I cannot deploy kratos + secureapp in my test environment (no docker setup). redirect loop...

[emrahcom]

I'm trying to deploy kratos + secureapp in my test environment but I'm failing. I'm always getting redirects while connecting to the dashboard.

containers

I have 3 LXC containers:

1. kratos container (172.22.22.12)
2. secureapp container (172.22.22.13)
3. nginx container as a reverse proxy (172.22.22.14 and 172.17.17.26 as public IP)

Containers can access each others using 172.22.22.0/24, no restriction... kratos.mydomain.corp and secureapp.mydomain.corp point to 172.17.17.26 (to nginx reverse proxy) in my network. TCP/80 and TCP/443 are accepted by this container. I have a self-signed certificate which contains the following domains and IPs on Nginx:

• kratos.mydomain.corp
• secureapp.mydomain.corp
• 172.17.17.26
• 172.22.22.14

Nginx redirects the traffics

• to kratos (http://172.22.22.12:4433) if the destination is https://kratos.mydomain.corp
• to secureapp (http://172.22.22.13:4455) if the destination is https://secureapp.mydomain.corp

kratos

I run kratos using the following command:

su -l kratos
export KRATOS_VERSION=v0.7.1-alpha.1
wget -O /tmp/kratos-install.sh https://raw.githubusercontent.com/ory/kratos/$KRATOS_VERSION/install.sh
bash /tmp/kratos-install.sh -b /usr/local/bin $KRATOS_VERSION
kratos version
>>> Version:                        v0.7.1-alpha.1
>>> Build Commit:   4fe76af1302d45ddf4cf3c2c5949311c9cf1f8b8
>>> Build Timestamp:        2021-07-22T17:41:40Z

export DSN=memory
kratos serve -c /home/kratos/config/kratos.yml

This is my /home/kratos/config/kratos.yml file

version: v0.7.1-alpha.1
                                               
dsn: memory
                                               
serve:        
  public:     
    base_url: https://kratos.mydomain.corp/
    cors:
      enabled: true
  admin: 
    base_url: https://kratos.mydomain.corp:4434/                                                                                                                                               

selfservice:
  default_browser_return_url: https://secureapp.mydomain.corp/
  whitelisted_return_urls:
    - https://secureapp.mydomain.corp
                                               
  methods:         
    password:     
      enabled: true
                                               
  flows:                                                                                       
    error:
      ui_url: https://secureapp.mydomain.corp/error
                                               
    settings:                                                                                  
      ui_url: https://secureapp.mydomain.corp/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: https://secureapp.mydomain.corp/recovery

    verification:
      enabled: true
      ui_url: https://secureapp.mydomain.corp/verify
      after:
        default_browser_return_url: https://secureapp.mydomain.corp/

    logout:
      after:
        default_browser_return_url: https://secureapp.mydomain.corp/auth/login

    login:
      ui_url: https://secureapp.mydomain.corp/auth/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: https://secureapp.mydomain.corp/auth/registration
      after:
        password:
          hooks:
            -
              hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - c4577b81e3c6e22a5d87b6c904c90959d86eda60d24b1b1a63522c539133ec0bdd4b0ffe102a8a1d6efff0226e8286af8da60ab8ca9906556a812a25

hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 2
    salt_length: 16
    key_length: 16

identity:
  default_schema_url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true&legacy_ssl=true

secureapp

I run secureapp (kratos-selfservice-ui-node) using the following commands

su -l secureapp
export KRATOS_VERSION=v0.7.1-alpha.1
git clone https://github.com/ory/kratos-selfservice-ui-node.git
cd kratos-selfservice-ui-node
git checkout $KRATOS_VERSION

npm ci
npm run build

export KRATOS_ADMIN_URL=http://172.22.22.12:4434/
export KRATOS_PUBLIC_URL=http://172.22.22.12:4433/
export KRATOS_BROWSER_URL=https://kratos.mydomain.corp/
export BASE_URL=https://secureapp.mydomain.corp/
export PORT=4455
export SECURITY_MODE=cookie
npm run serve

failed result

When I try to connect to https://secureapp.mydomain.corp/dashboard using chromium in a private session, I get ERR_TOO_MANY_REDIRECTS. The last addess in the navigation bar is https://secureapp.mydomain.corp/auth/login?flow=9de594a1-70f8-4b19-8cd9-87f24c9b6f4d

this is the browser console screenshot

What will be wrong in this setup?
Thanks

[aeneasr]

As you are on multiple domains, this might help: https://www.ory.sh/kratos/docs/guides/multi-domain-cookies#cookies

[emrahcom]

Thanks @aeneasr, I can get login screen after adding the following lines in my kratos.yml

cookies:
  domain: mydomain.corp
  path: /
  same_site: Lax

session:
  cookie:
    domain: mydomain.corp
    path: /
    same_site: Strict

But there are some points which are not clear for me

• What are the differences between these two blocks? (cookies vs session.cookie)
• There is a line in guide such as

2. Unless --dev is set, Ory Kratos' cookies are only sent over HTTPS.

Does this mean I cannot use http as a scheme for SecureApp's KRATOS_ADMIN_URL and KRATOS_PUBLIC_URL in production? I didn't set dev mode for Kratos and it seems working with http (I mean I can get login page with a flow id)

• When I click the Register new account button in SecureApp's Login page, it goes to the login page again with a new flow id. The register button points to https://secureapp.mydomain.corp/auth/registration actually. What is wrong here?

thanks

[aeneasr]

From the docs:

# Settings for both anti-CSRF and session cookies
cookies:
  domain: www.cookies.com
  path: /cookies
  same_site: Lax

session:
  cookie:
    # Overrides cookies.domain for session cookies
    domain: my-domain.com

Soe the first setting sets the domain for all cookies (CSRF + session), the second (session.cookie) only for session cookies.

Does this mean I cannot use http as a scheme for SecureApp's KRATOS_ADMIN_URL and KRATOS_PUBLIC_URL in production? I didn't set dev mode for Kratos and it seems working with http (I mean I can get login page with a flow id)

We have no enforcement on HTTPS but all redirect URLs etc will be HTTPS. The admin endpoint is not really affected by this.

If this helped you, can you please select the answer? Thank you!

[emrahcom]

If this helped you, can you please select the answer? Thank you!

I don't know why but I cannot mark your answers. Thanks

[vinckr]

If this helped you, can you please select the answer? Thank you!

I don't know why but I cannot mark your answers. Thanks

Unfortunately you can only mark the parent answer, not individual answers in a response thread. But this is good enough to know that the question has been answered!

[emrahcom]

* When I click the `Register new account` button in SecureApp's Login page, it goes to the login page again with a new flow id. The register button points to `https://secureapp.mydomain.corp/auth/registration` actually. What is wrong here?

My bad... I had a typo in my schema path. That's OK too