Configuring Kratos for Authentication

[Sc0rpi0n101]

Hey folks,

I've recently come across Kratos and I want to use it to handle user management for my app.
While testing with the default configuration provided in the quickstart, after completing the login flow for browsers, I received a session cookie.

I have various microservices which would need to authenticate the user on their own. I want to authenticate the user using the whoami endpoint, which requires the cookie and an Authorization token in the request header. If I send a request without an Authorization token, it throws an Unauthorized error.

But I don't receive an authorization token from the self-service flow anywhere. Do I have to configure it somewhere or something, or is there any other way to fix this?

[Benehiko]

Hi @Sc0rpi0n101

How are you calling the /whoami endpoint?
According to our docs

Reverse proxies and API Gateways Server-side calls - use the X-Session-Token header!

[linfengOu]

Hi @Benehiko ,

Got similar question here - trying to protect some endpoints in my go server with a middleware (code at bottom). Detailed flow as below:

1. login via browser (Kratos quickstart)
2. UI sends a request to a private endpoint provided by my go server
3. http middleware in go server validates if request is with a session, by calling /whoami, with cookie read from request

The kratos go client ToSession API seems doesn't accept session cookie at all, though it's describe here: client-go readme

Note, each API key must be added to a map of map[string]APIKey where the key is: ory_kratos_session and passed in as the auth context for each request.

So questions:

1. can this scenario use session cookie to call /whoami ? if yes, then how?
2. if session token must be used, then where to get session token?

Many thanks!

func Auth() gin.HandlerFunc {
	return func(c *gin.Context) {
		// before request
		configuration := client.NewConfiguration()
		configuration.Servers[0].URL = "http://127.0.0.1:4433"
		configuration.Servers[0].Description = "local test Kratos"
		apiClient := client.NewAPIClient(configuration)
		
		// read cookie
		sessionKey, err := c.Cookie("ory_kratos_session")
		if err != nil {
			fmt.Fprintf(os.Stderr, "No ory_kratos_session found")
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"Message": "Unauthorized"})
			return
		}

		// format APIKey as described in kratos-client-go
		apiKeys := map[string]client.APIKey{
			"ory_kratos_session": {Key: sessionKey},
		}

		session, resp, err := apiClient.PublicApi.ToSession(context.WithValue(c.Request.Context(), client.ContextAPIKeys, apiKeys)).Execute()

		if err != nil {
			fmt.Fprintf(os.Stderr, "Error when calling `PublicApi.ToSession`: %v\n", err)
			fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", resp)
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"Message": "Unauthorized"})
			return
		}
		c.Set("session", session)

		c.Next()
		// after request
		// ...
	}
}

[Benehiko]

Hi @linfengOu @Sc0rpi0n101

I believe this might be related to #1398

You could probably do this without the kratos go client, you just need to make a request to the /whoami endpoint using the net/http package.