CSRF mismatch

[senitsgh]

Hello,
I am trying to setup Kratos as my authentication system. I have a nextJs application which needs to talk to kratos. I have implemented the authentication in my local machine with docker desktop, it worked. But when hosted in kubernetes/cloud, I am getting this csrf mismatch error which I am unable to get past. The NextJS App and Kratos are in the same domain.

The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token). reject_reason:The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow.] message:the request was rejected to protect you from Cross-Site-Request-Forgery reason:The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues. status:Forbidden status_code:403

Any help would be greatly appreciated. I am using kratos v0.8.2-alpha.1 & next 12.0.1.

Here is the logs from my nextJs app.
sign up flowId - cc92ac8b-142b-474d-8006-d0b874114d0c sign up cookie - csrf_token_60d6199f37e848dc27978204010e8a4d54cbd6c293d5f8397fbf0632e86b349c=y7/eFXITKXHekeevLURUw2lI4y9heq/uVGMw0UZSn1A= { id: 'cc92ac8b-142b-474d-8006-d0b874114d0c', type: 'browser', expires_at: '2022-02-12T11:25:39.068691Z', issued_at: '2022-02-12T11:15:39.068691Z', request_url: 'http://mydomain.com/self-service/registration/browser', ui: { action: 'https://mydomain.com/self-service/registration?flow=cc92ac8b-142b-474d-8006-d0b874114d0c', method: 'POST', nodes: [ [Object], [Object], [Object], [Object], [Object], [Object] ] } }

CSRF node I received in /self-service/registration/browser response
{ type: 'input', group: 'default', attributes: { name: 'csrf_token', type: 'hidden', value: '/nHBV0lpHKW1eydT3JUTm6GMouX8uCAjF6fLWUsPjUU1zh9CO3o11GvqwPzx0UdYyMRByp3Cj81DxPuIDV0SFQ==', required: true, disabled: false, node_type: 'input' }, messages: [], meta: {} }

POST request PayLoad for SignUP
https://mydomain.com/self-service/registration?flow=cc92ac8b-142b-474d-8006-d0b874114d0c csrf_token: /nHBV0lpHKW1eydT3JUTm6GMouX8uCAjF6fLWUsPjUU1zh9CO3o11GvqwPzx0UdYyMRByp3Cj81DxPuIDV0SFQ== traits.email: [email protected] traits.name.first: sen traits.name.last: kh password: ItsNotAValidPassword confirmPassword: ItsNotAValidPassword method: password

Thanks in advance :)

[senitsgh]

I was able to solve this issue. The Cookie was missing in the header, it was due to the setting kratos.yaml

cookies: domain: mydomain.com path: /auth same_site: Lax
After I changed it to the below one it worked.
cookies: domain: mydomain.com path: / same_site: Lax

[vinckr]

Thanks for sharing your fix @senitsgh 🙌

[SoGoDev]

I have same issue. I checked headers and cookies was there.