The ory_kratos_continuity cookie has no domain set
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
I run Kratos under a subdomain, and because of the missing domain, the ory_kratos_continuity cookie is set under the domain that serves the UI. After the redirect back from the OIDC provider, I get the error `no resumable session found`.
Reproducing the bug
- Set up Kratos under a subdomain and configure an OIDC provider
- After redirecting back from the OIDC provider, the cookie cannot be accessed by Kratos which runs under the subdomain
Relevant log output
No response
Relevant configuration
No response
Version
0.10.1
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
Already discussed here: https://github.com/ory/kratos/discussions/2560
To get some context, usually the cookie only needs to be available on the Ory Kratos domain, and nowhere else. Are you running into CORS issues maybe?
Hi, thanks for your answer.
Some context first: I have abstracted the Kratos API with my own API, and I use the JS SDK to connect to Kratos.
Kratos runs under auth.my.app and the frontend under my.app.
If I submit the OIDC login flow to my API, the API will return the Set-Cookie header with the cookie from Kratos so that the client can set the cookie. Because of the missing domain, the cookie will be set under the client's domain my.app. Now the user will be redirected to the OIDC provider, he/she authenticates there and gets redirected to the Kratos endpoint under auth.my.app. And under this domain, the cookie cannot be read.
Hm, that sounds like an edge case, normally you expose Kratos' API directly and not through a proxy. I'd like to avoid adding another config parameter. If you front Kratos' APIs you could also modify the cookie domain yourself!
Thus, I think this is a wont fix
Yes, you can see it this way. I'm able to change the cookie, that's correct. But you can also see it from a consistency perspective. Kratos creates three cookies. For two of them, I can configure the cookie domain. For one, not. I don't see the additional config option as an additional burden. I see it as additional freedom.
This is somewhat related: https://github.com/ory/kratos/issues/2654
@aeneasr I am facing a similar issue, but we intentionally use one Kratos instance for several sub-domains: the same users can share the same session in separate application instances (e.g. app1.domain.com and app2.domain.com).
And the session domain for ory_kratos_session is domain.com.
So it would be nice to have ory_kratos_continuity on the same domain as ory_kratos_session.
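The two situations above (a proxy in front of Kratos relaying its Set-Cookie header from my.app, and a shared parent domain such as domain.com across app1/app2) come down to the same cookie rule: a Set-Cookie without a Domain attribute is host-only and is returned only to the exact host that set it, so a continuity cookie stored for my.app is never sent with the redirect back to auth.my.app. The following is an added example, not code from Kratos or from anyone in this thread, showing the workaround the maintainer suggested: a fronting API rewrites the Domain attribute of the ory_kratos_continuity cookie before forwarding the header, and an RFC 6265 domain-match check shows which hosts will receive the cookie before and after. The sample header values, the host names my.app and auth.my.app, and the function names are constructed for illustration; the cookie names are the ones discussed above.

```javascript
// Added example (not Kratos or project code). Rewrites the Domain attribute of
// selected Set-Cookie headers in a proxy that fronts Kratos, and checks RFC 6265
// domain matching to see which host the browser will send the cookie to.

// Parse one Set-Cookie header value into { name, value, attrs }, keeping the
// attribute order so the rewritten header stays close to the original.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...rest] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attrs = rest.map((attr) => {
    const i = attr.indexOf("=");
    return i === -1 ? [attr, null] : [attr.slice(0, i), attr.slice(i + 1)];
  });
  return { name, value, attrs };
}

function serializeSetCookie({ name, value, attrs }) {
  const tail = attrs.map(([k, v]) => (v === null ? k : `${k}=${v}`));
  return [`${name}=${value}`, ...tail].join("; ");
}

// Rewrite the Domain attribute of the cookies listed in `names`, replacing an
// existing Domain attribute or appending one. Other cookies pass through as-is.
function rewriteCookieDomain(setCookieHeaders, names, domain) {
  return setCookieHeaders.map((header) => {
    const cookie = parseSetCookie(header);
    if (!names.includes(cookie.name)) return header;
    const kept = cookie.attrs.filter(([k]) => k.toLowerCase() !== "domain");
    return serializeSetCookie({ ...cookie, attrs: [...kept, ["Domain", domain]] });
  });
}

// RFC 6265 section 5.1.3 domain matching. Without a Domain attribute the cookie
// is host-only: it is sent only to the exact host that set it (settingHost).
function cookieSentTo(header, settingHost, requestHost) {
  const { attrs } = parseSetCookie(header);
  const domainAttr = attrs.find(([k]) => k.toLowerCase() === "domain");
  if (!domainAttr || !domainAttr[1]) return requestHost === settingHost;
  const domain = domainAttr[1].replace(/^\./, "").toLowerCase();
  const host = requestHost.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Constructed sample headers (attribute set is illustrative, not copied from
// a real Kratos response): the continuity cookie has no Domain, the session
// cookie already carries one.
const SAMPLE_HEADERS = [
  "ory_kratos_continuity=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "ory_kratos_session=def456; Path=/; Domain=my.app; HttpOnly; Secure; SameSite=Lax",
];

// The reporter's flow: the fronting API on my.app relays the header, so the
// browser stores a host-only cookie for my.app. The OIDC callback lands on
// auth.my.app, which therefore never sees it. Rewriting Domain fixes that.
function demo() {
  const before = cookieSentTo(SAMPLE_HEADERS[0], "my.app", "auth.my.app");
  const rewritten = rewriteCookieDomain(SAMPLE_HEADERS, ["ory_kratos_continuity"], "my.app");
  const after = cookieSentTo(rewritten[0], "my.app", "auth.my.app");
  return { before, after, rewritten };
}
```

The rewrite only has to touch the headers the proxy forwards; Kratos itself is unchanged. Two caveats apply to any Domain-scoped cookie: browsers reject a Domain that is not the responding host or one of its parent domains, and once scoped to my.app the continuity cookie is sent to every subdomain of my.app, so the same exposure trade-off already accepted for ory_kratos_session now applies to the continuity cookie too.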