
Cookie setting SameSite not applied when accessing provider from iframe hosted app in MS Dynamics environment #4006

Open
Saibot27 opened this issue Jul 18, 2024 · 0 comments
Labels
bug Something is not working.

Comments


Saibot27 commented Jul 18, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

We are running an app as a communication widget within MS Dynamics using Dynamics 365 Channel Integration Framework 2.0 and are self-hosting Ory Kratos. The Ory Kratos service has been started in production mode by omitting the --dev flag; all traffic runs over HTTPS.

We configured Kratos to use same_site: None for cookies.

cookies:
  domain: xxx.net
  same_site: None

session:
  lifespan: 1m
  cookie:
    same_site: None

When redirecting to the chosen provider we get an error message.

"code": 400,
"debug": "key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity...
"reason": "The browser does not contain the necessary cookie to resume the session. This is a security violation and was blocked. Please clear your browser's cookies and cache and try again!",
"status": "Bad Request",
"message": "no resumable session found"

We can see from Chrome DevTools that the cookie ory_kratos_continuity was set, but with SameSite=Lax.

Why are cookie settings not applied?

Reproducing the bug

  1. add/edit cookie setting same_site in kratos.yml
  2. restart kratos service in production mode (omit --dev flag)
  3. tail -f /var/log/kratos/kratos.log
  4. link to Ory Kratos
  5. select provider

Relevant log output

time=2024-07-17T13:33:41+02:00 level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 cache-control:max-age=0 connection:close content-length:126 content-type:application/x-www-form-urlencoded cookie:[csrf_token_zzzz=] correlationid:tst-mmmm dnt:1 origin:https://my.domain.net referer:https://my.domain.net/auth/login?flow=<flowid> sec-ch-ua:"Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:iframe sec-fetch-mode:navigate sec-fetch-site:same-origin sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 x-forwarded-for:<ip>, <ip> x-forwarded-proto:https x-real-ip:<ip>] host:my.domain.net method:POST path:/self-service/login query:flow=<flowid> remote:127.0.0.1:47326 scheme:http]
time=2024-07-17T13:33:41+02:00 level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 cache-control:max-age=0 connection:close content-length:126 content-type:application/x-www-form-urlencoded cookie:[csrf_token_zzzz=] correlationid:tst-mmmm dnt:1 origin:https://my.domain.net referer:https://my.domain.net/auth/login?flow=<flowid> sec-ch-ua:"Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:iframe sec-fetch-mode:navigate sec-fetch-site:same-origin sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 x-forwarded-for:<ip>, <ip> x-forwarded-proto:https x-real-ip:<ip>] host:my.domain.net method:POST path:/self-service/login query:flow=<flowid> remote:127.0.0.1:47326 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate location:https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=<clientid>&redirect_uri=https%3A%2F%2Fmy.domain.net%2Fauth%2Fapi%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Fmicrosoft&response_type=code&scope=profile+email+openid&state=<stateid> set-cookie:[ory_kratos_continuity=ssss; Path=/; Expires=Fri, 16 Aug 2024 11:33:41 GMT; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax] vary:Origin] size:0 status:303 text_status:See Other took:70.6453ms]
time=2024-07-17T13:33:41+02:00 level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 cache-control:max-age=0 connection:close cookie:[csrf_token_zzzz=] correlationid:tst-dddd dnt:1 referer:https://my.domain.net/ sec-ch-ua:"Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:iframe sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 x-forwarded-for:<ip>, <ip> x-forwarded-proto:https x-real-ip:<ip>] host:my.domain.net method:GET path:/self-service/methods/oidc/callback/microsoft query:code=0.xxxx.yyyy remote:127.0.0.1:47340 scheme:http]
time=2024-07-17T13:33:41+02:00 level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[debug:key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity
github.com/ory/kratos/x.SessionGetString.func1
        /project/x/cookie.go:27
github.com/ory/kratos/x.SessionGetString
        /project/x/cookie.go:46
github.com/ory/kratos/continuity.(*ManagerCookie).sid
        /project/continuity/manager_cookie.go:97
github.com/ory/kratos/continuity.(*ManagerCookie).container
        /project/continuity/manager_cookie.go:109
github.com/ory/kratos/continuity.(*ManagerCookie).Continue
        /project/continuity/manager_cookie.go:64
github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback
        /project/selfservice/strategy/oidc/strategy.go:254
github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback
        /project/selfservice/strategy/oidc/strategy.go:298
github.com/ory/kratos/selfservice/strategy.disabledWriter
        /project/selfservice/strategy/handler.go:25
github.com/ory/kratos/selfservice/strategy.IsDisabled.func1
        /project/selfservice/strategy/handler.go:30
github.com/ory/kratos/x.NoCacheHandle.func1
        /project/x/nocache.go:18
github.com/ory/kratos/x.NoCacheHandle.func1
        /project/x/nocache.go:18
github.com/julienschmidt/httprouter.(*Router).ServeHTTP
        /go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387
github.com/ory/nosurf.(*CSRFHandler).handleSuccess
        /go/pkg/mod/github.com/ory/[email protected]/handler.go:234
github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
        /go/pkg/mod/github.com/ory/[email protected]/handler.go:191
github.com/urfave/negroni.Wrap.func1
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.glob..func1
        /project/x/clean_url.go:12
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:198
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:101
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:68
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:76
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
        /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:165
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2047
github.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1
        /go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:108 message:no resumable session found reason:The browser does not contain the necessary cookie to resume the session. This is a security violation and was blocked. Please clear your browser's cookies and cache and try again! status:Bad Request status_code:400] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 cache-control:max-age=0 connection:close cookie:[csrf_token_zzzz=] correlationid:tst-dddd dnt:1 referer:https://my.domain.net/ sec-ch-ua:"Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:iframe sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 x-forwarded-for:<ip>, <ip> x-forwarded-proto:https x-real-ip:<ip>] host:my.domain.net method:GET path:/self-service/methods/oidc/callback/microsoft query:code=0.xxxx.yyyy remote:127.0.0.1:47340 scheme:http] service_name=Ory Kratos service_version=v0.10.0
time=2024-07-17T13:33:41+02:00 level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 cache-control:max-age=0 connection:close cookie:[csrf_token_zzzz=] correlationid:tst-dddd dnt:1 referer:https://my.domain.net/ sec-ch-ua:"Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:iframe sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 x-forwarded-for:<ip>, <ip> x-forwarded-proto:https x-real-ip:<ip>] host:my.domain.net method:GET path:/self-service/methods/oidc/callback/microsoft query:code=0.xxxx.yyyy remote:127.0.0.1:47340 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:https://my.domain.net/auth/error?id=jjjj vary:Origin] size:113 status:303 text_status:See Other took:12.757112ms]
time=2024-07-17T13:33:41+02:00 level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close user-agent:axios/0.21.4] host:localhost:4433 method:GET path:/self-service/errors query:id=jjjj remote:127.0.0.1:47352 scheme:http]
time=2024-07-17T13:33:41+02:00 level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close user-agent:axios/0.21.4] host:localhost:4433 method:GET path:/self-service/errors query:id=jjjj remote:127.0.0.1:47352 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 set-cookie:[csrf_token_pppp; Path=/; Domain=sysnodes.net; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax] vary:Origin] size:4116 status:200 text_status:OK took:8.851186ms]

Relevant configuration

kratos.yml

version: v0.10.0

dsn: postgres://...

cookies:
  domain: xxx.net
  same_site: None

session:
  lifespan: 1m
  cookie:
    same_site: None

serve:
  public:
    base_url: https://yyy.xxx.net/auth/api/
    host: localhost
    port: 4433
    cors:
      enabled: true
      allowed_origins:
        - https://yyy.xxx.net
      allowed_methods:
        - GET
        - OPTIONS
        - PUT
        - PATCH
        - DELETE

selfservice:
  default_browser_return_url: https://yyy.xxx.net/auth/zzz
  methods:
    oidc:
      config:
        providers:
          - client_id: ...
            client_secret: ...
            id: microsoft
            label: Microsoft
            mapper_url: base64://...
            microsoft_tenant: organizations
            provider: microsoft
            scope:
              - profile
              - email

      enabled: true
    password:
      enabled: false

  flows:
    error:
      ui_url: https://yyy.xxx.net/auth/error

    settings:
      ui_url: https://yyy.xxx.net/auth/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: false
      ui_url: https://yyy.xxx.net/auth/recovery

Version

Ory Kratos service_version v0.10.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Other

Additional Context

Microsoft Dynamics 365 Channel Integration Framework 2.0

@Saibot27 Saibot27 added the bug Something is not working. label Jul 18, 2024
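An added check, not part of the issue or of Kratos itself, that pulls the Set-Cookie attributes and the Sec-Fetch-* metadata out of the two log lines quoted above and applies the SameSite rules: a Lax cookie is not attached to a cross-site navigation that loads an iframe, which is exactly what the callback request in the log is (sec-fetch-site: cross-site, sec-fetch-dest: iframe), so a continuity cookie emitted with SameSite=Lax rather than the configured None cannot be present when the callback arrives. The two log excerpts are constructed abbreviations of the report's lines.

```python
import re

# Constructed, abbreviated excerpts of the 303 redirect (sets the continuity
# cookie) and of the cross-site iframe navigation back to the oidc callback.
REDIRECT_LOG = ("... set-cookie:[ory_kratos_continuity=ssss; Path=/; Max-Age=2592000; "
                "HttpOnly; Secure; SameSite=Lax] vary:Origin] status:303")
CALLBACK_LOG = ("... cookie:[csrf_token_zzzz=] sec-fetch-dest:iframe sec-fetch-mode:navigate "
                "sec-fetch-site:cross-site ... method:GET path:/self-service/methods/oidc/callback/microsoft")

def parse_set_cookie(log_line):
    """Return (name, {attribute: value}) for the first set-cookie in a Kratos log line."""
    m = re.search(r"set-cookie:\[([^\]]*)\]", log_line)
    if not m:
        raise ValueError("no set-cookie header in log line")
    parts = [p.strip() for p in m.group(1).split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value or True  # flag attributes (Secure, HttpOnly) become True
    return name, attrs

def fetch_metadata(log_line):
    """Extract Sec-Fetch-Site, Sec-Fetch-Dest and the HTTP method from a request log line."""
    def grab(key, default):
        m = re.search(key + r":(\S+)", log_line)
        return m.group(1) if m else default
    return grab("sec-fetch-site", "same-origin"), grab("sec-fetch-dest", "document"), grab("method", "GET")

def browser_sends_cookie(same_site, site, dest, method):
    """Model of the SameSite rules: would the browser attach this cookie to the request?"""
    mode = (same_site or "Lax").lower()
    if site in ("same-origin", "same-site", "none") or mode == "none":
        return True
    if mode == "lax":
        # Lax rides only on cross-site top-level navigations with a safe method; an iframe load is not top-level.
        return dest == "document" and method in ("GET", "HEAD")
    return False  # Strict: never on cross-site requests

def diagnose(redirect_line, callback_line, configured_same_site):
    """Compare the SameSite actually emitted with the configured value and predict the callback."""
    name, attrs = parse_set_cookie(redirect_line)
    actual = attrs.get("samesite", "Lax")
    site, dest, method = fetch_metadata(callback_line)
    return {
        "cookie": name,
        "actual_same_site": actual,
        "matches_config": actual.lower() == configured_same_site.lower(),
        "sent_on_callback": browser_sends_cookie(actual, site, dest, method),
    }
```

Running diagnose(REDIRECT_LOG, CALLBACK_LOG, "None") reports the mismatch against the configured same_site and that the cookie is not sent on the callback, matching the callback line's cookie header that carries only the CSRF cookie.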