wip: checking in

Author: jmgilman

playground/helmfile/platform/ory/kratos-values.yaml

@@ -33,6 +33,7 @@ kratos:
       allowed_return_urls:
         - https://forge.projectcatalyst.dev/
         - https://auth.projectcatalyst.dev/api/v1/oauth2/login
+        - https://auth.projectcatalyst.dev/api/v1/oauth2/consent
       flows:
         settings:
           ui_url: https://forge.projectcatalyst.dev//profile
@@ -70,6 +71,11 @@ kratos:
                   - email
                   - profile
 
+    cookies:
+      domain: projectcatalyst.dev
+      path: /
+      same_site: Lax
+
     session:
       cookie:
         domain: projectcatalyst.dev

playground/test_cli_auth.py

@@ -58,7 +58,8 @@ def run_server(server_class=HTTPServer, handler_class=CallbackHandler, port=4915
     # 2. Open Browser and Start Server
     print("Opening browser for authentication...")
     time.sleep(2)
-    webbrowser.open(auth_url)
+    print(auth_url)
+    #webbrowser.open(auth_url)
     authorization_code = None
     received_state = None
     run_server()

services/frontend/src/lib/auth/oidc.ts

@@ -33,31 +33,51 @@ const kratos = new FrontendApi(
  * browser naturally follows redirects (no CORS surprises).
  */
 export async function loginWithProvider(provider: string, returnTo: string = "/"): Promise<void> {
-  async function getFlowWithAction(): Promise<HasUi | null> {
+  // Prefer reusing an existing Kratos login flow if the URL already contains ?flow=...
+  // This preserves the original return_to (e.g., the Hydra login_challenge callback)
+  console.log("STARTING LOGIN WITH PROVIDER", provider, returnTo);
+  const url = new URL(window.location.href);
+  const existingFlowId = url.searchParams.get("flow");
+  console.log("existingFlowId", existingFlowId);
+
+  // For custom UI: read the existing flow using a no-credentials JSON request.
+  // Do NOT send cookies on this request or Kratos will require a CSRF header and return 403.
+  async function readExistingFlow(flowId: string): Promise<HasUi | null> {
     try {
-      const { data } = await kratos.createBrowserLoginFlow();
-      const f = data as unknown as HasUi;
+      const { data } = await kratos.getLoginFlow({ id: flowId });
+      const f = data as HasUi;
       const hasAction = typeof f.ui?.action === "string" && f.ui.action.length > 0;
       const hasId = typeof f.id === "string" && f.id.length > 0;
-      if (hasAction || hasId) return f;
-      return null;
-    } catch {
+      return (hasAction || hasId) ? f : null;
+    } catch (err) {
+      console.log("getLoginFlow error", err);
       return null;
     }
   }
 
-  let flow = await getFlowWithAction();
-  if (!flow) flow = await getFlowWithAction();
+  let flow: HasUi | null = null;
+
+  // Try to load the existing flow first (if present in URL)
+  if (existingFlowId) {
+    try {
+      console.log("readExistingFlow", existingFlowId);
+      flow = await readExistingFlow(existingFlowId);
+    } catch {
+      console.log("readExistingFlow error", existingFlowId);
+    }
+  }
 
+  // If no existing flow, initialize one via browser endpoint so Kratos sets cookies & returns here with ?flow=
   if (!flow) {
-    // As a last resort, navigate to the browser endpoint to let Kratos drive the flow
-    window.location.href = `${kratosBase}/self-service/login/browser`;
+    const rt = returnTo && returnTo.length > 0 ? `?return_to=${encodeURIComponent(returnTo)}` : "";
+    window.location.href = `${kratosBase}/self-service/login/browser${rt}`;
     return;
   }
 
   const action = flow.ui?.action ?? (flow.id ? `${kratosBase}/self-service/login?flow=${flow.id}` : "");
   if (!action) {
-    window.location.href = `${kratosBase}/self-service/login/browser`;
+    const rt = returnTo && returnTo.length > 0 ? `?return_to=${encodeURIComponent(returnTo)}` : "";
+    window.location.href = `${kratosBase}/self-service/login/browser${rt}`;
     return;
   }
   const method = (flow.ui?.method ?? "POST").toUpperCase();

services/ory/auth/internal/api/router.go

@@ -50,6 +50,9 @@ func SetupRouter(cfg *config.Config) *gin.Engine {
 		v1.POST("/oauth2/consent", h.ConsentPost)
 		v1.POST("/hydra/token-hook", h.TokenHook)
 
+		// BFF: expose Kratos login flow JSON without cookies for SPA
+		v1.GET("/kratos/login-flow", h.KratosLoginFlow)
+
 		// Prometheus metrics endpoint
 		v1.GET("/metrics", gin.WrapH(promhttp.Handler()))
 	}

services/ory/auth/internal/handlers/bff.go

@@ -0,0 +1,51 @@
+package handlers
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+
+	"github.com/gin-gonic/gin"
+)
+
+// KratosLoginFlow proxies the Kratos login flow JSON without forwarding cookies.
+// It is intended for SPAs to read the flow (including csrf_token and ui.action)
+// without tripping CSRF protections.
+func (h *Handlers) KratosLoginFlow(c *gin.Context) {
+	flowID := c.Query("id")
+	if flowID == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "missing id", "correlation": corrFields(c)})
+		return
+	}
+
+	endpoint := fmt.Sprintf("%s/self-service/login/flows?id=%s", h.cfg.Kratos.PublicURL, url.QueryEscape(flowID))
+	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error(), "correlation": corrFields(c)})
+		return
+	}
+	// Ensure no cookies are forwarded; set minimal headers
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := h.httpClient.Do(req)
+	if err != nil {
+		c.JSON(http.StatusBadGateway, gin.H{"error": err.Error(), "correlation": corrFields(c)})
+		return
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		c.JSON(http.StatusBadGateway, gin.H{"error": err.Error(), "correlation": corrFields(c)})
+		return
+	}
+
+	contentType := resp.Header.Get("Content-Type")
+	if contentType == "" {
+		contentType = "application/json"
+	}
+	// Disable caching of flow JSON
+	c.Header("Cache-Control", "no-store, no-cache, must-revalidate, private")
+	c.Data(resp.StatusCode, contentType, body)
+}