa725c9ae2410d7e97ba68d2890362369ee427397e74=SkUDkQj+hJz7TXvkNiR90NcSaQec6LzU4A4pFPh/byg=; ory_kratos_continuity=MTY1ODkzNzMxOHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fEkVRqh6_MxQ2C-V8fyxCta0m1scyQw5IsFd838EsiTC; SESSION=60a68c2f-8496-4ef9-b23a-78e3e7b3fe3d; redirect_to=%2F] user-agent:axios/0.21.4] host:kratos:4433 method:GET path:/self-service/logout/browser query:<nil> remote:172.26.0.3:38170 scheme:http] http_response=map[status_code:401] service_name=Ory Kratos service_version=v0.10.1
time=2022-07-27T16:34:02Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:139 http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[csrf_token_15b4f8e19f7ed756074daa725c9ae2410d7e97ba68d2890362369ee427397e74=SkUDkQj+hJz7TXvkNiR90NcSaQec6LzU4A4pFPh/byg=; ory_kratos_continuity=MTY1ODkzNzMxOHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fEkVRqh6_MxQ2C-V8fyxCta0m1scyQw5IsFd838EsiTC; SESSION=60a68c2f-8496-4ef9-b23a-78e3e7b3fe3d; redirect_to=%2F] user-agent:axios/0.21.4] host:kratos:4433 method:GET path:/self-service/logout/browser query:<nil> remote:172.26.0.3:38170 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json vary:Origin] size:192 status:401 text_status:Unauthorized took:646.011µs]
time=2022-07-27T16:34:02Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:131 http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[csrf_token_15b4f8e19f7ed756074daa725c9ae2410d7e97ba68d2890362369ee427397e74=SkUDkQj+hJz7TXvkNiR90NcSaQec6LzU4A4pFPh/byg=; ory_kratos_continuity=MTY1ODkzNzMxOHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fEkVRqh6_MxQ2C-V8fyxCta0m1scyQw5IsFd838EsiTC; SESSION=60a68c2f-8496-4ef9-b23a-78e3e7b3fe3d; redirect_to=%2F] user-agent:axios/0.21.4] host:kratos:4433 method:GET path:/self-service/login/flows query:id=44e577c0-9c88-4ddf-bf5d-c4041ab978ff remote:172.26.0.3:38172 scheme:http]
time=2022-07-27T16:34:02Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:139 http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[csrf_token_15b4f8e19f7ed756074daa725c9ae2410d7e97ba68d2890362369ee427397e74=SkUDkQj+hJz7TXvkNiR90NcSaQec6LzU4A4pFPh/byg=; ory_kratos_continuity=MTY1ODkzNzMxOHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fEkVRqh6_MxQ2C-V8fyxCta0m1scyQw5IsFd838EsiTC; SESSION=60a68c2f-8496-4ef9-b23a-78e3e7b3fe3d; redirect_to=%2F] user-agent:axios/0.21.4] host:kratos:4433 method:GET path:/self-service/login/flows query:id=44e577c0-9c88-4ddf-bf5d-c4041ab978ff remote:172.26.0.3:38172 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Origin] size:1526 status:200 text_status:OK took:877.461µs]

Relevant configuration

No response

Version

0.10.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response

pasdam, Jul 27 '22 16:07
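A triage script for the report above, added here as an example; it is not code from the Ory project nor from the issue author. It does two things a practitioner wants before touching the configuration: it checks a return_to value against the allow-list the way the `selfservice.allowed_return_urls` setting is meant to work (same scheme, same host, path prefix), and it parses reqlog lines of the shape posted above to confirm whether the return_to that reached `/self-service/login/browser` reappears in the 303 Location that sends the browser to the login UI. The allow-list check is our own implementation of that intent, not a copy of Kratos's internal logic; the sample log lines are trimmed copies of the posted ones with the header dump removed. Python 3 standard library only.

```python
"""Triage helper for the return_to report above (added example, not Ory code).
Checks (1) whether a return_to value passes an allow-list written to the intent
of selfservice.allowed_return_urls: same scheme, same host, path prefix (our own
implementation, not a copy of Kratos's), and (2) whether the return_to seen on
/self-service/login/browser reappears in the 303 Location, parsing the ory/x
reqlog line shape from the posted output. Python 3 standard library only."""
import re
from urllib.parse import parse_qs, urlsplit

# Values taken from the kratos.yml posted in the issue.
ALLOWED_RETURN_URLS = ["https://localhost/"]
DEFAULT_BROWSER_RETURN_URL = "https://localhost/website/"


def is_allowed_return_to(candidate, allowed=ALLOWED_RETURN_URLS):
    """Absolute http(s) URL whose scheme and host equal an allow-list entry and
    whose path starts with that entry's path. The host test is a literal netloc
    match, so 'localhost@evil.example', 'localhost.evil.example' and
    scheme-relative '//evil.example' are all rejected."""
    c = urlsplit(candidate)
    if c.scheme not in ("http", "https") or not c.netloc:
        return False
    for entry in allowed:
        a = urlsplit(entry)
        if (c.scheme == a.scheme and c.netloc.lower() == a.netloc.lower()
                and c.path.startswith(a.path or "/")):
            return True
    return False


def effective_return_to(candidate):
    """A missing or disallowed return_to falls back to the configured default."""
    if candidate and is_allowed_return_to(candidate):
        return candidate
    return DEFAULT_BROWSER_RETURN_URL


# Field shapes exactly as they appear in the posted reqlog lines.
REQ_RE = re.compile(r"path:(?P<path>\S+) query:(?P<query>\S+)")
LOC_RE = re.compile(r"location:(?P<location>\S+)")
STATUS_RE = re.compile(r"\bstatus:(?P<status>\d{3})\b")


def parse_reqlog_line(line):
    """Request path/query plus response Location/status when the line has them."""
    m = REQ_RE.search(line)
    if not m:
        return None
    raw = m.group("query")
    query = {} if raw == "<nil>" else {
        k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    loc, st = LOC_RE.search(line), STATUS_RE.search(line)
    return {"path": m.group("path"), "query": query,
            "location": loc.group("location") if loc else None,
            "status": int(st.group("status")) if st else None}


def check_return_to_propagation(lines):
    """For each login-init request answered with a redirect: the return_to it
    carried, whether that passes the allow-list, the flow id in the Location,
    and whether return_to is visible in that Location. propagated=False only
    proves absence from the redirect URL; the flow object the UI fetches from
    /self-service/login/flows would have to be inspected separately."""
    results = []
    for line in lines:
        rec = parse_reqlog_line(line)
        if (not rec or rec["path"] != "/self-service/login/browser"
                or rec["location"] is None):
            continue
        return_to = rec["query"].get("return_to")
        loc_query = parse_qs(urlsplit(rec["location"]).query)
        results.append({
            "return_to": return_to,
            "allowed": is_allowed_return_to(return_to) if return_to else None,
            "flow": loc_query.get("flow", [None])[0],
            "propagated": return_to is not None
            and return_to in loc_query.get("return_to", [])})
    return results


# Constructed sample: the posted reqlog lines with the header dump removed.
SAMPLE_LOG = [
    "time=2022-07-27T16:34:02Z level=info msg=started handling request "
    "http_request=map[host:localhost method:GET path:/self-service/login/browser "
    "query:aal=&refresh=&return_to=https%3A%2F%2Flocalhost%2Fwebsite%2Fsettings "
    "remote:172.26.0.4:46308 scheme:http]",
    "time=2022-07-27T16:34:02Z level=info msg=completed handling request "
    "http_request=map[host:localhost method:GET path:/self-service/login/browser "
    "query:aal=&refresh=&return_to=https%3A%2F%2Flocalhost%2Fwebsite%2Fsettings "
    "remote:172.26.0.4:46308 scheme:http] http_response=map[headers:map["
    "cache-control:private, no-cache, no-store, must-revalidate "
    "content-type:text/html; charset=utf-8 "
    "location:https://localhost/website/login?flow=44e577c0-9c88-4ddf-bf5d-c4041ab978ff "
    "vary:Origin] size:100 status:303 text_status:See Other took:4.160522ms]",
    "time=2022-07-27T16:34:02Z level=info msg=completed handling request "
    "http_request=map[host:kratos:4433 method:GET path:/self-service/login/flows "
    "query:id=44e577c0-9c88-4ddf-bf5d-c4041ab978ff remote:172.26.0.3:38172 "
    "scheme:http] http_response=map[size:1526 status:200 text_status:OK]",
]

if __name__ == "__main__":
    for r in check_return_to_propagation(SAMPLE_LOG):
        print(r)
```

Run against the posted lines it reports one login-init redirect whose return_to (`https://localhost/website/settings`) passes the allow-list but is absent from the `Location` query, which carries only `flow=...`. Two caveats when reading that result: an allow-list entry of `https://localhost/` accepts every path on that origin, which in this Traefik setup includes the `/kratos` and `/kratos-admin` routes on the same host, so a tighter prefix such as `https://localhost/website/` is the safer entry; and a return_to that is missing from the redirect URL may still be stored server-side in the flow, so the JSON returned by `/self-service/login/flows?id=...` is the second place to look before concluding it was dropped.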