/sessions/whoami cannot authorise by session token, only by session cookies #4129

Open

tamtakoe opened this issue Sep 28, 2024 · 0 comments
Labels
bug Something is not working.

tamtakoe commented Sep 28, 2024

### Preflight checklist

### Ory Network Project

No response

### Describe the bug

http://localhost:4433/sessions/whoami returns 401 if I'm using a session token instead of a cookie:

```json
{
    "error": {
        "code": 401,
        "status": "Unauthorized",
        "reason": "No valid session credentials found in the request.",
        "message": "The request could not be authorized"
    }
}
```

### Reproducing the bug

1. Set up Kratos to use session tokens according to https://www.ory.sh/docs/identities/session-to-jwt-cors

   ```yaml
   session:
     whoami:
       required_aal: aal1
       tokenizer:
         templates:
           api_token:
             ttl: 1h
             jwks_url: 'base64://eyJzZXQiOiJleGFtcGxlLWtleS1zZXQiLCJrZXlzIjpbeyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2IiwiZCI6IlhkTy00T2tkRHhzT2hVX1h3WUZBekVnMVozRGZROExod2l2SmVGcS1wcG8iLCJraWQiOiIzMDQ1NjMxYi05NWE4LTQzM2MtYWI1NC05M2ZhNTJhNTVlYTgiLCJrdHkiOiJFQyIsInVzZSI6InNpZyIsIngiOiJBQVl4cmpQTnQ2TS1YQlkxSDU3TWNfNm1vaUVUa2dfQ2YyZWdIWFBPRUdvIiwieSI6Im1OWDlVQ0JhODJHTnJ2SUlIRkZOeHN3LUxQS2tzYndDTW9hSXlieVdNRVkifV19'
   ```

2. Get a session token by cookie:

   ```sh
   curl --location 'http://localhost:4433/sessions/whoami?tokenize_as=api_token' \
   --header 'Cookie: csrf_token_689af3ef6c442bd243df094e1d655035a08b6b22fc8ad5f5c24168a747cf69ba=m3evGLg2xyMyakE3PaHiT3mEdWsGtyCRrv2S4tebFyI=; ory_kratos_session=MTcyNzU0MzkzNHw5ckdiOUdRWHFzTWxQZlVtWVJDdERLMjJYMjFsc18tbmRjS2J3dmFBdHprWk9iRTIxbUl3VkZpd2JHUmU0b0FTMjgzcUFnMHZ1M0xYRnhQS0dPOWdzQ2NEdy1yaDBzT3Z6NjlpOEFhS1l6dHJPVnZFRGFKSnJueENQOTBFMUVLeHFTcGtHc3ZWSWRuaWxTNDgtT0ROVGRIRE15ZWFzc0htdmF4N2tWdkdCUzRSUnRxQnlXNjh2S3doNWRTODBEUVdRdV9JWUxsZTZQLVItNks2RWtlT3BFX1d1VnpPVFFiZXVoSXcwcHF5Y1BLdlU0MkJGTkM1Xzlzdi16TWxYR20tUlEzT2JoM1VCeU1UOWZYQ1lpeTB8nrc8HBLb1umgDFA34EDbj_tpYb0GCJTdAFZByT53akc='
   ```

3. Make a request with the session token from the `tokenized` field of the previous response:

   ```sh
   curl --location 'http://localhost:4433/sessions/whoami' \
   --header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjMwNDU2MzFiLTk1YTgtNDMzYy1hYjU0LTkzZmE1MmE1NWVhOCIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3Mjc1NTI4ODQsImlhdCI6MTcyNzU0OTI4NCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDMzIiwianRpIjoiNjc0MjE4ZWEtOTJhMS00OWUxLTllYTgtMDA3NzMxNjY5NzYzIiwibmJmIjoxNzI3NTQ5Mjg0LCJzaWQiOiIzNmI1NWU5Ny0xNDM4LTQ5MGYtOWE4NS1jYTk1MmU1ZmU4YTgiLCJzdWIiOiJhZDE3NjIxYS03NmEwLTRiZTQtOWIwOS1jODdkOGRhMzA2YTIifQ.kCN73R7BSf-GE7GpiZiUE0LHfiil9exoJFY1vImBWHWk-mWPBkriU4KcGVp6G6huBPwI4vaFS3FaJZTDLglbHg'
   ```

4. See the 401 response:

   ```json
   {
       "error": {
           "code": 401,
           "status": "Unauthorized",
           "reason": "No valid session credentials found in the request.",
           "message": "The request could not be authorized"
       }
   }
   ```

### Relevant log output

```text
time=2024-09-28T18:53:50Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:146 http_request=map[headers:map[accept:application/json accept-encoding:gzip, deflate, br authorization:[Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjMwNDU2MzFiLTk1YTgtNDMzYy1hYjU0LTkzZmE1MmE1NWVhOCIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3Mjc1NTMwNDUsImlhdCI6MTcyNzU0OTQ0NSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDMzIiwianRpIjoiYjk0NTIzZGYtYTQxYy00OTY2LWE3N2ItNzU5NTQ0MGZlZDQ5IiwibmJmIjoxNzI3NTQ5NDQ1LCJzaWQiOiIzNmI1NWU5Ny0xNDM4LTQ5MGYtOWE4NS1jYTk1MmU1ZmU4YTgiLCJzdWIiOiJhZDE3NjIxYS03NmEwLTRiZTQtOWIwOS1jODdkOGRhMzA2YTIifQ.Ja25NjG0MZJ-Q-RY62UfhUSmiCTfUhwZS_0WD19ZsmrnGMBEz2h7wQ2CjMRH8EUj6CRUs4cRt6MBu4DD-FZCow] connection:keep-alive postman-token:9c4927b5-ccb2-4d0e-98e0-334752b754a2 user-agent:PostmanRuntime/7.38.0] host:localhost:4433 method:GET path:/sessions/whoami query:<nil> remote:10.0.0.2:21140 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json vary:Origin] size:157 status:401 text_status:Unauthorized took:1.064377ms]
```


### Relevant configuration

```yml
version: v0.13.0

dsn: memory
dev: true

serve:
  public:
    base_url: http://localhost:4433
    cors:
      enabled: true
      allow_credentials: true
      allowed_origins:
        - http://localhost:4455
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Accept
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    base_url: http://kratos:4434/

selfservice:
  default_browser_return_url: http://localhost:4455/
  allowed_return_urls:
    - http://localhost:4455/

  methods:
    password:
      enabled: true
    link:
      enabled: true
    code:
      enabled: true
    lookup_secret:
      enabled: true
            
  flows:
    error:
      ui_url: http://localhost:4455/error

    settings:
      ui_url: http://localhost:4455/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: http://localhost:4455/recovery

    verification:
      enabled: true
      use: code
      ui_url: http://localhost:4455/verification
      after:
        default_browser_return_url: http://localhost:4455/

    logout:
      after:
        default_browser_return_url: http://localhost:4455/login

    login:
      ui_url: http://localhost:4455/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: http://localhost:4455/registration
      after:
        password:
          hooks:
          - hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 2
    salt_length: 16
    key_length: 16

identity:
  default_schema_id: user_v1
  schemas:
    - id: user_v1
      url: file:///etc/config/kratos/identity.schema.json

session:
  whoami:
    required_aal: aal1
    tokenizer:
      templates:
        api_token:
          ttl: 1h
          jwks_url: 'base64://eyJzZXQiOiJleGFtcGxlLWtleS1zZXQiLCJrZXlzIjpbeyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2IiwiZCI6IlhkTy00T2tkRHhzT2hVX1h3WUZBekVnMVozRGZROExod2l2SmVGcS1wcG8iLCJraWQiOiIzMDQ1NjMxYi05NWE4LTQzM2MtYWI1NC05M2ZhNTJhNTVlYTgiLCJrdHkiOiJFQyIsInVzZSI6InNpZyIsIngiOiJBQVl4cmpQTnQ2TS1YQlkxSDU3TWNfNm1vaUVUa2dfQ2YyZWdIWFBPRUdvIiwieSI6Im1OWDlVQ0JhODJHTnJ2SUlIRkZOeHN3LUxQS2tzYndDTW9hSXlieVdNRVkifV19'
  earliest_possible_extend: 1h

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
```

### Version

oryd/kratos:v1.2.0

### On which operating system are you observing this issue?

macOS

### In which environment are you deploying?

Docker Compose

### Additional Context

No response

@tamtakoe tamtakoe added the bug Something is not working. label Sep 28, 2024
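The report above sends the JWT from the `tokenized` field back to Kratos. Kratos's whoami endpoint authenticates the caller with the session cookie or, for API clients, the opaque session token in the `X-Session-Token` header; the JWT produced by `tokenize_as` is meant for downstream services to verify locally against the public keys of the configured key set, as the linked Ory docs describe. The following is an added example of that consumer side; it is not Kratos's or Ory's code. It parses the `base64://` jwks_url exactly as quoted in the issue (note that this value decodes to a key set that includes `d`, the private signing scalar, so it must never be handed to the services that verify tokens; they need only `x` and `y`), verifies an ES256 compact JWS with the algorithm pinned, the key selected by `kid`, and `iss`/`nbf`/`exp` checked against the caller's clock, and includes a signer so the demo is self-contained. The claim values in `main` are constructed for the demo; the function names and the decision to reject anything but ES256 are this example's own choices, not Ory's. It needs Go 1.20 or later for `strings.CutPrefix`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// kratosJWKSURL is the jwks_url from the config quoted in this issue. It decodes to a key set
// whose EC key carries "d", the private scalar Kratos signs with; token consumers need only x and y.
const kratosJWKSURL = "base64://eyJzZXQiOiJleGFtcGxlLWtleS1zZXQiLCJrZXlzIjpbeyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2IiwiZCI6IlhkTy00T2tkRHhzT2hVX1h3WUZBekVnMVozRGZROExod2l2SmVGcS1wcG8iLCJraWQiOiIzMDQ1NjMxYi05NWE4LTQzM2MtYWI1NC05M2ZhNTJhNTVlYTgiLCJrdHkiOiJFQyIsInVzZSI6InNpZyIsIngiOiJBQVl4cmpQTnQ2TS1YQlkxSDU3TWNfNm1vaUVUa2dfQ2YyZWdIWFBPRUdvIiwieSI6Im1OWDlVQ0JhODJHTnJ2SUlIRkZOeHN3LUxQS2tzYndDTW9hSXlieVdNRVkifV19"

var b64 = base64.RawURLEncoding

// JWK is the EC subset ES256 needs; D is present only on the signing side.
type JWK struct {
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
	D   string `json:"d,omitempty"`
}

// Claims are the registered claims of a tokenized Kratos session (iat and jti omitted).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Sid string `json:"sid"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

// ParseJWKS decodes the "base64://<base64 JSON>" jwks_url form used in the config above.
func ParseJWKS(jwksURL string) ([]JWK, error) {
	raw, ok := strings.CutPrefix(jwksURL, "base64://")
	if !ok {
		return nil, errors.New("only base64:// key sets are handled in this example")
	}
	doc, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(raw, "="))
	if err != nil {
		return nil, err
	}
	var set struct{ Keys []JWK `json:"keys"` }
	err = json.Unmarshal(doc, &set)
	return set.Keys, err
}

// PublicKey builds the verification key from x and y (ecdsa.Verify rejects off-curve points).
func (k JWK) PublicKey() (*ecdsa.PublicKey, error) {
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if k.Crv != "P-256" || errX != nil || errY != nil {
		return nil, errors.New("not a usable P-256 key")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
}

// SignES256 mints a compact JWS as a tokenizer does: ES256 over "header.payload", with the
// signature encoded as raw r||s (32 bytes each), not DER.
func SignES256(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 is the consumer side: pin the algorithm before trusting anything else in the
// header, pick the key by kid, check the signature, then issuer and validity window.
func VerifyES256(token string, keys []JWK, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("rejecting header alg %q: only ES256 is accepted", hdr.Alg)
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid {
			pub, err = k.PublicKey()
		}
	}
	sig, errSig := b64.DecodeString(parts[2])
	if pub == nil || err != nil || errSig != nil || len(sig) != 64 {
		return nil, fmt.Errorf("no usable key for kid %q, or malformed signature", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	body, err := b64.DecodeString(parts[1])
	c := &Claims{}
	if err != nil || json.Unmarshal(body, c) != nil {
		return nil, errors.New("malformed claims")
	}
	if t := now.Unix(); c.Iss != issuer || c.Exp == 0 || t >= c.Exp || t < c.Nbf {
		return nil, fmt.Errorf("claims rejected: iss=%q nbf=%d exp=%d now=%d", c.Iss, c.Nbf, c.Exp, t)
	}
	return c, nil
}

func main() {
	keys, err := ParseJWKS(kratosJWKSURL)
	if err != nil {
		panic(err)
	}
	// Signing with the config's own key is possible only because the key set embeds "d".
	pub, _ := keys[0].PublicKey()
	d, _ := b64.DecodeString(keys[0].D)
	priv := &ecdsa.PrivateKey{PublicKey: *pub, D: new(big.Int).SetBytes(d)}
	now := time.Now().Unix()
	// Constructed claim values for the demo; a real token carries the identity and session IDs.
	tok, _ := SignES256(priv, keys[0].Kid, Claims{Iss: "http://localhost:4433", Sub: "constructed-identity-id", Sid: "constructed-session-id", Nbf: now, Exp: now + 3600})
	fmt.Println(VerifyES256(tok, keys, "http://localhost:4433", time.Now()))
}
```

Run it with `go run .`; it prints the verified claims and a nil error. To check the Bearer value from step 3 instead, pass it to `VerifyES256` with a clock pinned before its `exp` of 1727552884 (its payload decodes to that value); at the current time of day it is rejected as expired, which is the behaviour a consumer wants. The header's `alg` is compared against a fixed expectation before any key is loaded, so an `alg: none` or HMAC token cannot steer the verifier, and the key is selected by `kid` from a set that should contain only the public coordinates.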