
CSRF value not present in session cookie in ory hydra login flow #1280

Closed
KishanRavindran opened this issue Feb 8, 2019 · 8 comments

@KishanRavindran

KishanRavindran commented Feb 8, 2019

Hi All,
I am trying to get an access token value with just the login function. I have followed the steps in this URL (https://github.com/ory/hydra-login-consent-node). I have my login form in Angular 6 and the backend is a Node service.
The login service is:

```js
// Requires added so the snippet runs on its own; the original omitted them.
var express = require('express');
var hydra = require('./services/hydra');   // admin API helper from hydra-login-consent-node
var csrftoken = require('csrf-token');     // assumed: csrf-token package, create(secret) -> Promise<token>

var app = express.Router();

// GET /login?login_challenge=... : Hydra redirects the browser here.
app.get('/', function (req, res, next) {
    var challenge = req.query.login_challenge;

    hydra.getLoginRequest(challenge).then(function (response) {
        if (response.skip) {
            // Hydra already knows this user: accept right away and send the browser on.
            return hydra.acceptLoginRequest(challenge, {
                subject: response.subject
            }).then(function (response) {
                res.redirect(response.redirect_to);
            });
        } else {
            // Hand the challenge and a fresh CSRF token to the Angular form as JSON.
            // Returned so the outer .catch() also covers a rejected token promise.
            return csrftoken.create('generate csrf token here').then(function (token) {
                console.log('entering into else part');
                res.status(200).send({
                    challenge: challenge,
                    csrfToken: token
                });
            });
        }
    }).catch(function (error) {
        next(error);
    });
});

// POST /login : credentials submitted by the frontend (hard-coded admin/admin check).
app.post('/', function (req, res, next) {
    var challenge = req.body.challenge;

    if (!(req.body.username === 'admin' && req.body.password === 'admin')) {
        res.send('login?' + challenge);
        return;
    }

    hydra.acceptLoginRequest(challenge, {
        subject: 'admin'
    }).then(function (response) {
        // Redirects the caller to Hydra's /oauth2/auth with the login_verifier.
        res.redirect(response.redirect_to);
    }).catch(function (error) {
        next(error);
    });
});

module.exports = app;
```

I am able to do the login and get a login challenge value (http://localhost:4200/login?login_challenge=546dc17d7cab452a86608ea4d4f2f4db).

After I enter the login creds and click login, it is doing this API call:

http://localhost:4444/oauth2/auth?client_id=test-client&login_verifier=6f7a9cbee5cb45e4bc475367f75e0f00&max_age=0&nonce=kzjgtoephiovcowucidxzign&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A4446%2Fcallback&response_type=code&scope=openid+offline&state=hogacxsaujnbbngilccwijny

Also, when I check the console I found this:

Access to XMLHttpRequest at 'http://localhost:4444/oauth2/auth?client_id=test-client&login_verifier=a35c8536d07849ce95b715b0ad85e069&max_age=0&nonce=kyiherpwruvnolvxercwahvw&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A4446%2Fcallback&response_type=code&scope=offline&state=virnuionfneembdfdqduoezy' (redirected from 'http://localhost:8080/login') from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

It is going out as an OPTIONS call and not a GET call, so I tried the above URL in Postman with a GET request, and this is the response I am getting in Postman:

```html
<html>
    <body>
        <h1>An error occurred</h1>
        <h2>request_forbidden</h2>
        <p>The request is not allowed</p>
        <p>No CSRF value available in the session cookie</p>
    </body>
</html>
```

Can someone tell me what I am doing wrong here? What I am trying to do is to get an access token value with just the login function. Any help is much appreciated; I have been banging at this issue for the past three days.

@KishanRavindran KishanRavindran changed the title CSRF value available in session cookie in ory hydra login flow CSRF value not available in session cookie in ory hydra login flow Feb 8, 2019
@KishanRavindran KishanRavindran changed the title CSRF value not available in session cookie in ory hydra login flow CSRF value not present in session cookie in ory hydra login flow Feb 8, 2019
@aeneasr
Member

aeneasr commented Feb 8, 2019

Seems like you're confusing some of the requests and doing AJAX requests where the browser should be used. Feel free to ask in the chat or community forums for more guidance :)

@aeneasr aeneasr closed this as completed Feb 8, 2019
@KishanRavindran
Author

KishanRavindran commented Feb 8, 2019

Hi @aeneasr, can you please elaborate on "some of the requests and doing AJAX requests where the browser should be used"? What I am trying to do is just a login token which can communicate with Ory Hydra and return me an access token for that. And I have posted this question in the community: https://community.ory.sh/t/can-consent-flow-be-done-without-csrf-token/926

@aeneasr
Member

aeneasr commented Feb 8, 2019

You're calling the OAuth2 auth URL from AJAX (thus CORS); that's not how OAuth2 works. Check the docs: https://www.ory.sh/docs/hydra/oauth2#the-flow-from-a-user-s-point-of-view

Please note that issues are not intended for general advice or support but only for technical issues in the project, not the depending implementation.

@KishanRavindran
Author

Hi @aeneasr, I have gone through the link which you have given, and I find that I am stuck in the part where, after the user logs in successfully, how to make a call to the http://hydra/oauth2/auth?client_id URL. Can you please guide me?

@KishanRavindran
Author

I figured this out. I don't know how I missed this; so embarrassed.

@meysam81

meysam81 commented May 6, 2019

> I figured this out. I don't know how I missed this; so embarrassed.

How did you solve this, @KishanRavindran? I am stuck too.

@KishanRavindran
Author

> > I figured this out. I don't know how I missed this; so embarrassed.
>
> How did you solve this, @KishanRavindran? I am stuck too.

Sorry for the late reply, meysam81.
I solved this issue by sending the URL to the frontend and making a window.open() call for the URL. As aeneasr mentioned, we can't make an AJAX call. We should handle it in the front end.

@naresh229

@KishanRavindran, you mean we need to send the loginAccept to Hydra from the back end, and the response from Hydra contains a redirect URL which we need to forward to the front end, where we open a window with the redirect URL?
