Hydra + Kratos login flow

[friedemannsommer]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

I'm trying to use the Hydra integration via the login_challenge argument for Kratos,
but the resulting responses are not what I would expect based on the API documentation.

• I would expect Kratos to request the OAuth2 login request from Hydra (which it does) and then add this
  to the oauth2_login_request field of the login flow, but this field is only present if the flow is (re-)requested via getLoginFlow.
• After a successful login, Kratos should redirect to the redirect_to URL which will be returned from Hydra via the acceptOAuth2LoginRequest request.

Reproducing the bug

oauth2_login_request field missing in createBrowserLoginFlow response

1. flow = createBrowserLoginFlow({ loginChallenge: 'login_challenge' })
2. flow will contain the oauth2_login_challenge field but oauth2_login_request isn't set
3. flow = getLoginFlow({ id: flow.id })
4. now the flow contains the oauth2_login_challenge and oauth2_login_request fields

redirect_browser_to after login with login_challenge

1. flow = createBrowserLoginFlow({ loginChallenge: 'login_challenge' })
2. flow = updateLoginFlow({ flow: flow.id, updateLoginFlowBody: { ... }})
3. flow will now be the SuccessfulNativeLogin response instead of browser_location_change_required

Relevant log output

started handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[csrf_token=base64]] host:127.0.0.1 method:GET path:/self-service/login/browser query:login_challenge=123456789 remote:127.0.0.1]
[DEBUG] GET https://hydra-admin/admin/oauth2/auth/requests/login?login_challenge=123456789 audience=application service_name=Ory Kratos service_version=v0.11.1
completed handling request http_request=started handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close cookie:[csrf_token=base64]] host:127.0.0.1 method:GET path:/self-service/login/browser query:login_challenge=123456789 remote:127.0.0.1] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Cookie] size:1880 status:200 text_status:OK took:40.0ms]

Relevant configuration

selfservice:
  methods:
    password:
      enabled: true

oauth2_provider:
  url: https://hydra-admin

log:
  level: debug

Version

v0.11.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

The createBrowserLoginFlow (selfservice/flow/login/handler.go) function requests the Hydra login request and checks it, but seemingly doesn't add it the flow. But the getLoginFlow (selfservice/flow/login/handler.go) function does add the Hydra login request as field.

kratos/selfservice/flow/login/handler.go

Lines 542 to 551 in 3d07161

	if ar.OAuth2LoginChallenge.Valid {
	hlr, err := h.d.Hydra().GetLoginRequest(r.Context(), ar.OAuth2LoginChallenge)
	if err != nil {
	// We don't redirect back to the third party on errors because Hydra doesn't
	// give us the 3rd party return_uri when it redirects to the login UI.
	h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, err)
	return
	}
	ar.HydraLoginRequest = hlr
	}

[fabhuebner]

+1

[vinckr]

Hello @friedemannsommer & @fabhuebner

See this PR: ory/examples#67

This is a community effort to create a self-hosted Ory Kratos + Hydra integration example.
Any contribution / review / feedback etc is much appreciated 🙌

[friedemannsommer]

@vinckr If I understand the example correctly, it's using the Kratos init flow redirect and then loads the given flow which prevents part of the issue I described.

if (!isQuerySet(flow)) {
  logger.debug("No flow ID found in URL query initializing login flow", {
    query: req.query,
  })
  res.redirect(303, initFlowUrl)
  return
}

Example source references:

• https://github.com/ory/examples/blob/82666a2079fab5b354b5655c61424f0b2f39572f/kratos-hydra/src/pkg/index.ts#L18-L25
• https://github.com/ory/examples/blob/82666a2079fab5b354b5655c61424f0b2f39572f/kratos-hydra/src/routes/login.ts#L48-L54

Sadly I'm unable to implement it like this and must rely on the JSON response of these endpoints.

Which leads me to think, it is expected that the oauth2_login_request is missing in the JSON response of createBrowserLoginFlow (if a valid login_challenge was given)?

Based on the current implementation of the example I don't understand how the redirect after a successful login should work. Does Kratos redirect to Hydra if the form data is passed directly to /self-service/login?flow=<UUIDv4> (explicitly not using updateLoginFlow method)? I'll try to check this and report back.

[vinckr]

Hey @friedemannsommer

thanks for the detailed response.
The example is currently not in a working state, so that is why some things might be weird.
I also have to get into the gritty details some more...
Maybe we can include your use case as well in it (or it requires a different example setup? 🤔 )

[friedemannsommer]

I've created a (very basic) example project to demonstrate the described issues.
github.com/friedemannsommer/hydra-kratos-nextjs-integration

So far I have not managed to test if Kratos correctly redirects to Hydra after a successful login, if the login flow doesn't use the JSON API.

[friedemannsommer]

@vinckr @CaptainStandby Thank you for addressing this issue, should i create a separate issue (or rather discussion) for the redirect after login topic?