CSRF with GitHub Login

[MalyshevValery]

Hi

I'm trying to implement login with GitHub.
So the pipeline is this:

1. A user enters the login screen and gets a CSRF token;
2. The user clicks on the GitHub button and is sent to GitHub to enter credentials;
3. The user is sent to the callback as given in the guide (http://127.0.0.1:4433/self-service/methods/oidc/callback/github). However, on this step the CSRF token is left as a cookie but there is no value to put into the request.

So the result is CSRF missing/invalid 403 error.
I suppose I miss a step somewhere so can you help?

PS I've read CSRF Pitfalls and can make Kratos work with all security set up but only for password flow.

[vinckr]

I assume you have gone over the OIDC guide.

Could you link your oidc.github.jsonnet and .kratos.yml ?

Also what version/os/container/docker-compose are you using?

Are you starting the login flow from a browser?

[MalyshevValery]

Could you link your oidc.github.jsonnet and .kratos.yml?

• kratos.yml https://pastebin.pl/view/2064474d
• jsonnet is the default one https://pastebin.pl/view/36c49b21
  Also, I've tried to check all domains (127.0.0.1 and localhost stuff) and put everything on localhost. Also using Nginx with localhost/account for UI & localhost/kratos for Kratos public. Again password flow works as intended

Also what version/os/container/docker-compose are you using?

I had used 0.5.0 Kratos but when encountered the problem updated to the latest 0.5.5
OS: Elementary OS 5.1.5 Hera
docker-compose: I use Kratos outside docker, basically compiled it according to instruction with go

Are you starting the login flow from a browser?

Yes.

1. /self-service/login/browser -> account/login
2. account/login -> github.com/login/oauth/authorize?client_id=...&response_type=code
3. github -> localhost/kratos/self-service/methods/oidc/callback/github
4. CSRF error

I've run debug mode and there are two errors when trying to access methods/oidc/callback/github. The first one is this
The request was malformed or contained invalid parameters reason: Unable to complete OpenID Connect flow because the OpenID Provider did not return the state query parameter. status:Bad Request status_code:400
And the second is the CSRF one:
The requested action was forbidden reason: A request failed due to a missing or invalid csrf_token value. status:Forbidden status_code:403

[vinckr]

You need to change localhost to http://127.0.0.1 .
This is because browsers (chrome,safari,?) interpret localhost as http://127.0.0.1 and since the URI doesnt match there is a CRSF error.

Let me know if that fixes it.

[MalyshevValery]

Hmmm I use Firefox but okay I will check it out

[MalyshevValery]

Okay, I tried changing localhost to 127.0.0.1 but it didn't help
Double-checked password flow with user registered through admin port + link to set password. And no CSRF error or any other so I suppose something is wrong in my GitHub config.

Here is complete flow during github login, if this can help
302 http://127.0.0.1/kratos/self-service/login/browser [set cookie csrf]
http://127.0.0.1/account/login?flow=463b29f9-a325-4a3e-8710-553b75bf3195
[click on gihub login button]
302 https://github.com/login/oauth/authorize?client_id=88c9085f3c5fa7c1942e&response_type=code
302 http://127.0.0.1/kratos/self-service/methods/oidc/callback/github?code=963d1d9f54f881706331
http://127.0.0.1/account/error?error=768ede5e-7176-486e-8dda-35ecef9f9a09 [csrf missing or invalid error]

Looks like Kratos expects the second CSRF value in form but there is no way to get it in callback.

[MalyshevValery]

Oh, I found the problem.
It appeared that I went from UI to github.com/login/oauth/.... directly instead of using action and fields provided in response from kratos/self-service/login/flows.

So I need to submit form with acquired CSRF token to self-service/methods/oidc/auth/ which sets ory_kratos_continuity cookie and then redirects to github

[vinckr]

Oh glad you found the cause!
Do you think we should add your findings to the github oidc guide, or do you think its more of an edge-case, or something that people wouldn't usually encounter?

[MalyshevValery]

Well. I checked all guides OIDC guide and User Login in Self-Service. So there is sufficient information about this issue on the User-Login doc page. Seems I was not attentive enough.

Maybe just add a reference to User-Login page with a note that request to self-service/login/flows is required