OK, Ory in a local on-machine Kubernetes cluster via Helm chart, and I've tried versions 1.1.0 and 1.2.0 of the container. Kratos is configured with (obtained with kubectl describe cm kratos-config, so this does seem to be what the container is doing)
I can initiate a login flow with curl -X GET -H "Accept: application/json" http://localhost:4433/self-service/login/browser | jq and via my SPA; all this is good. But I can't complete the login flow without including the CSRF token, and I can't include the CSRF token without including the correct cookie, and it seems that to do that I need to request with with-credentials: true... and at that point my browser gets angry:
Access to XMLHttpRequest at 'http://localhost:4433/self-service/login?flow=3794ffb3-1531-434d-af7d-97e622325b63' from origin 'http://localhost:8280' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Attempting to simulate a CORS preflight by asking for OPTIONS looks like this:
And indeed I see no headers. I'm newer to CSRF and CORS than I probably should be, but when I've done searches it looks like most are "configure Kratos to do CORS", and I feel like that should be done? (It complains if I misspell any of the keys, so I think it is trying to use that config...)
Apologies for sounding so confused, but I've wrestled with this for some time now and am very confused.
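The error quoted in the post is the browser's verdict on the OPTIONS preflight, so it helps to see exactly which rules it applies once withCredentials is in play. The script below is an added example, not code from this discussion or from Ory Kratos: it models the browser-side preflight checks in plain Node.js and runs them against constructed responses, including an empty one (the "no headers" case the poster sees) and a wildcard-origin one, which browsers reject for credentialed requests even though it looks permissive. The origin http://localhost:8280 and the Kratos port 4433 are taken from the post; every header value is a constructed sample. In Kratos itself the corresponding server-side settings live under serve.public.cors in its config (allowed_origins, allow_credentials and related keys); this checker only models what the browser does with whatever the server returns.

```javascript
// Added example, not from the discussion or from Ory Kratos. Models the checks a
// browser applies to a CORS preflight (OPTIONS) response before allowing a
// credentialed cross-origin request. All response headers are constructed samples.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Request headers a browser may send without them appearing in Allow-Headers.
// Content-Type is only safelisted for form/text values, so for a JSON API it
// must be listed explicitly; this checker therefore does not safelist it.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language']);

function splitList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// request: { origin, method, headers: [names], credentials: boolean }
// responseHeaders: plain object of header name -> value from the OPTIONS reply.
// Returns { ok, reason } so the caller can see which rule failed.
function checkPreflight(request, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) h[name.toLowerCase()] = value;

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    // The failure in the original report: the server sent no CORS headers at all.
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (request.credentials) {
    // A credentialed request needs the exact origin echoed back plus an explicit opt-in.
    if (allowOrigin === '*') {
      return { ok: false, reason: "Access-Control-Allow-Origin must not be '*' for a request with credentials." };
    }
    if (h['access-control-allow-credentials'] !== 'true') {
      return { ok: false, reason: "Access-Control-Allow-Credentials must be 'true' for a request with credentials." };
    }
  }
  if (allowOrigin !== '*' && allowOrigin !== request.origin) {
    return { ok: false, reason: `Origin ${request.origin} is not allowed (server allows ${allowOrigin}).` };
  }

  const allowedMethods = new Set(splitList(h['access-control-allow-methods']).map((m) => m.toUpperCase()));
  const methodWildcard = allowedMethods.has('*') && !request.credentials; // '*' is literal when credentialed
  if (!SIMPLE_METHODS.has(request.method) && !methodWildcard && !allowedMethods.has(request.method)) {
    return { ok: false, reason: `Method ${request.method} is not in Access-Control-Allow-Methods.` };
  }

  const allowedHeaders = new Set(splitList(h['access-control-allow-headers']).map((x) => x.toLowerCase()));
  const headerWildcard = allowedHeaders.has('*') && !request.credentials;
  for (const name of request.headers.map((x) => x.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name) || headerWildcard || allowedHeaders.has(name)) continue;
    return { ok: false, reason: `Request header ${name} is not in Access-Control-Allow-Headers.` };
  }
  return { ok: true, reason: 'preflight accepted' };
}

// Constructed request matching the scenario in the post: an SPA served from
// http://localhost:8280 posting JSON to Kratos on http://localhost:4433 with cookies.
const spaRequest = {
  origin: 'http://localhost:8280',
  method: 'POST',
  headers: ['Content-Type', 'Accept'],
  credentials: true,
};

// Case 1: the server emits no CORS headers (what the poster observed).
function caseNoCors() {
  return checkPreflight(spaRequest, {});
}

// Case 2: wildcard origin, rejected as soon as credentials are involved.
function caseWildcard() {
  return checkPreflight(spaRequest, {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'POST',
    'Access-Control-Allow-Headers': 'Content-Type',
  });
}

// Case 3: the response a correctly configured server returns for this origin.
function caseCorrect() {
  return checkPreflight(spaRequest, {
    'Access-Control-Allow-Origin': 'http://localhost:8280',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Accept',
    'Vary': 'Origin',
  });
}

console.log(caseNoCors());
console.log(caseWildcard());
console.log(caseCorrect());
```

Run it with node and compare the first result against the browser message in the post: the reason string is the same condition. The practical reading is that a credentialed flow needs the server to echo the SPA's exact origin, send Access-Control-Allow-Credentials: true, and list Content-Type in Allow-Headers because a JSON body does not qualify for the safelist; a missing header anywhere in that chain produces a preflight failure before the CSRF cookie or token is ever considered.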