
kratos-selfservice-ui-node's Introduction

Ory Kratos NodeJS / ExpressJS User Interface Reference Implementation


This repository contains a reference implementation of a self-service user interface for Ory Kratos in NodeJS / ExpressJS / Handlebars / NextJS. It implements all Ory Kratos flows (login, registration, account settings, account recovery, account verification).

If you only want to add authentication to your app, and not customize the login, registration, account recovery, ... screens, please check out the Ory Kratos Quickstart.

Configuration

Below is a list of environment variables required by the Express.js service to function properly.

In a local development run of the service using npm run start, some of these values are set by nodemon and are configured in the nodemon.json file.

When using this UI with an Ory Network project, you can use ORY_SDK_URL instead of KRATOS_PUBLIC_URL and HYDRA_ADMIN_URL.

Ory Identities requires the following variables to be set:

  • ORY_SDK_URL or KRATOS_PUBLIC_URL (required): The URL where Ory Kratos' Public API is located. If this app and Ory Kratos run in the same private network, this should be the private network address (e.g. kratos-public.svc.cluster.local).
  • KRATOS_BROWSER_URL (optional): The browser-accessible URL of Ory Kratos' Public API. Only needed if it differs from KRATOS_PUBLIC_URL, for example when the browser reaches Kratos through a reverse proxy while this app reaches it over the private network.
  • KRATOS_ADMIN_URL (optional): The URL where Ory Kratos' Admin API is located (e.g. http://kratos:4434).

Ory OAuth2 requires additional setup so that CSRF cookies can be set on the /consent endpoint.

  • ORY_SDK_URL or HYDRA_ADMIN_URL (optional): The URL where Ory Hydra's Admin API is located. If this app and Ory Hydra run in the same private network, this should be the private network address (e.g. hydra-admin.svc.cluster.local). The Admin API is privileged and should only be reachable from this app, never from browsers.
  • COOKIE_SECRET (required): Used for signing cookies. Must be a string of at least 8 alphanumerical characters. Treat that as a floor, not a target: generate a long random value (for example with openssl rand -hex 32).
  • CSRF_COOKIE_NAME (required): Change the cookie name to match your domain using the __HOST-example.com-x-csrf-token format. Browsers only accept a cookie carrying the __Host- prefix when it is set with Secure, Path=/ and no Domain attribute, which binds it to exactly one host and requires HTTPS.
  • CSRF_COOKIE_SECRET (optional): Required for the Consent route to set a CSRF cookie with a hashed value. The value must be a string of at least 8 alphanumerical characters.
  • REMEMBER_CONSENT_SESSION_FOR_SECONDS (optional): Sets the remember_for value of the accept-consent request in seconds. The default is 3600 seconds.
  • ORY_ADMIN_API_TOKEN (optional): When using an Ory Network project, set ORY_ADMIN_API_TOKEN; it is needed for the OAuth2 consent flow.
  • DANGEROUSLY_DISABLE_SECURE_CSRF_COOKIES (optional): This environment variable should only be used in local development when you have no HTTPS set up. It sets the CSRF cookies to secure: false, which is required for running locally over plain HTTP. When using this setting, you must also set CSRF_COOKIE_NAME to a name without the __Host- prefix, because browsers reject a __Host- cookie that is not Secure.
  • TRUSTED_CLIENT_IDS (optional): A list of trusted OAuth2 client IDs. The consent screen is skipped for these clients and consent is granted automatically, so only list first-party clients you control.

Getting TLS working:

  • TLS_CERT_PATH (optional): Path to the certificate file. Must be set together with TLS_KEY_PATH to enable HTTPS.
  • TLS_KEY_PATH (optional): Path to the private key file. Must be set together with TLS_CERT_PATH to enable HTTPS.
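The following start-up check is an added example and not part of this repository. It encodes only the rules stated in the list above (which variables are required, the 8-character minimum for the two secrets, the __Host- prefix rule, the TLS cert/key pair) and returns a list of problem codes so the service can refuse to start on a misconfiguration instead of failing later, per request. The function names and the code strings are this example's own; the variable names are the ones documented above.

```typescript
// Added example, not part of kratos-selfservice-ui-node: validate the environment
// described in the README before the service starts listening. Only rules stated in
// the README are encoded; the returned problem codes are this example's own.

type Env = Record<string, string | undefined>

// "At least 8 alphanumerical characters", the README's minimum for both secrets.
const SECRET_RE = /^[A-Za-z0-9]{8,}$/
// The Kratos/SDK URL must at least be an absolute http(s) URL.
const HTTP_URL_RE = /^https?:\/\/[^\s/]+/

function validateConfig(env: Env): string[] {
  const problems: string[] = []
  const isSet = (key: string): boolean => (env[key] ?? '').trim() !== ''

  // Ory Identities: one of the two URLs is mandatory.
  const kratosUrl = env.ORY_SDK_URL ?? env.KRATOS_PUBLIC_URL
  if (!kratosUrl) problems.push('missing-kratos-url')
  else if (!HTTP_URL_RE.test(kratosUrl)) problems.push('invalid-kratos-url')

  // Cookie signing secret: required, and the 8-character minimum is a floor.
  if (!isSet('COOKIE_SECRET')) problems.push('missing-cookie-secret')
  else if (!SECRET_RE.test(env.COOKIE_SECRET!)) problems.push('weak-cookie-secret')
  if (isSet('CSRF_COOKIE_SECRET') && !SECRET_RE.test(env.CSRF_COOKIE_SECRET!)) {
    problems.push('weak-csrf-cookie-secret')
  }

  // CSRF cookie name vs. Secure flag: browsers only accept a __Host- cookie that is
  // Secure (with Path=/ and no Domain), so disabling Secure means dropping the prefix,
  // and keeping Secure means the prefix should be present.
  const insecureCsrf = isSet('DANGEROUSLY_DISABLE_SECURE_CSRF_COOKIES')
  const csrfName = env.CSRF_COOKIE_NAME
  if (!csrfName) {
    problems.push('missing-csrf-cookie-name')
  } else {
    const hasHostPrefix = /^__host-/i.test(csrfName)
    if (insecureCsrf && hasHostPrefix) problems.push('host-prefix-with-insecure-cookies')
    if (!insecureCsrf && !hasHostPrefix) problems.push('csrf-cookie-name-without-host-prefix')
  }
  if (insecureCsrf && env.NODE_ENV === 'production') {
    problems.push('insecure-csrf-cookies-in-production')
  }

  // TLS: the two paths only make sense together.
  if (isSet('TLS_CERT_PATH') !== isSet('TLS_KEY_PATH')) problems.push('tls-cert-key-pair-incomplete')

  return problems
}

// Typical use at start-up: refuse to run on a misconfiguration instead of failing per request.
function assertConfig(env: Env): void {
  const problems = validateConfig(env)
  if (problems.length > 0) {
    throw new Error('refusing to start, configuration problems: ' + problems.join(', '))
  }
}
```

Call assertConfig(process.env) once before app.listen(); a development setup with DANGEROUSLY_DISABLE_SECURE_CSRF_COOKIES and a prefix-less CSRF_COOKIE_NAME passes, while the same flag under NODE_ENV=production is reported.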

Running this app on port :4455 next to Ory Kratos, reached through the URL in KRATOS_PUBLIC_URL, is the easiest mode as it requires no additional setup.

This mode relies on browsers sending cookies regardless of the port: cookies are scoped to the host, not to host and port, so cookies set for 127.0.0.1:4433 will also be sent when requesting 127.0.0.1:4455. The same property means any other service on another port of that host can read and overwrite them, which is acceptable for local development only. For environments where applications run on separate subdomains, check out Multi-Domain Cookies.

To authenticate incoming requests, this app uses Ory Kratos' whoami API to check whether the session cookie presented by the browser is still valid. The app forwards the cookie to Kratos and acts on Kratos' answer; it never interprets the cookie itself.
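The following route guard is an added example, not code from this repository, showing what the whoami check above looks like in an Express-style middleware. It assumes Node 18+ (global fetch), Kratos' Public API at KRATOS_PUBLIC_URL as configured above, and Kratos' GET /sessions/whoami and /self-service/login/browser endpoints; the function names are this example's own. The decision logic is deliberately split from the network call so it can be tested without a running Kratos.

```typescript
// Added example, not the project's own code: guard a route by asking Ory Kratos'
// whoami endpoint whether the browser's session cookie is valid. Fails closed: only
// an explicit 401 sends the user to login; any other unexpected answer is an error.

type HeaderMap = Record<string, string>

interface WhoamiRequest { url: string; headers: HeaderMap }

type Decision =
  | { kind: 'allow'; identityId: string }   // valid, active session
  | { kind: 'login'; loginUrl: string }     // no or invalid session: start a login flow
  | { kind: 'error'; status: number }       // Kratos unreachable or misbehaving

// Minimal fetch shape so the guard can be exercised offline with a stub.
type FetchLike = (url: string, init: { headers: HeaderMap; redirect: 'manual' }) =>
  Promise<{ status: number; json: () => Promise<unknown> }>

function publicBase(kratosPublicUrl: string): string {
  return kratosPublicUrl.replace(/\/+$/, '') + '/'
}

// GET <KRATOS_PUBLIC_URL>/sessions/whoami with the browser's cookies forwarded verbatim;
// the session lives in the ory_kratos_session cookie, which this app never decodes itself.
function buildWhoamiRequest(kratosPublicUrl: string, cookieHeader: string | undefined): WhoamiRequest {
  const headers: HeaderMap = { Accept: 'application/json' }
  if (cookieHeader) headers.Cookie = cookieHeader
  return { url: publicBase(kratosPublicUrl) + 'sessions/whoami', headers }
}

// Map Kratos' answer to an access decision. 401 means "not logged in"; any other non-200
// status is an error and must never be treated as "allowed". A 200 whose body is not an
// active session with an identity is treated as "not logged in" as well.
function decide(kratosPublicUrl: string, status: number, body: unknown): Decision {
  const loginUrl = publicBase(kratosPublicUrl) + 'self-service/login/browser'
  if (status === 401) return { kind: 'login', loginUrl }
  if (status !== 200) return { kind: 'error', status }
  const s = body as { active?: boolean; identity?: { id?: string } } | null
  const id = s?.identity?.id
  if (!s || s.active === false || !id) return { kind: 'login', loginUrl }
  return { kind: 'allow', identityId: id }
}

// Express-compatible middleware; fetchImpl is injectable so tests need no network.
function requireSession(kratosPublicUrl: string, fetchImpl: FetchLike = (globalThis as any).fetch) {
  return async (
    req: { headers: { cookie?: string }; identityId?: string },
    res: { redirect: (url: string) => void; status: (code: number) => { send: (body: string) => void } },
    next: () => void,
  ): Promise<void> => {
    const { url, headers } = buildWhoamiRequest(kratosPublicUrl, req.headers.cookie)
    let status: number
    let body: unknown = null
    try {
      const r = await fetchImpl(url, { headers, redirect: 'manual' })
      status = r.status
      if (status === 200) body = await r.json()
    } catch {
      res.status(502).send('identity provider unreachable')
      return
    }
    const d = decide(kratosPublicUrl, status, body)
    if (d.kind === 'allow') { req.identityId = d.identityId; next(); return }
    if (d.kind === 'login') { res.redirect(d.loginUrl); return }
    res.status(502).send('session check failed with HTTP ' + d.status)
  }
}
```

Mount it as app.use('/dashboard', requireSession(process.env.KRATOS_PUBLIC_URL!)). Note that a Kratos outage surfaces as a 502 rather than a redirect to login, which keeps an unavailable identity provider from being mistaken for a logged-out user.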

Base Path

There are two ways of serving this application under a base path:

  1. Let Express.js handle the routing by setting the BASE_PATH environment variable to the sub-path, e.g. /myapp.
  2. Use a reverse proxy or API gateway to strip the path prefix.

The second approach is not always possible, especially when running the application on a serverless environment. In this case, the first approach is recommended.

Development

To run this app with dummy data and no real connection to ORY Kratos, use:

NODE_ENV=stub npm start

If you would like to also generate fake data for the id_token, please set the environment variable CONFORMITY_FAKE_CLAIMS=1 (export CONFORMITY_FAKE_CLAIMS=1).

Test with ORY Kratos

The easiest way to test this app with a local installation of ORY Kratos is to have the ORY Kratos Quickstart running. This is what that would look like:

# start the quickstart using docker compose as explained in the tutorial: https://www.ory.sh/kratos/docs/quickstart/
export KRATOS_PUBLIC_URL=http://127.0.0.1:4433/
export PORT=4455

# In ORY Kratos run the quickstart:
#
#   make quickstart-dev
#
# Next you need to kill the docker container that runs this app in order to free the ports:
#
#   docker kill kratos_kratos-selfservice-ui-node_1

npm start

Update TypeScript SDK

If you've made changes to the ORY Kratos API you may want to manually generate the TypeScript SDK in order for URLs and payloads to work as expected. It is expected that you start this guide from this project's root, wherever you checked it out. You also need to have the openapi-generator installed.

# Set path to kratos:
export KRATOS_DIR=/path/to/kratos
make build-sdk

Building the Docker Image

# Set path to kratos:
export KRATOS_DIR=/path/to/kratos
make build-sdk-docker

Clean up

make clean-sdk


kratos-selfservice-ui-node's Issues

Missing file causes 404 on Kratos docs

Preflight checklist

Describe the bug

The documentation for Ory Kratos, specifically here has a 404 for one of the handlebars examples. The link displayed points to this repository, specifically to https://github.com/ory/kratos-selfservice-ui-node/blob/master/views/partials/ui_node_input_submit.hbs, sorry if this is the wrong place to open the issue. Screenshot below.


Reproducing the bug

Visit https://www.ory.sh/kratos/docs/concepts/ui-user-interface#ui-input-nodes and scroll to the Submit Input Node handlebars example. This appears on both the 0.8 and Next versions of the page.

Relevant log output

No response

Relevant configuration

No response

Version

0.8

On which operating system are you observing this issue?

Other

In which environment are you deploying?

Kubernetes

Additional Context

No response

KRATOS_BROWSER_URL not effective on webauthn script src

Preflight checklist

Describe the bug

The script src seems to fall back to the 127.0.0.1 origin.


Reproducing the bug

  1. Run Kratos with webauthn enabled.
  2. Run self-service with the given docker-compose config (Kratos config stripped)
  3. Login and navigate to account settings.

Relevant log output

No response

Relevant configuration

# docker-compose.yml
version: '3.7'
services:
  selfservice:
    image: oryd/kratos-selfservice-ui-node
    environment:
    - KRATOS_PUBLIC_URL=http://kratos:4433/
    - KRATOS_BROWSER_URL=http://127.0.0.1:8001/authn/
    - BASE_PATH=/auth
    - PORT=4455
    - SECURITY_MODE=
    networks:
    - intranet
    restart: on-failure
    ports:
     - "4455:4455"

Version

0.11.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

I would happily open a PR if guided, since I couldn't be sure where this issue should be fixed.
I'm sorry if I missed something or did something wrong.

Thanks!

ui doesn't understand that i'm signed in

Preflight checklist

Describe the bug

Hello!
I'm experimenting with Kratos and the UI project.
When I'm signing in with Google I need to press the sign-in button again or navigate to / for the UI to refresh its state.
What am I doing wrong?

Screen.Recording.2022-12-15.at.23.40.05.mp4

Also, I attached my configuration.

Reproducing the bug

Sign in with google.
You can use my deployment https://ui.kratos.aurokk.com/.
The problem appears only when you face a google consent screen (you'll face it every time if you have multiple google accounts signed in, or you sign in for the first time). If there is no consent screen — it works as expected!

Relevant log output

No response

Relevant configuration

kratos:
  config:
    dsn: ...
    secrets:
      default:
        - ...
        - ...
    identity:
      default_schema_id: user_v0
      schemas:
        - id: user_v0
          url: file:///etc/config/user_v0.schema.json
    courier:
      smtp:
        connection_uri: ...
        from_address: [email protected]
        from_name: Words
    serve:
      public:
        base_url: https://kratos.aurokk.com/
    selfservice:
      default_browser_return_url: https://ui.kratos.aurokk.com/
      methods:
        password:
          enabled: true
        link:
          enabled: true
        oidc:
          enabled: true
          config:
            providers:
              - id: google
                provider: google
                client_id: ...
                client_secret: ...
                mapper_url: "base64://bG9jYWwgY2xhaW1zID0gewogIGVtYWlsX3ZlcmlmaWVkOiB0cnVlLAp9ICsgc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBbaWYgJ2VtYWlsJyBpbiBjbGFpbXMgJiYgY2xhaW1zLmVtYWlsX3ZlcmlmaWVkIHRoZW4gJ2VtYWlsJyBlbHNlIG51bGxdOiBjbGFpbXMuZW1haWwsCiAgICB9LAogIH0sCn0K"
                scope:
                  - email
                  - profile
                requested_claims:
                  id_token:
                    email:
                      essential: true
                    email_verified:
                      essential: true
      flows:
        error:
          ui_url: https://ui.kratos.aurokk.com/error
        login:
          ui_url: https://ui.kratos.aurokk.com/login
        recovery:
          enabled: true
          ui_url: https://ui.kratos.aurokk.com/recovery
        registration:
          ui_url: https://ui.kratos.aurokk.com/registration
          after:
            oidc:
              hooks:
                - hook: session
        verification:
          enabled: true
          ui_url: https://ui.kratos.aurokk.com/verification
        settings:
          ui_url: https://ui.kratos.aurokk.com/settings
    cookies:
      same_site: Strict
      domain: kratos.aurokk.com
    session:
      cookie:
        same_site: Strict
        domain: kratos.aurokk.com
  automigration:
    enabled: true
  identitySchemas:
    "user_v0.schema.json": |
      {
        "$id": "https://kratos.aurokk.com/user_v0.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "User",
        "type": "object",
        "properties": {
          "traits": {
            "type": "object",
            "properties": {
              "email": {
                "type": "string",
                "format": "email",
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    }
                  },
                  "recovery": {
                    "via": "email"
                  },
                  "verification": {
                    "via": "email"
                  }
                }
              }
            }
          }
        }
      }

Version

0.26.5

On which operating system are you observing this issue?

None

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

Error Setup with UnauthorizedError: No authorization token was found

Describe the bug

following the install guide on https://www.ory.sh/kratos/docs/quickstart/

start build docker image with source code in master

To Reproduce

Steps to reproduce the behavior:

git clone https://github.com/ory/kratos.git
git checkout master
make quickstart-dev

go to http://127.0.0.1:4455/dashboard

Expected behavior

show login screen

Actual behavior

shows

An error occurred

{
  "name": "UnauthorizedError",
  "message": "No authorization token was found",
  "code": "credentials_required",
  "status": 401,
  "inner": {
    "message": "No authorization token was found"
  }
}

logs

kratos-selfservice-ui-node_1  | UnauthorizedError: No authorization token was found
kratos-selfservice-ui-node_1  |     at middleware (/usr/src/app/node_modules/express-jwt/lib/index.js:79:21)
kratos-selfservice-ui-node_1  |     at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
kratos-selfservice-ui-node_1  |     at next (/usr/src/app/node_modules/express/lib/router/route.js:137:13)
kratos-selfservice-ui-node_1  |     at Route.dispatch (/usr/src/app/node_modules/express/lib/router/route.js:112:3)
kratos-selfservice-ui-node_1  |     at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
kratos-selfservice-ui-node_1  |     at /usr/src/app/node_modules/express/lib/router/index.js:281:22
kratos-selfservice-ui-node_1  |     at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)
kratos-selfservice-ui-node_1  |     at next (/usr/src/app/node_modules/express/lib/router/index.js:275:10)
kratos-selfservice-ui-node_1  |     at SendStream.error (/usr/src/app/node_modules/serve-static/index.js:121:7)
kratos-selfservice-ui-node_1  |     at SendStream.emit (events.js:321:20)
kratos-selfservice-ui-node_1  | GET /dashboard 500 11571 - 714.033 ms
kratos-selfservice-ui-node_1  | GET /form.css 304 - - 20.003 ms
kratos-selfservice-ui-node_1  | GET /index.css 304 - - 15.942 ms
kratos-selfservice-ui-node_1  | GET /auth.css 304 - - 1.758 ms
kratos-selfservice-ui-node_1  | GET /typography.css 304 - - 2.589 ms
kratos-selfservice-ui-node_1  | GET /favicon.ico 302 22 - 11.979 ms

Environment

master branch with hash 6f750047

Implement consent page for Hydra implementation

Preflight checklist

Describe your problem

I am currently using the latest (alpha) version of this project.
I am aware that there is a reason that it is in an alpha state, so this issue should not be a complaint, but rather a question
Will there be a solution implemented to be able to complete Hydra's consent flow directly with this UI?
I really like its design and want to use it while focusing on other parts of my infrastructure before implementing my own.
Thank you very much for the hard work you put into your really nice products, I am looking forward to integrating them more within my application!

Describe your ideal solution

It would be very nice if this feature would be implemented in this UI.

Workarounds or alternatives

A workaround that would come to my mind is using the example Hydra consumer application just for consents.

Version

v0.11.0-alpha.0.pre.0

Additional Context

No response

Docker root owned files

Preflight checklist

Describe the bug

This happens for every clean build on latest

pandora-scraper-kratos-selfservice-ui-node-1  | > @ory/[email protected] serve
pandora-scraper-kratos-selfservice-ui-node-1  | > node lib/index.js
pandora-scraper-kratos-selfservice-ui-node-1  | 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! code EACCES
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! syscall mkdir
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! path /home/ory/.npm
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! errno -13
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! Your cache folder contains root-owned files, due to a bug in
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! previous versions of npm which has since been addressed.
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! To permanently fix this problem, please run:
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR!   sudo chown -R 10000:65533 "/home/ory/.npm"
pandora-scraper-kratos-selfservice-ui-node-1  | 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! Log files were not written due to an error writing to the directory: /home/ory/.npm/_logs
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! You can rerun the command with `--loglevel=verbose` to see the logs in your terminal

Reproducing the bug

Run container

Relevant log output

No response

Relevant configuration

No response

Version

latest

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

npm package contains unnecessary files

Preflight checklist

Describe the bug

The package published to npm contains a lot of files that definitely shouldn't be part of the package.


Especially the .bin/ folder containing the ory-cli bumps the package size by about 40 MiB.

Reproducing the bug

go to https://www.npmjs.com/package/@ory/kratos-selfservice-ui-node?activeTab=explore

Relevant log output

No response

Relevant configuration

No response

Version

0.11.0-alpha.2

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

None

Additional Context

No response

pathPrefix not getting set

Describe the bug

pathPrefix does not get set correctly in registration.hbs

To Reproduce

Steps to reproduce the behavior:

  1. Set BASE_URL=/anything
  2. Run server
  3. Notice the handlebars templates don't respect the variable pathPrefix

Expected behavior

pathPrefix getting set to BASE_URL in the view file.

Environment

Docker Image

oryd/kratos-selfservice-ui-node:v0.6.0-alpha.2

docker.io/oryd/kratos-selfservice-ui-node@sha256:255582ce33e6941374afb26cd11b2b78b32090e92164fa3065f592ba05e6e4d3

Additional context

BASE_URL is necessary, as ingress resources in kubernetes do not allow ports outside of 80 and 443.

code bug:'JWT' should be 'jwt'

Code in dashboard.ts

/src/routes/dashboard.ts line 8

  if (config.securityMode === 'JWT') {

according config.ts,

export const SECURITY_MODE_JWT = 'jwt'

so here should be

  if (config.securityMode === 'jwt') {

otherwise there will be an issue when running in jwt mode.

and since SECURITY_MODE_JWT is already exported, why not use it to compare directly?

Potential issue with response cache

Describe the bug

Whenever the frontend is calling the node.js backend and there is an error (validation), the user gets redirected to the previous page. With this response it should get info about the errors that occurred during validation. However I can see that those responses are cached and return plain form data without any errors whatsoever. Disabling cache on the node.js end seems to help, but it looks like a hacky way to fix the problem.

To Reproduce

  1. Go to registration form.
  2. Enter any data into the form fields, except for the password, which you fill in with some well-known passphrase like secret.
  3. Form will be reloaded but no error is shown in the UI.
  4. Check the responses' Age header to see which one gets cached.

Expected behavior

Responses should be properly varied and not cached only based on request params (not sure how it works currently).

Environment

  • Version: v0.5.0 - v0.6.0
  • Environment: kubernetes

Additional context

My hacky fix looks like this: Wikia@a02c9bf

Can self service UI show how to handle multiple emails properly?

I changed the identity.schema.json to have an array for emails to allow identities to have multiple emails. I had to move the title property to the email block instead of the items block.

Here is what it looks like in /settings:


I'm wondering how to set the title for the additional emails. Is this a configuration thing or is this an implementation of the UI itself?

Fix landing page for email verification

Describe the bug

When I land on the email verification page after clicking the link in the email received asking me to verify my email I see the "success" message but I also see the field to enter my email address and send the verification email again.


To Reproduce

Click on link in email received for verification.

Expected behavior

Land on a page that only provides a success message.

UnauthorizedError: secret or public key must be provided

Describe the bug

I setup Oathkeeper, Kratos, and the Self Service UI using the Zero Trust with IAP Proxy guide in our testing environment. I am able to login a user using OIDC (as reflected in the Kratos /identities API). But I get an error on the /dashboard page in the Self Service UI. Here's the error log from Self Service UI:

UnauthorizedError: secret or public key must be provided
at /usr/src/app/node_modules/express-jwt/lib/index.js:105:22
at /usr/src/app/node_modules/jsonwebtoken/verify.js:106:14
at getSecret (/usr/src/app/node_modules/jsonwebtoken/verify.js:90:14)
at Object.module.exports [as verify] (/usr/src/app/node_modules/jsonwebtoken/verify.js:94:10)
at verifyToken (/usr/src/app/node_modules/express-jwt/lib/index.js:103:13)
at fn (/usr/src/app/node_modules/async/lib/async.js:746:34)
at /usr/src/app/node_modules/async/lib/async.js:1213:16
at /usr/src/app/node_modules/async/lib/async.js:166:37
at /usr/src/app/node_modules/async/lib/async.js:706:43
at /usr/src/app/node_modules/async/lib/async.js:167:37

To Reproduce

I'm currently struggling to get the quickstart to reproduce the error, but will update this report as soon as I do.

Here is my current config for kratos-selfservice-ui-node:

HOST=<domain name here>

KRATOS_PUBLIC_URL=http://kratos:4433/
KRATOS_ADMIN_URL=http://kratos:4434/
BASE_URL=https://$HOST
SECURITY_MODE=jwt
JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
KRATOS_BROWSER_URL=https://$HOST/.ory/kratos/public

The error log makes me think it's a problem with the JWKS_URL setting, but it appears to be set correctly? I can ping that URL manually just fine.

Expected behavior

I expect to see the dashboard like I was able to do locally with the standalone Kratos quickstart.

Environment

Oathkeeper: v0.38.3
Kratos: v0.4.6
Self Service UI: v0.4.6

Redirect loop on domain-based configurations

Describe the bug

We don't use port-based configs in our development environment. Instead we've generated a root cert and then lots of certificates for all of our services including Kratos, Hydra and many more. And there's an issue with kratos-selfservice-ui-node in such a config: it uses a broken 'Host:' header while trying to fetch data from the public API, which causes reverse proxy misbehaviour in configurations where such a proxy knows something about both domains: one for Kratos and the other for kratos-selfservice-ui-node.

To Reproduce

One example is a config for Traefik 1.7 for Kratos:

labels:
            traefik.enable: true
            traefik.api.frontend.rule: "Host: api.kratos.local"
            traefik.api.port: '4433'
            traefik.api.protocol: 'http'
            traefik.api.frontend.headers.SSLRedirect: false
            traefik.admin.frontend.rule: "Host: admin.kratos.local"
            traefik.admin.port: '4434'
            traefik.admin.protocol: 'http'
            traefik.admin.frontend.headers.SSLRedirect: false

and for ui-node:

        labels:
            traefik.enable: true
            traefik.frontend.rule: "Host: ui.kratos.local"
            traefik.port: '80'
            traefik.protocol: 'http'
            traefik.frontend.headers.SSLRedirect: true

Other example is nginx config for both:

server {
    listen          80;
    server_name     ui.kratos.local;
    location / {
        proxy_pass  http://kratos-sample-app:80/;
    }
}

server {
    listen          80;
    server_name     api.kratos.local;
    location / {
        proxy_pass  http://kratos:4433/;
    }
}

Actual behavior

ui-node sets its own domain ui.kratos.local in the Host: header while piping the request to api.kratos.local.
This is an HTTP/1.1 violation. The Host header is intended to be used by the webserver in configurations where a single destination can lead to different virtual hosts.

So if the webserver knows something about both used domains (ui.kratos.local & api.kratos.local), it routes the request to the wrong location. Even if the destination is api.kratos.local, the request will be routed to ui.kratos.local as given in the Host: header.

The behaviour differs between webservers. Traefik returns a 302 redirect, which in turn redirects to ui.kratos.node, and the redirect loop starts over. As opposed to Traefik, Nginx does not try to generate a redirect and instead itself routes the request to ui.kratos.local, where it gets the same type of response: a redirect.

So though Traefik and Nginx have different logic for handling such ill-formed requests, both ways of handling cause a redirect loop for the browser.

Expected behavior

/dashboard or / should be opened after login instead of looping infinitely through redirects just after logging in.

kratos hydra-integration flow doesn't work on chrome, works on ff

Describe the bug

The existing hydra-integration branch only works when accessing the oauth2 client page through Firefox, not Chrome. On Chrome, an error is presented after the sign-in flow instead of being forwarded to the callback URL.

To Reproduce

Start the hydra-integration components and access http://127.0.0.1:5555 from chromium or similar.

Expected behavior

You should get the callback URL with the tokens.

Environment

  • Ubuntu 20 for my colleague and me, but pretty sure there was discussion elsewhere that others had this issue as well

Additional context

Honestly I feel no urgency to fix this. Creating this mostly to track the issue so someone gets to it eventually. (I have a feeling that's gonna be me).

Support for configuring and enabling HTTPS

Wait a bit, I'll perform some forking/merging/etc stuff and create a PR.
I already have a working version.
Docker-compose example:

        environment:
            PORT: 443
            TLS_KEY_PATH: '/certificates/certificate.key'
            TLS_CERT_PATH: '/certificates/certificate.crt'
            ...more_vars
        volumes:
            - 'path/to/abovementioned/cert/files:/certificates:ro'
            ...more_volumes

Redirect loop with kratos-selfservice-ui-node and ory platform

Preflight checklist

Describe the bug

Hi,

for context, we are evaluating kratos, oathkeeper and keto currently. So I cloned the example repository when I ran into cookie issues with the hosted UI. I am currently facing a redirect loop.

Reproducing the bug

What I've done so far:

I've cloned your repository, built the docker image (make docker) and deployed it on a public URL. The only environment variable I set is KRATOS_PUBLIC_URL: https://XXX.projects.oryapis.com/api/kratos/public.

Then I went into the Console (your UI) and configured the custom links for login, registration, recovery, etc..

The project starts up, and I get redirected to /welcome.

Whenever I click any of the buttons for login, etc. my browser eventually gives up with a "too many redirects" error.

Relevant log output

To repro on the command line:

$ curl -L https://my-app.example.org/login
curl: (47) Maximum (50) redirects followed


# or more detailed:

$ curl -v -L https://my-app.example.org/login
*   Trying 5.57.43.202...
* TCP_NODELAY set
* Connected to my-app.example.org (5.57.43.202) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=my-app.example.org
*  start date: Feb  3 18:32:25 2022 GMT
*  expire date: May  4 18:32:24 2022 GMT
*  subjectAltName: host "my-app.example.org" matched cert's "my-app.example.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fab5080d600)
> GET /login HTTP/2
> Host: my-app.example.org
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 303 
< content-type: text/plain; charset=utf-8
< date: Thu, 03 Feb 2022 19:48:57 GMT
< location: https://XXX.projects.oryapis.com/api/kratos/public/self-service/login/browser?aal=&refresh=&return_to=
< vary: Accept
< x-powered-by: Express
< content-length: 149
< 
* Ignoring the response-body
* Connection #0 to host my-app.example.org left intact
* Issue another request to this URL: 'https://XXX.projects.oryapis.com/api/kratos/public/self-service/login/browser?aal=&refresh=&return_to='
*   Trying 104.18.13.126...
* TCP_NODELAY set
* Connected to XXX.projects.oryapis.com (104.18.13.126) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=oryapis.com
*  start date: Jan  9 00:00:00 2022 GMT
*  expire date: Apr  9 23:59:59 2022 GMT
*  subjectAltName: host "XXX.projects.oryapis.com" matched cert's "*.projects.oryapis.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fab5080d600)
> GET /api/kratos/public/self-service/login/browser?aal=&refresh=&return_to= HTTP/2
> Host: XXX.projects.oryapis.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 303 
< date: Thu, 03 Feb 2022 19:48:57 GMT
< content-type: text/html; charset=utf-8
< content-length: 103
< location: https://my-app.example.org/login?flow=72b79c56-0af8-49ae-a91c-cbba28733501
< cache-control: private, no-cache, no-store, must-revalidate
< set-cookie: csrf_token_a7d567194e5d40721c3e0a70dba7fcc523fb7ac0cc53b288b4b9a33eb2feadcd=JozvwPabFKYlEbNqprABjOF8sorsnhcUFrz9rEvZf14=; Path=/; Domain=XXX.projects.oryapis.com; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
< vary: Origin,Cookie
< x-envoy-upstream-service-time: 101
< permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()
< referrer-policy: strict-origin-when-cross-origin
< x-content-type-options: nosniff
< x-frame-options: DENY
...


### Relevant configuration

KRATOS_PUBLIC_URL: https://XXX.projects.oryapis.com/api/kratos/public

Version

master

On which operating system are you observing this issue?

Ory Cloud

In which environment are you deploying?

Docker Compose

Additional Context

Strictly speaking, I am deploying the app on Docker Swarm. But it's very similar to Docker Compose.

Signup page An error occurred connect ECONNREFUSED ::1:80

Preflight checklist

Describe the bug

Brief

Trying to open the signup page.
Get page "An error occurred" with message "connect ECONNREFUSED ::1:80"

The projects are deployed in kubernetes with Ingress.
Using deployment from: https://github.com/ory/k8s/tree/v0.26.1

Error

{
  "message": "connect ECONNREFUSED ::1:80",
  "name": "Error",
  "stack": "Error: connect ECONNREFUSED ::1:80\n    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1161:16)",
  "config": {
    "url": "kratos-public.default.svc.cluster.local/self-service/registration/flows?id=e1cf779a-7d9e-4936-b25a-32653d46b4ad",
    "method": "get",
    "headers": {
      "Accept": "application/json, text/plain, */*",
      "User-Agent": "axios/0.21.4"
    },
    "transformRequest": [
      null
    ],
    "transformResponse": [
      null
    ],
    "timeout": 0,
    "xsrfCookieName": "XSRF-TOKEN",
    "xsrfHeaderName": "X-XSRF-TOKEN",
    "maxContentLength": -1,
    "maxBodyLength": -1,
    "transitional": {
      "silentJSONParsing": true,
      "forcedJSONParsing": true,
      "clarifyTimeoutError": false
    }
  },
  "code": "ECONNREFUSED"
}

I tried to get the page via wget from the kratos-selfservice-ui-node pod inside the kubernetes network, but I got code 403:

wget -q -S -O - kratos-public.default.svc.cluster.local/self-service/registration/flows?id=168189ff-b9c3-44fa-8c8f-c7af9753157a 2>&1 
  HTTP/1.1 403 Forbidden
wget: server returned error: HTTP/1.1 403 Forbidden

But if I change the host to one available outside the kubernetes network, I can get the data from that url in the browser.
(url: http://public.kratos.localhost/self-service/registration/flows?id=cf0d88b4-2b7e-40f7-961e-829ad87af929)

{"id":"cf0d88b4-2b7e-40f7-961e-829ad87af929","type":"browser","expires_at":"2022-11-16T16:19:28.99898Z","issued_at":"2022-11-16T15:19:28.99898Z","request_url":"http://public.kratos.localhost/self-service/registration/browser?return_to=","ui":{"action":"https://kratos-587fd8b856-w2cjp:4433/self-service/registration?flow=cf0d88b4-2b7e-40f7-961e-829ad87af929","method":"POST","nodes":[{"type":"input","group":"default","attributes":{"name":"csrf_token","type":"hidden","value":"1lUykvKiVulRyRSsGlq7I57OYg14NRQ7lwWEP+2V5UMdeX4GwPbLac53oeHrqD6CM1le3VTDvlKnk4Kw1RSw8g==","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.username","type":"text","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"password","type":"password","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070001,"text":"Password","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"traits.email","type":"email","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1070002,"text":"E-Mail","type":"info"}}},{"type":"input","group":"password","attributes":{"name":"traits.name.first","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.name.last","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.favorite_animal","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"traits.accepted_tos","type":"text","disabled":false,"node_type":"input"},"messages":[],"meta":{}},{"type":"input","group":"password","attributes":{"name":"method","type":"submit","value":"password","disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1040001,"text":"Sign up","type":"info","context":{}}}}]}}

Config

kratos config

My own file: "values/kratos.yaml"

ingress:
  admin:
    enabled: true
    className: ""
    annotations:
      {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: admin.kratos.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  public:
    enabled: true
    className: ""
    annotations:
      {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: public.kratos.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  
kratos:
  config:
    serve:
      public:
        cors:
          enabled: false
          allowed_origins:
            - http://ui.kratos.localhost
    hashers:
      argon2:
        parallelism: 1
        memory: 37MB
        iterations: 1
        salt_length: 16
        key_length: 16
    dsn: postgres://mikhailgorbachev666:82M3TLiz7SttMrLu2bTe&@chart-service-account-postgresql-db-postgresql-sa-service.default.svc.cluster.local:5432/db_service_account?sslmode=disable
    secrets:
      default:
        - dolore occaecat nostrud Ut
        - sit et commodoaute ut voluptate consectetur Duis
    identity:
      default_schema_id: default
      schemas:
        - id: default
          url: file:///etc/config/identity.default.schema.json
    courier:
      smtp:
        connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
    selfservice:
      default_browser_return_url: http://ui.kratos.localhost/
      flows:
        login:
          ui_url: http://ui.kratos.localhost/login

        registration:
          ui_url: http://ui.kratos.localhost/registration

        error:
          ui_url: http://ui.kratos.localhost/error
         
  automigration:
    enabled: true
  identitySchemas:
    "identity.default.schema.json": |
      {
        "$id": "http://mydomain.com/schemas/v2/customer.schema.json",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "A customer (v2)",
        "type": "object",
        "properties": {
          "traits": {
            "type": "object",
            "properties": {
              "username": {
                "type":"string",
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    }
                  }
                }
              },
              "email": {
                "title": "E-Mail",
                "type": "string",
                "format": "email",
                "ory.sh/kratos": {
                  "credentials": {
                    "password": {
                      "identifier": true
                    }
                  }
                }
              },
              "name": {
                "type": "object",
                "properties": {
                  "first": {
                    "type": "string"
                  },
                  "last": {
                    "type": "string"
                  }
                }
              },
              "favorite_animal": {
                "type": "string"
              },
              "accepted_tos": {
                "type": "string"
              }
            },
            "required": ["username", "email"],
            "additionalProperties": false
          }
        }
      }

kratos-selfservice-ui-node config

# Default values for kratos-selfservice-ui-node.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# -- Number of replicas in deployment
replicaCount: 1

# -- Deployment image settings
image:
  # SELFSERVICE image
  repository: oryd/kratos-selfservice-ui-node
  # -- ORY KRATOS VERSION
  tag: v0.10.1
  pullPolicy: IfNotPresent

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

# -- Service configuration
service:
  type: ClusterIP
  port: 80
  # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
  name: http

# -- Ingress configration
ingress:
  enabled: true
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: ui.kratos.localhost
      paths: 
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

# -- Deployment level securityContext
securityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  privileged: false

# -- Deployment configuration
deployment:
  resources: {}
  #  We usually recommend not to specify default resources and to leave this as a conscious
  #  choice for the user. This also increases chances charts run on environments with little
  #  resources, such as Minikube. If you do want to specify resources, uncomment the following
  #  lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #  memory: 128Mi

  # -- Array of extra envs to be passed to the deployment. Kubernetes format is expected
  # - name: FOO
  #   value: BAR
  extraEnv: []
  # -- If you want to mount external volume
  # For example, mount a secret containing Certificate root CA to verify database
  # TLS connection.
  extraVolumes: []
  # - name: my-volume
  #   secret:
  #     secretName: my-secret
  extraVolumeMounts: []
  # - name: my-volume
  #   mountPath: /etc/secrets/my-secret
  #   readOnly: true

  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
  #   foo: bar

  # -- Configure node tolerations.
  tolerations: []

  # -- Configure pod topologySpreadConstraints.
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: kratos-selfservice-ui-node
  #       app.kubernetes.io/instance: kratos-selfservice-ui-node

  labels: {}
  #      If you do want to specify additional labels, uncomment the following
  #      lines, adjust them as necessary, and remove the curly braces after 'labels:'.
  #      e.g.  type: app

  annotations: {}
  #      If you do want to specify annotations, uncomment the following
  #      lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
  #      e.g.  sidecar.istio.io/rewriteAppHTTPProbers: "true"

  # https://github.com/kubernetes/kubernetes/issues/57601
  automountServiceAccountToken: false

affinity: {}

# -- Set this to ORY Kratos's Admin URL
kratosAdminUrl: "kratos-admin.default.svc.cluster.local"

# -- Set this to ORY Kratos's public URL
kratosPublicUrl: "kratos-public.default.svc.cluster.local"

# -- Set this to ORY Kratos's public URL accessible from the outside world.
kratosBrowserUrl: "http://public.kratos.localhost/"

# -- The baseUrl
baseUrl: ""

# -- The jwksUrl
jwksUrl: "http://oathkeeper-api"

projectName: "SecureApp"

Logs

kratos-selfservice-ui-node logs:

{"level":"info","message":"HTTP GET /health/ready","meta":{"req":{"headers":{"accept":"*/*","connection":"close","host":"10.244.0.157:3000","user-agent":"kube-probe/1.24"},"httpVersion":"1.1","method":"GET","originalUrl":"/health/ready","query":{},"url":"/health/ready"},"res":{"statusCode":200},"responseTime":1}} 
{"level":"info","message":"HTTP GET /health/alive","meta":{"req":{"headers":{"accept":"*/*","connection":"close","host":"10.244.0.157:3000","user-agent":"kube-probe/1.24"},"httpVersion":"1.1","method":"GET","originalUrl":"/health/alive","query":{},"url":"/health/alive"},"res":{"statusCode":200},"responseTime":2}} 
{"level":"info","message":"HTTP GET /registration","meta":{"req":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.5","host":"ui.kratos.localhost","referer":"http://ui.kratos.localhost/welcome","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0","x-forwarded-for":"172.18.0.1","x-forwarded-host":"ui.kratos.localhost","x-forwarded-port":"80","x-forwarded-proto":"http","x-forwarded-scheme":"http","x-real-ip":"172.18.0.1","x-request-id":"062b8b2d72fd63a17f49ba3fd20d6ae9","x-scheme":"http"},"httpVersion":"1.1","method":"GET","originalUrl":"/registration","query":{},"url":"/registration"},"res":{"statusCode":303},"responseTime":2}} 
Error: connect ECONNREFUSED ::1:80 
at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1161:16) 
{"level":"info","message":"HTTP GET /registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a","meta":{"req":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.5","host":"ui.kratos.localhost","referer":"http://ui.kratos.localhost/","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"cross-site","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0","x-forwarded-for":"172.18.0.1","x-forwarded-host":"ui.kratos.localhost","x-forwarded-port":"80","x-forwarded-proto":"http","x-forwarded-scheme":"http","x-real-ip":"172.18.0.1","x-request-id":"abd3f0b0bdf663d31712e9807f412be3","x-scheme":"http"},"httpVersion":"1.1","method":"GET","originalUrl":"/registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a","query":{"flow":"e1a80d6e-2aa8-4412-89a6-fd166cf21a8a"},"url":"/registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a"},"res":{"statusCode":500},"responseTime":19}} 

Kratos logs:

time=2022-11-15T19:07:36Z level=warning msg=Configuration key serve.public.base_url was left empty. Optimistically guessing the server's base URL. Please set a value to avoid problems with redirects and cookies. audience=application service_name=Ory Kratos service_version=v0.10.1 
time=2022-11-15T19:07:36Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". referer:http://ui.kratos.localhost/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 x-forwarded-for:172.18.0.1 x-forwarded-host:public.kratos.localhost x-forwarded-port:80 x-forwarded-proto:http x-forwarded-scheme:http x-real-ip:172.18.0.1 x-request-id:edb5cce2d7ede56ef8e411bf30a968b5 x-scheme:http] host:public.kratos.localhost method:GET path:/self-service/registration/browser query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:10.244.0.8:59178 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:http://ui.kratos.localhost/registration?flow=e1a80d6e-2aa8-4412-89a6-fd166cf21a8a vary:Cookie] size:108 status:303 text_status:See Other took:7.169415ms] 
time=2022-11-15T19:07:45Z level=info msg=started handling request http_request=map[headers:map[accept:*/* connection:close user-agent:kube-probe/1.24] host:10.244.0.155:4434 method:GET path:/admin/health/ready query:<nil> remote:10.244.0.1:53354 scheme:http] 

Reproducing the bug

  1. Install database
  2. Install kratos and ui
helm install kratos --debug \
    helm/charts/kratos \
    -f values/kratos.yaml

helm install kratos-ui --debug \
    helm/charts/kratos-selfservice-ui-node
  3. Open http://ui.kratos.localhost.
  4. Press "Sign up" button.
  5. Get page "An error occurred"

Relevant log output

No response

Relevant configuration

No response

Version

v0.10.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response
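The axios error in this report carries a `url` with no scheme (`kratos-public.default.svc.cluster.local/self-service/...`, taken straight from the `kratosPublicUrl` chart value), which is why the client ends up at `::1:80` rather than at the Kratos service. The following is an added example, not code from kratos-selfservice-ui-node or the Helm chart: a start-up check that rejects such values before any request is made. The variable names are those from the README (`KRATOS_PUBLIC_URL`, `KRATOS_ADMIN_URL`, `KRATOS_BROWSER_URL`); the accepted scheme list and the `SAMPLE_ENV` values are constructed for the example.

```javascript
// Added example (not project code): validate the Kratos URLs the UI depends on
// at start-up, so a scheme-less value fails loudly instead of as ECONNREFUSED.

const ALLOWED_SCHEMES = ["http:", "https:"]; // assumption of this example

// Returns { ok: true, url } (normalised, trailing slash removed)
// or { ok: false, reason } with a message an operator can act on.
function checkServiceUrl(name, raw) {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: `${name} is not set` };
  }
  let url;
  try {
    url = new URL(raw.trim()); // WHATWG parser: throws when no scheme is present
  } catch (err) {
    return {
      ok: false,
      reason: `${name}=${JSON.stringify(raw)} is not an absolute URL (missing http:// or https://?)`,
    };
  }
  // A bare "host:4433" parses with scheme "host", so this also catches that mistake.
  if (!ALLOWED_SCHEMES.includes(url.protocol)) {
    return { ok: false, reason: `${name} must start with http:// or https://, got "${url.protocol}//"` };
  }
  if (url.search !== "" || url.hash !== "") {
    return { ok: false, reason: `${name} must not contain a query string or fragment` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: `${name} must not embed credentials` };
  }
  return { ok: true, url: url.href.replace(/\/+$/, "") };
}

// Check every URL variable and report all problems at once.
// Required/optional split follows the README's variable list.
function validateConfig(env) {
  const required = ["KRATOS_PUBLIC_URL"];
  const optional = ["KRATOS_ADMIN_URL", "KRATOS_BROWSER_URL"];
  const errors = [];
  const config = {};
  for (const name of [...required, ...optional]) {
    const value = env[name];
    if (!required.includes(name) && (value === undefined || value === "")) continue;
    const result = checkServiceUrl(name, value);
    if (result.ok) config[name] = result.url;
    else errors.push(result.reason);
  }
  return { ok: errors.length === 0, errors, config };
}

// Constructed sample mirroring the chart values quoted in this report.
const SAMPLE_ENV = {
  KRATOS_PUBLIC_URL: "kratos-public.default.svc.cluster.local",
  KRATOS_ADMIN_URL: "kratos-admin.default.svc.cluster.local",
  KRATOS_BROWSER_URL: "http://public.kratos.localhost/",
};

const report = validateConfig(SAMPLE_ENV);
console.log(report.ok ? "configuration ok" : report.errors.join("\n"));
```

Run with `node check-config.js` (assumed file name); against `SAMPLE_ENV` it reports both cluster-local values as not being absolute URLs while accepting the browser URL. The same check applied to `process.env` at start-up turns the runtime error in this report into a clear message before the first request.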

Error messages are not shown during registration

When creating an account and using an invalid password like 123456, the UI will not show any error message and instead just show the vanilla registration screen. The data and error message however are available!

This should be fixed and the error message should be shown. This should work for both login and registration.

Support for i18n

Preflight checklist

Describe your problem

When a user goes to the UI there is no way for users to see any other language besides English.

Describe your ideal solution

Being able to send in URL parameters, or to read the Accept-Language header, to display the language of the user.

Workarounds or alternatives

Currently we are forking the UI and adding support for i18n using the i18next framework; this framework has support for Handlebars.

Version

latest

Additional Context

Since I am adding this to a fork of this project, I can contribute to this project with the i18next framework. But if there is already a decision on going about this another way I'm happy to contribute.
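Both mechanisms the request names (a URL parameter and the `Accept-Language` header) are client-controlled input, so whatever the translation framework, the chosen value should be resolved against an allow-list of bundled locales before it is used to pick a translation file or echoed into a page. The following is an added example and not code from this project or from i18next: it parses the header with its quality values, matches exact and primary-subtag languages, and lets an explicit `?lang=` override the header only when it is on the allow-list. The supported set (`en`, `de`, `fr`) and the `?lang=` parameter name are assumptions.

```javascript
// Added example (not project code): pick a UI language from ?lang= or
// Accept-Language, always resolved against an allow-list of bundled locales.

const SUPPORTED = ["en", "de", "fr"]; // assumed set of bundled translations
const FALLBACK = "en";

// Parse "de-CH,de;q=0.9,en;q=0.8" into [{ tag, q }] ordered by descending q
// (ties keep header order). Entries with q=0 are "not acceptable" and dropped.
function parseAcceptLanguage(header) {
  if (typeof header !== "string") return [];
  return header
    .split(",")
    .map((part, index) => {
      const [rawTag, ...params] = part.trim().split(";");
      let q = 1;
      for (const p of params) {
        const [key, value] = p.trim().split("=");
        if (key === "q") {
          const n = Number(value);
          q = Number.isFinite(n) ? Math.min(Math.max(n, 0), 1) : 0;
        }
      }
      return { tag: rawTag.trim().toLowerCase(), q, index };
    })
    .filter((entry) => entry.tag !== "" && entry.q > 0)
    .sort((a, b) => b.q - a.q || a.index - b.index);
}

// Exact match first ("de"), then the primary subtag ("de-CH" -> "de").
// Returns undefined when the tag is not supported, whatever it contains.
function matchSupported(tag, supported) {
  const lower = String(tag).toLowerCase();
  if (supported.includes(lower)) return lower;
  const primary = lower.split("-")[0];
  return supported.includes(primary) ? primary : undefined;
}

function negotiateLanguage(header, supported = SUPPORTED, fallback = FALLBACK) {
  for (const { tag } of parseAcceptLanguage(header)) {
    if (tag === "*") return fallback;
    const hit = matchSupported(tag, supported);
    if (hit) return hit;
  }
  return fallback;
}

// Request-level helper (shape of an Express request object is assumed):
// an explicit ?lang= wins only if it is on the allow-list; anything else,
// including path-like junk, is ignored and the header decides.
function pickLanguage(req, supported = SUPPORTED, fallback = FALLBACK) {
  const param = req.query ? req.query.lang : undefined;
  if (typeof param === "string") {
    const hit = matchSupported(param, supported);
    if (hit) return hit;
  }
  const header = req.headers ? req.headers["accept-language"] : undefined;
  return negotiateLanguage(header, supported, fallback);
}

// Constructed sample request, not a captured one.
const sampleRequest = {
  query: { lang: "../../etc/passwd" },
  headers: { "accept-language": "de-CH,de;q=0.9,en;q=0.8" },
};
console.log(pickLanguage(sampleRequest)); // "de": the junk parameter is ignored
```

Whatever `pickLanguage` returns can be passed straight to the i18n library as the active locale, since it is guaranteed to be one of the `SUPPORTED` strings and never the raw client value.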

Unhandled stream error in pipe

Describe the bug

As described in #43, when piping the request to the response fails, the node app crashes due to an unhandled error.

To Reproduce

Please refer to steps in #43

Expected behavior

The app doesn't crash, logs some messages and returns a 500 error.

Environment

  • Kratos-selfservice-ui-node: v0.3.0-alpha.1
  • Kratos: v0.3.0-alpha.1
  • Environment: quickstart (docker-compose)

Additional context

Logs:

kratos-selfservice-ui-node_1  | No request found in URL, initializing auth flow.
kratos-selfservice-ui-node_1  | GET /auth/login 302 148 - 42.718 ms
kratos_1                      | time="2020-05-22T12:35:39Z" level=info msg="started handling request" method=GET name="public#http://127.0.0.1:4455/.ory/kratos/public/" remote="172.20.0.4:49302" request=/self-service/browser/flows/login
kratos_1                      | time="2020-05-22T12:35:44Z" level=info msg="completed handling request" method=GET name="public#http://127.0.0.1:4455/.ory/kratos/public/" remote="172.20.0.4:49302" request=/self-service/browser/flows/login status=302 text_status=Found took=5.4979608s
kratos-selfservice-ui-node_1  | GET /.ory/kratos/public/self-service/browser/flows/login 302 100 - 5583.624 ms
kratos_1                      | time="2020-05-22T12:35:44Z" level=info msg="started handling request" method=GET name="admin#http://kratos:4434/" remote="172.20.0.4:46460" request="/self-service/browser/flows/requests/login?request=a1386f7e-b249-40a4-9fd9-38a87329ff8a"
kratos_1                      | time="2020-05-22T12:35:44Z" level=info msg="completed handling request" method=GET name="admin#http://kratos:4434/" remote="172.20.0.4:46460" request="/self-service/browser/flows/requests/login?request=a1386f7e-b249-40a4-9fd9-38a87329ff8a" status=200 text_status=OK took=1.9646ms
kratos-selfservice-ui-node_1  | GET /auth/login?request=a1386f7e-b249-40a4-9fd9-38a87329ff8a 200 13535 - 387.953 ms
kratos-selfservice-ui-node_1  | GET /index.css 304 - - 31.221 ms
kratos-selfservice-ui-node_1  | GET /typography.css 304 - - 35.093 ms
kratos-selfservice-ui-node_1  | GET /form.css 304 - - 25.768 ms
kratos-selfservice-ui-node_1  | GET /auth.css 304 - - 33.850 ms
kratos_1                      | time="2020-05-22T12:35:47Z" level=info msg="started handling request" method=POST name="public#http://127.0.0.1:4455/.ory/kratos/public/" remote="172.20.0.4:49314" request=/self-service/browser/flows/strategies/oidc/auth/a1386f7e-b249-40a4-9fd9-38a87329ff8a
kratos_1                      | time="2020-05-22T12:35:49Z" level=info msg="completed handling request" method=POST name="public#http://127.0.0.1:4455/.ory/kratos/public/" remote="172.20.0.4:49314" request=/self-service/browser/flows/strategies/oidc/auth/a1386f7e-b249-40a4-9fd9-38a87329ff8a status=302 text_status=Found took=1.7090371s
kratos-selfservice-ui-node_1  | POST /.ory/kratos/public/self-service/browser/flows/strategies/oidc/auth/a1386f7e-b249-40a4-9fd9-38a87329ff8a 302 0 - 1717.150 ms
kratos_1                      | time="2020-05-22T12:35:54Z" level=info msg="started handling request" method=GET name="public#http://127.0.0.1:4455/.ory/kratos/public/" remote="172.20.0.4:49320" request="/self-service/browser/flows/strategies/oidc/callback/github?code=...&state=..."
kratos_1                      | time="2020-05-22T12:35:59Z" level=debug msg="Received successful OpenID Connect callback but user is not registered. Re-initializing registration flow now." provider=github subject=...
kratos_1                      | time="2020-05-22T12:36:04Z" level=debug msg="OpenID Connect Jsonnet mapper completed." mapper_jsonnet_output="{\n   \"identity\": {\n      \"traits\": {\n         \"email\": \"[email protected]\"\n      }\n   }\n}\n" mapper_jsonnet_url="file:///etc/config/kratos/oidc.github.jsonnet" oidc_claims="&{https://github.com/login/oauth/access_token ... Anuar Ustayev       https://github.com/anuveyatsu https://avatars1.githubusercontent.com/u/...?v=4  [email protected] true      false 1590150887}" oidc_provider=github
kratos_1                      | time="2020-05-22T12:36:06Z" level=debug msg="A new identity has registered using self-service registration. Running post execution hooks." identity_id=d39fe51c-e8e4-4f8b-919e-0f3bdd26a45c
kratos_1                      | time="2020-05-22T12:36:07Z" level=debug msg="Post registration execution hooks completed successfully." identity_id=d39fe51c-e8e4-4f8b-919e-0f3bdd26a45c
kratos_1                      | time="2020-05-22T12:36:07Z" level=info msg="completed handling request" method=GET name="public#http://127.0.0.1:4455/.ory/kratos/public/" remote="172.20.0.4:49320" request="/self-service/browser/flows/strategies/oidc/callback/github?code=...&state=... status=302 text_status=Found took=13.8210832s
kratos-selfservice-ui-node_1  | internal/streams/legacy.js:61
kratos-selfservice-ui-node_1  |       throw er; // Unhandled stream error in pipe.
kratos-selfservice-ui-node_1  |       ^
kratos-selfservice-ui-node_1  | 
kratos-selfservice-ui-node_1  | Error: socket hang up
kratos-selfservice-ui-node_1  |     at connResetException (internal/errors.js:609:14)
kratos-selfservice-ui-node_1  |     at Socket.socketOnEnd (_http_client.js:455:23)
kratos-selfservice-ui-node_1  |     at Socket.emit (events.js:333:22)
kratos-selfservice-ui-node_1  |     at endReadableNT (_stream_readable.js:1220:12)
kratos-selfservice-ui-node_1  |     at processTicksAndRejections (internal/process/task_queues.js:84:21) {
kratos-selfservice-ui-node_1  |   code: 'ECONNRESET'
kratos-selfservice-ui-node_1  | }
kratos-selfservice-ui-node_1  | npm ERR! code ELIFECYCLE
kratos-selfservice-ui-node_1  | npm ERR! errno 1
kratos-selfservice-ui-node_1  | npm ERR! [email protected] serve: `node lib/index.js`
kratos-selfservice-ui-node_1  | npm ERR! Exit status 1
kratos-selfservice-ui-node_1  | npm ERR! 
kratos-selfservice-ui-node_1  | npm ERR! Failed at the [email protected] serve script.
kratos-selfservice-ui-node_1  | npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
kratos-selfservice-ui-node_1  | 
kratos-selfservice-ui-node_1  | npm ERR! A complete log of this run can be found in:
kratos-selfservice-ui-node_1  | npm ERR!     /root/.npm/_logs/2020-05-22T12_36_07_942Z-debug.log
kratos_kratos-selfservice-ui-node_1 exited with code 1

Add Configurable Base URL

Preflight checklist

Describe your problem

The reference Auth UI implementation is currently hardcoded to serve from the root.

When initially implementing Ory as part of an existing project, you will almost definitely want to test your initial assumptions under a subdirectory such as /auth/. The reference UI does not support this.

Describe your ideal solution

Route URLs should be configurable through a BASE_URL environment variable that nests the Express routes under an optional given path that defaults to /.

Workarounds or alternatives

There are no easy workarounds in an existing project that has potentially conflicting routes. Using subdomains in particular comes with many configuration changes that you're unlikely to use in the final implementation.

Version

oryd/kratos-selfservice-ui-node:v0.8.0-alpha.4.pre.0

Additional Context

No response
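As an added example, not code from kratos-selfservice-ui-node: one way to turn a `BASE_URL` environment variable into the mount path for the Express router, defaulting to `/` as the request asks. The variable name comes from the request; the route list is the set of flows the README names, and the normalisation rules (accept a full URL or a bare path, collapse slashes, refuse `..` segments and characters outside the unreserved set) are choices made for this example.

```javascript
// Added example (not project code): derive the router mount path from
// BASE_URL, defaulting to "/" and refusing values that could not be a clean
// path prefix (dot segments, spaces, query strings, ...).

const FLOW_ROUTES = ["/login", "/registration", "/settings", "/recovery", "/verification"];

function normalizeBasePath(raw) {
  if (raw === undefined || raw === null || String(raw).trim() === "") return "/";
  let value = String(raw).trim();
  // A full URL is accepted; only its path component is used.
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) value = new URL(value).pathname;
  if (!value.startsWith("/")) value = "/" + value;
  // Collapse duplicate slashes and drop a trailing one, keeping a bare "/".
  value = value.replace(/\/{2,}/g, "/").replace(/\/+$/, "") || "/";
  if (value.split("/").some((seg) => seg === "." || seg === "..")) {
    throw new Error(`BASE_URL must not contain "." or ".." segments: ${raw}`);
  }
  // Allow only RFC 3986 unreserved characters in each segment.
  if (!/^\/(?:[A-Za-z0-9._~-]+(?:\/[A-Za-z0-9._~-]+)*)?$/.test(value)) {
    throw new Error(`BASE_URL contains characters that are not allowed in a path prefix: ${raw}`);
  }
  return value;
}

// Join the base path with a route: ("/auth", "/login") -> "/auth/login".
function routeUnder(basePath, route) {
  const r = route.startsWith("/") ? route : "/" + route;
  return basePath === "/" ? r : basePath + r;
}

// Summarise what a given BASE_URL would mean for the flow routes.
function describeMount(rawBaseUrl) {
  const basePath = normalizeBasePath(rawBaseUrl);
  return { basePath, routes: FLOW_ROUTES.map((r) => routeUnder(basePath, r)) };
}

// With Express the result is the first argument of app.use(basePath, router);
// the same basePath must also be used when building the redirect targets the
// UI hands to Kratos, or the return trips land outside the prefix.
console.log(describeMount(process.env.BASE_URL));
```

Running with `BASE_URL=/auth/ node mount.js` (assumed file name) prints the prefixed routes; running without the variable prints them under `/`, which is the current behaviour.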

Current master breaks docker-compose example

I am not able to run the current master of this repository in the Docker Compose Quickstart example, instead I see this error message:

kratos-selfservice-ui-node_1  | _http_outgoing.js:535
kratos-selfservice-ui-node_1  |     throw new ERR_HTTP_HEADERS_SENT('set');
kratos-selfservice-ui-node_1  |     ^
kratos-selfservice-ui-node_1  | 
kratos-selfservice-ui-node_1  | Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
kratos-selfservice-ui-node_1  |     at ServerResponse.setHeader (_http_outgoing.js:535:11)
kratos-selfservice-ui-node_1  |     at ServerResponse.header (/usr/src/app/node_modules/express/lib/response.js:771:10)
kratos-selfservice-ui-node_1  |     at ServerResponse.send (/usr/src/app/node_modules/express/lib/response.js:170:12)
kratos-selfservice-ui-node_1  |     at done (/usr/src/app/node_modules/express/lib/response.js:1008:10)
kratos-selfservice-ui-node_1  |     at Immediate._onImmediate (/usr/src/app/node_modules/express-handlebars/lib/utils.js:26:13)
kratos-selfservice-ui-node_1  |     at processImmediate (internal/timers.js:456:21) {
kratos-selfservice-ui-node_1  |   code: 'ERR_HTTP_HEADERS_SENT'
kratos-selfservice-ui-node_1  | }

Internal error when following quickstart (issue with @ory/integrations v0.1.2)

Preflight checklist

Describe the bug

I get an internal server error 500 when attempting to sign in or sign up using this standalone app, together with the kratos service running in Docker (I know I could just use the fully self-contained quickstart version that includes a version of this app already, but I wanted to try this way too (i.e. a separate app), as mentioned in the README, so as to prepare for doing development, then hit this error). Fixed by making a local modification to @ory/integrations as detailed below. Subsequently this app works as expected when served from the host machine whilst running the Kratos quickstart with docker.

Reproducing the bug

  1. Run the quickstart
git clone https://github.com/ory/kratos.git
cd kratos
git checkout v0.9.0-alpha.3
docker-compose -f quickstart.yml -f quickstart-standalone.yml up --build --force-recreate
  2. Kill the standalone ui container
docker container kill <ID of kratos-selfservice-ui-node container>
  3. Build & run the standalone app
git clone https://github.com/ory/kratos-selfservice-ui-node.git
cd kratos-selfservice-ui-node
npm install
npm run build
npm start
  4. Navigate to localhost:4455/welcome and then click on either sign in or sign up (same problem either way): a page reporting that an internal error has occurred, with a pair of empty curly brackets in the text display area.

Relevant log output

Log from `npm start`

TypeError: Cannot read property 'text' of undefined
    at Object.getNodeLabel (/home/tim/sources/kratos-selfservice-ui-node/node_modules/@ory/integrations/src/ui/index.ts:29:31)
    at Object.wrapper (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/internal/wrapHelper.js:10:19)
    at Object.eval (eval at createFunctionContext (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/compiler/javascript-compiler.js:265:23), <anonymous>:13:114)
    at main (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/runtime.js:230:22)
    at ret (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/runtime.js:250:12)
    at ret (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/compiler/compiler.js:548:21)
    at Object.invokePartial (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/runtime.js:405:12)
    at Object.invokePartialWrapper [as invokePartial] (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/runtime.js:82:39)
    at eval (eval at createFunctionContext (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/compiler/javascript-compiler.js:265:23), <anonymous>:10:31)
    at prog (/home/tim/sources/kratos-selfservice-ui-node/node_modules/handlebars/lib/handlebars/runtime.js:333:12)

Relevant configuration

as per quickstart for docker (ignoring the bit about make quickstart-dev which fails due to missing quickstart)

Version

v0.9.0-alpha.3

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Other

Additional Context

@ory/integrations is pinned at v0.1.2 in package.json.

Fixed locally by modifying the function getNodeLabel in node_modules/@ory/integrations/src/ui/index.js

// Local patch to node_modules/@ory/integrations/src/ui/index.js. The
// isUiNode*Attributes type guards are the module's own. Every access to
// node.meta.label / attributes.label is guarded, because a node may carry an
// empty meta object and no label, which is what produced
// "Cannot read property 'text' of undefined".
const getNodeLabel = (node) => {
  const attributes = node.attributes;
  if (isUiNodeAnchorAttributes(attributes)) {
    return attributes.title.text;
  }
  if (isUiNodeImageAttributes(attributes)) {
    if (node.meta.label) {
      return node.meta.label.text;
    }
  }
  if (isUiNodeInputAttributes(attributes)) {
    if (attributes.label) {
      return attributes.label.text;
    }
  }
  if (node.meta.label) {
    return node.meta.label.text;
  }
  return "";
};

I also had a look at just upgrading to the latest version of integrations, but that had a similar issue (although with the TypeScript version it seemed the other way around, with an unneeded use of ?. in a return).

Wondering if the combination of Kratos in docker and standalone UI is an edge case that is not tested, hence these minor issues with handling potentially null values slipped through testing ...?

/favicon.ico results in redirect loop

Describe the bug

When loading the quickstart I can see a large number of 302s for /favicon.ico appear in the stdout logs of the Kratos self-service web UI container.

Probably worth including one or fixing the redirection loop?

To Reproduce

Steps to reproduce the behavior:

  1. Start the quickstart
  2. Navigate to any page

Expected behavior

Kratos self-service UI logs should not be spammed with 'GET /favicon.ico 302'.

Environment

  • latest containers following the quickstart
  • docker 19.03.12
  • on windows

Redirects and wrong headers in hydra integration branch

I already have a working selfservice+hydra+kratos integration in my fork which is based on @jpbogle's fork.

Recently #50 was merged into a new feature branch hydra-integration of upstream and I've been trying to make it work in my domain-based (as opposed to port-based) environment. I've asked a question in #50, but I've since encountered further bugs while debugging and decided to create this issue to avoid discussing them in a PR that is already merged.

So #50 contains a few more bugs similar to #60, but its behaviour is far clearer (thank you @k9ert!): it shows errors instead of looping through redirects infinitely.

Currently I'm working on fixes so just wait for a new PR.

Missing react-is dependency

Preflight checklist

Describe the bug

The self-service UI can't start up. The error is below.

It is easily fixed by adding the react-is dependency with npm install react-is.

Reproducing the bug

  1. clone project
  2. npm install
  3. npm start

Relevant log output

Error: Cannot find module 'react-is'
Require stack:
- /Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/styled-components/dist/styled-components.cjs.js
- /Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/@ory/themes/lib/index.js
- /Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/@ory/themes/css/express.js
- /Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/src/routes/static.ts
- /Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/src/routes/index.ts
- /Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/src/index.ts
    at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)
    at Function.Module._resolveFilename.sharedData.moduleResolveFilenameHook.installedValue [as _resolveFilename] (/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/@cspotcode/source-map-support/source-map-support.js:679:30)
    at Function.Module._load (node:internal/modules/cjs/loader:778:27)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at require (node:internal/modules/cjs/helpers:102:18)
    at Object.<anonymous> (/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/styled-components/dist/styled-components.cjs.js:1:145)
    at Module._compile (node:internal/modules/cjs/loader:1103:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1155:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/styled-components/dist/styled-components.cjs.js',
    '/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/@ory/themes/lib/index.js',
    '/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/node_modules/@ory/themes/css/express.js',
    '/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/src/routes/static.ts',
    '/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/src/routes/index.ts',
    '/Users/user/Projects/Pet/kartka/poc-with-ory-v1/kratos-selfservice-ui-node/src/index.ts'
  ]
}

Relevant configuration

No response

Version

current master branch

On which operating system are you observing this issue?

No response

In which environment are you deploying?

No response

Additional Context

No response

Wrong image for Dockerfile-dev

Preflight checklist

Describe the bug

A small error with Dockerfile-dev: the version of the node image does not exist.
It should be replaced by node:18.0-alpine or node:18-alpine to use the latest node image.

Reproducing the bug

Using Compose to deploy a local stack of Ory Kratos and the UI:

version: '3.7'
services:
  kratos-selfservice-ui-node:
    build:
      context: '[path to the ui project]'
      dockerfile: Dockerfile-dev
    volumes:
      - '[path to the ui project]'
    environment:
      - PORT=4435
      /*...*/

Relevant log output

No response

Relevant configuration

No response

Version

0.10.1

On which operating system are you observing this issue?

No response

In which environment are you deploying?

Docker Compose

Additional Context

No response

Following the doc, I get a 404 error

Preflight checklist

Describe the bug

I have followed the Deploy to production guide:
https://www.ory.sh/docs/kratos/guides/deploy-kratos-example

But I get a 404 Not Found

Reproducing the bug

When running npm start from the /opt/uinode/ui/ folder and accessing http://0.0.0.0:3000, it works, at least for the first page, where I get the "Welcome to Ory" page, but it leads to the https://playground.projects.oryapis.com login.

But using the uinode.service file and the nginx configuration, I get a 404 error.

Relevant log output

No response

Relevant configuration

No response

Version

0.13

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

None

Additional Context

No response

logout page not found

Describe the bug
The logout link on all pages refers to a page that does not exist.

To Reproduce

Steps to reproduce the behavior:

  1. login
  2. Click logout

Expected behavior

Expect to be logged out and redirected to the after-logout page.

Environment

  • Version: v0.6.3-alpha.1
  • Environment: Docker/kubernetes

Additional context

Add any other context about the problem here.

BASE_PATH not used

Preflight checklist

Describe the bug

I'm using kratos-selfservice-ui-node:v0.10.1 and I'm trying to make it accessible in a subpath, i.e. <my-domain>/website, so I'm setting BASE_PATH to /website, but the website is not accessible as it redirects to <my_domain>/welcome. From the codebase it seems like the env variable is unused, or am I missing something? How can I make the website accessible from a subpath?

Reproducing the bug

I'm running the services using docker-compose and Traefik as ingress

version: '2'
services:

  ingress:
    image: traefik:2.7.1
    command:
      - '--api.insecure=true'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--log=true'
      - '--log.level=DEBUG'
    ports:
      - 80:80
      - 8080:8080
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # this is required so Traefik can listen to the Docker events
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api.rule=Host(`localhost`)'
      - 'traefik.http.routers.api.service=api@internal'
  
  kratos-migrate:
    image: oryd/kratos:v0.10.1
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
    volumes:
      - ./sqlite:/var/lib/sqlite
      - ./kratos:/etc/config/kratos:ro
    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
    restart: on-failure

  kratos:
    depends_on:
      - kratos-migrate
    image: oryd/kratos:v0.10.1
    ports:
      - '4433:4433' # public
      - '4434:4434' # admin
    restart: unless-stopped
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
      - LOG_LEVEL=trace
    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
    volumes:
      - ./sqlite:/var/lib/sqlite
      - ./kratos:/etc/config/kratos:ro

  website:
    image: oryd/kratos-selfservice-ui-node:v0.10.1
    environment:
      - KRATOS_PUBLIC_URL=http://kratos:4433/
      # - KRATOS_BROWSER_URL=http://127.0.0.1:4433/
      - PORT=4455
      - SECURITY_MODE=
      - BASE_PATH=/website
      - BASE_URL=/website
    ports:
      - 4455:4455
    restart: on-failure
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.website.rule=Host(`localhost`) && PathPrefix(`/website`)'
      - "traefik.http.routers.website.middlewares=website-strip-prefix@docker"
      - "traefik.http.middlewares.website-strip-prefix.stripprefix.prefixes=/website"
      - "traefik.http.services.website.loadbalancer.server.port=4455"

Relevant log output

No response

Relevant configuration

No response

Version

v0.10.1

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

No response

Submit button address of the signin is incorrect

Preflight checklist

Describe the bug

The submit button address of the user interface is incorrect; kratos-76b4cd684c-fh2hj is the kratos pod name in a k8s cluster. How do I correct it? Creating users has similar problems.

kratos.yaml:

ciphers:
  algorithm: xchacha20-poly1305
cookies:
  domain: caas.fii-fmc.com
  path: /
  same_site: Lax
courier:
  smtp: {}
hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8
identity:
  default_schema_id: default
  schemas:
  - id: default
    url: file:///etc/config/userSchemaJson
log:
  format: text
  leak_sensitive_values: true
  level: debug
selfservice:
  allowed_return_urls:
  - https://foobar.com
  default_browser_return_url: https://foobar.com/
  flows:
    error:
      ui_url: https://foobar.com/error
    login:
      lifespan: 10m
      ui_url: https://foobar.com/login
    logout:
      after:
        default_browser_return_url: https://foobar.com/login
    recovery:
      enabled: true
      ui_url: https://foobar.com/recovery
    registration:
      after:
        password:
          hooks:
          - hook: session
      lifespan: 10m
      ui_url: https://foobar.com/registration
    settings:
      privileged_session_max_age: 15m
      ui_url: https://foobar.com/settings
    verification:
      after:
        default_browser_return_url: https://foobar.com/
      enabled: true
      ui_url: https://foobar.com/verification
  methods:
    password:
      enabled: true
serve:
  admin:
    port: 4434
  public:
    port: 4433

kratos-selfservice-ui-node pod env parameters:

env:
        - name: KRATOS_PUBLIC_URL
          value: http://kratos-public
        - name: KRATOS_BROWSER_URL
          value: https://public.kratos.foobar.com
        - name: PROJECT_NAME
          value: SecureApp
        - name: BASE_URL
        - name: JWKS_URL
          value: http://oathkeeper-api
        - name: KRATOS_ADMIN_URL
          value: http://kratos-admin
        - name: SECURITY_MODE

Reproducing the bug

helm install --debug kratos --dry-run ory/kratos \
  -f kratos.yaml \
  --set-file kratos.identitySchemas.userSchemaJson=user.schema.json
helm install --debug kratos-selfservice-ui-node \
  ory/kratos-selfservice-ui-node

Relevant log output

No response

Relevant configuration

No response

Version

oryd/kratos:v0.10.1 and oryd/kratos-selfservice-ui-node:v0.8.0-alpha.3

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

Face Bug At Login

Getting error when want to login

I have cloned your self-service UI app, ran the Kratos quickstart as the docs said, exported global variables, ran "make quickstart-dev" and ran "npm build" to install node modules. Then I ran npm start and the project started successfully. When the project started it got the login form from the server, but afterwards, when I submit the login button, I face the bug below from the self-service UI app:

(node:27206) UnhandledPromiseRejectionWarning: Error: Request failed with status code 404
at createError (/home/ali/Desktop/edited-kratos-selfservice-ui-node/node_modules/axios/lib/core/createError.js:16:15)
at settle (/home/ali/Desktop/edited-kratos-selfservice-ui-node/node_modules/axios/lib/core/settle.js:17:12)
at IncomingMessage.handleStreamEnd (/home/ali/Desktop/edited-kratos-selfservice-ui-node/node_modules/axios/lib/adapters/http.js:260:11)
at IncomingMessage.emit (events.js:326:22)
at endReadableNT (_stream_readable.js:1241:12)
at processTicksAndRejections (internal/process/task_queues.js:84:21)
(node:27206) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 28)

and this error from Kratos:

kratos_1 | time=2021-07-14T08:32:43Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:131 http_request=map[headers:map[accept:application/json, text/plain, / cookie:i18n_redirected=fa; aHR0cDovLzEyNy4wLjAuMTozMDAwLw_csrf_token=xjOmfnudP7DUD0z89HQgG9OtQbdgisAy/Yt+2cJi6Wg=; aHR0cDovLzEyNy4wLjAuMTo0NDMzLw_csrf_token=FE9C1OR48FnZkl6uFZTpTSKjCdSp+pGjipf4333J5ss=; data={%22id%22:%223235ab92-2865-43c6-8a18-13270eec0313%22%2C%22type%22:%22api%22%2C%22expires_at%22:%222021-07-03T10:38:30.095510129Z%22%2C%22issued_at%22:%222021-07-03T10:28:30.095510129Z%22%2C%22request_url%22:%22http://127.0.0.1:4433/self-service/login/api%22%2C%22ui%22:{%22action%22:%22http://127.0.0.1:4433/self-service/login?flow=3235ab92-2865-43c6-8a18-13270eec0313%22%2C%22method%22:%22POST%22%2C%22nodes%22:[{%22type%22:%22input%22%2C%22group%22:%22default%22%2C%22attributes%22:{%22name%22:%22csrf_token%22%2C%22type%22:%22hidden%22%2C%22value%22:%22%22%2C%22required%22:true%2C%22disabled%22:false}%2C%22messages%22:null%2C%22meta%22:{}}%2C{%22type%22:%22input%22%2C%22group%22:%22password%22%2C%22attributes%22:{%22name%22:%22password_identifier%22%2C%22type%22:%22text%22%2C%22value%22:%22%22%2C%22required%22:true%2C%22disabled%22:false}%2C%22messages%22:null%2C%22meta%22:{%22label%22:{%22id%22:1070004%2C%22text%22:%22ID%22%2C%22type%22:%22info%22}}}%2C{%22type%22:%22input%22%2C%22group%22:%22password%22%2C%22attributes%22:{%22name%22:%22password%22%2C%22type%22:%22password%22%2C%22required%22:true%2C%22disabled%22:false}%2C%22messages%22:null%2C%22meta%22:{%22label%22:{%22id%22:1070001%2C%22text%22:%22Password%22%2C%22type%22:%22info%22}}}%2C{%22type%22:%22input%22%2C%22group%22:%22password%22%2C%22attributes%22:{%22name%22:%22method%22%2C%22type%22:%22submit%22%2C%22value%22:%22password%22%2C%22disabled%22:false}%2C%22messages%22:null%2C%22meta%22:{%22label%22:{%22id%22:1010001%2C%22text%22:%22
Sign%20in%22%2C%22type%22:%22info%22%2C%22context%22:{}}}}]}%2C%22forced%22:false}; ory_kratos_session=MTYyNjI1MTIwNnxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJR1JLVmtKR1ZFWmlOVWRXWVZscmNXRm5WVXBGZDFOcmRsTnVTekpyT1ZCT3z_UP5VRPCy4Ej2WxffQUZwFgIgS0Tc0XefztVTHLdVuA== user-agent:axios/0.21.1] host:127.0.0.1:4433 method:GET path:/self-service/logout/browser query: remote:172.20.0.1:47356 scheme:http]

I am new to TypeScript and Go so I do not know what these errors mean, but I guess there is something wrong with my ts version or node_modules.

Checkbox label is missing required indicator

Preflight checklist

Describe the bug

ory/network#97

Reproducing the bug

Create a project with schema:


{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.username.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "title": "Username",
          "maxLength": 100,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              }
            }
          }
        },
        "accepted_tos": {
          "const": true,
          "title": "Accept terms and conditions"
        }
      },
      "required": [
        "username",
        "accepted_tos"
      ],
      "additionalProperties": false
    }
  }
}

Go to the managed UI registration page

Relevant log output

No response

Relevant configuration

No response

Version

master

On which operating system are you observing this issue?

No response

In which environment are you deploying?

No response

Additional Context

No response

Reiterate Design

Especially the error messages on the login/registration screen need to be designed:
Screenshot from 2020-01-21 12-08-24

Welcome redirect is not working properly when BASE_PATH is configured

Preflight checklist

Describe the bug

The welcome first redirect is not working correctly when BASE_PATH is configured.
It is redirecting to the application without the BASE_PATH, e.g. /welcome instead of /BASE_PATH/welcome.

Reproducing the bug

Set BASE_PATH to "/auth" and access the application; you are supposed to be redirected to /auth/welcome, but the application redirects to /welcome only.

Relevant log output

No response

Relevant configuration

No response

Version

v0.13.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response
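The two BASE_PATH reports above (the /website subpath issue and this /auth/welcome redirect) describe the same missing step: every app-relative redirect target has to be prefixed with the configured base path. As an added example that is not the project's own route code, the helpers below normalise BASE_PATH, join it with a relative path, and build the redirect target from an env-like object; `normalizeBasePath`, `withBasePath` and `makeRedirectTarget` are hypothetical names chosen for this illustration.

```javascript
// Added example (not kratos-selfservice-ui-node code): build redirect
// targets that honour BASE_PATH so /welcome becomes /auth/welcome when
// BASE_PATH=/auth. Function names are assumptions for this illustration.

// Normalise a configured BASE_PATH: unset, "" or "/" become "", anything
// else gets exactly one leading slash and no trailing slash.
function normalizeBasePath(basePath) {
  const cleaned = (basePath ?? "")
    .trim()
    .replace(/\/+$/, "")   // drop trailing slashes
    .replace(/^\/*/, "/"); // collapse leading slashes to one
  return cleaned === "/" ? "" : cleaned;
}

// Join a base path with an app-relative path. Only relative paths are
// accepted: a scheme ("https:") or a protocol-relative prefix ("//") is
// rejected so the redirect always stays on this origin.
function withBasePath(basePath, path) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(path) || path.startsWith("//")) {
    throw new Error(`withBasePath: refusing absolute URL ${path}`);
  }
  const rel = path.startsWith("/") ? path : `/${path}`;
  return `${normalizeBasePath(basePath)}${rel}`;
}

// Reads BASE_PATH once (as from process.env) and returns a builder for
// res.redirect() targets, e.g. res.redirect(target("/welcome")).
function makeRedirectTarget(env) {
  const base = normalizeBasePath(env.BASE_PATH);
  return (path) => withBasePath(base, path);
}

// Reproduces the cases from the reports: BASE_PATH=/auth, BASE_PATH unset,
// and BASE_PATH=/website with a relative path lacking a leading slash.
function demo() {
  const withAuth = makeRedirectTarget({ BASE_PATH: "/auth" });
  const unset = makeRedirectTarget({});
  return {
    withAuth: withAuth("/welcome"),           // "/auth/welcome"
    unset: unset("/welcome"),                 // "/welcome"
    website: withBasePath("/website/", "login"), // "/website/login"
  };
}
```

When the UI sits behind a prefix-stripping proxy such as the Traefik `stripprefix` middleware in the compose file above, the app still needs the prefix for the Location header it sends back, which is exactly what `makeRedirectTarget` supplies.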

Register page "Sign in" button wrong redirect

Preflight checklist

Describe the bug

The "Sign in" button on the Registration page is redirecting to the wrong URL. It's redirecting to the apiBaseUrl/login where it should be the kratosBrowserUrl/login, or at least that's how it is in the other pages.

Reproducing the bug

Host the self-service UI in a sub-path. Go to the login page, click the "Create account" button and then click the "Sign in" button. You are redirected to 127.0.0.1:4455/login instead of 127.0.0.1:4455/{sub-path}/login.

Relevant log output

no log error

Relevant configuration

services:
  #...
  kratos-selfservice-ui-node:
    image: oryd/kratos-selfservice-ui-node:v0.8.0-alpha.3
    environment:
      - PORT=4455
      - KRATOS_PUBLIC_URL=http://kratos:4433/
      - KRATOS_BROWSER_URL=http://127.0.0.1/.ory/kratos/public/
      - JWKS_URL=http://oathkeeper:3001/.well-known/jwks.json
      - SECURITY_MODE=jwks
    networks:
      - intranet
    restart: on-failure

  kratos:
    image: oryd/kratos:v0.8.0-alpha.3-sqlite
    depends_on:
      - kratos-migrate
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
      - LOG_LEVEL=trace
      - SERVE_PUBLIC_BASE_URL=http://127.0.0.1/.ory/kratos/public/
    command: serve -c "/etc/config/kratos/kratos.yml" --dev --watch-courier
    volumes:
      - type: volume
        source: "kratos-sqlite"
        target: "/var/lib/sqlite"
        read_only: false
      - type: bind
        source: "./config/kratos"
        target: "/etc/config/kratos"
    restart: unless-stopped
    networks:
      - intranet
   #...

Version

v0.8.0-alpha.3

On which operating system are you observing this issue?

No response

In which environment are you deploying?

Docker Compose

Additional Context

No response

Use nonce attribute when loading scripts

Preflight checklist

Describe your problem

In the Handlebars template for scripts you could add a nonce attribute and at the same time use a CSP header to only allow scripts to be loaded that carry the correct nonce.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script#attr-nonce

Describe your ideal solution

Implement a nonce in scripts and set the CSP header accordingly.

Workarounds or alternatives

None known

Version

current

Additional Context

No response

UnauthorizedError: secret or public key must be provided

Describe the bug

I set up Oathkeeper, Kratos, and the Self Service UI using the Zero Trust with IAP Proxy guide in our testing environment. I am able to log in a user using OIDC (as reflected in the Kratos /identities API). But I get an error on the /dashboard page in the Self Service UI. Here's the error log from the Self Service UI:

UnauthorizedError: secret or public key must be provided
  at /usr/src/app/node_modules/express-jwt/lib/index.js:105:22
  at /usr/src/app/node_modules/jsonwebtoken/verify.js:106:14
  at getSecret (/usr/src/app/node_modules/jsonwebtoken/verify.js:90:14)
  at Object.module.exports [as verify] (/usr/src/app/node_modules/jsonwebtoken/verify.js:94:10)
  at verifyToken (/usr/src/app/node_modules/express-jwt/lib/index.js:103:13)
  at fn (/usr/src/app/node_modules/async/lib/async.js:746:34)
  at /usr/src/app/node_modules/async/lib/async.js:1213:16
  at /usr/src/app/node_modules/async/lib/async.js:166:37
  at /usr/src/app/node_modules/async/lib/async.js:706:43
  at /usr/src/app/node_modules/async/lib/async.js:167:37

To Reproduce

Here is my current config for kratos-selfservice-ui-node:

HOST=<domain name here>

KRATOS_PUBLIC_URL=http://kratos:4433/
KRATOS_ADMIN_URL=http://kratos:4434/
BASE_URL=https://$HOST
SECURITY_MODE=jwt
JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json
KRATOS_BROWSER_URL=https://$HOST/.ory/kratos/public

The error log makes me think it's a problem with the JWKS_URL setting, but it appears to be set correctly. I also can ping the /.well-known/jwks.json URL manually just fine.

I also noticed that the Kratos self-service UI /debug endpoint in testing does show the expected Authorization header as well as the ory_kratos_session cookie. So the UI does seem to be processing the auth correctly, and it seems like it could just be a display issue with the self-service UI?

Do you guys know any better ways to debug further or have any ideas what could be causing this particular error?

Expected behavior

I expect to see the dashboard like I was able to do locally with the standalone Kratos quickstart.

Environment

Oathkeeper: v0.38.3
Kratos: v0.4.6
Self Service UI: v0.4.6
