Oathkeeper returns encoded cookie
c0d3rm0n opened this issue · comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
I'm creating a system composed by 3 parts:
1 - Kratos (password)
2 - Oathkeeper
3 - Next.js server (v14 - app router)
Access to NextJS app and it is URLs are managed via Oathkeeper with cookie_session authenticator.
As all the Kratos flows handled on server side using NextJS server actions, then time to time, we have issue, when raw cookie_session created by Kratos have special chars, like "=". Which get encoded to "%3D" by NextJS.
Oathkeeper take it as is and pass to Kratos to verify cookie_session, and of course it fail.
Is there any way to config Oathkeeper type of cookie conversion: raw or encoded? So, when it is URI encoded it will decode it and already modified.
Or maybe there is something else you would recommend to be able to overcome this problem?
Reproducing the bug
1 - In browser, open login page from Next.js server
2 - Render the login form and enter valid login details
3 - Submit that form using a server action
4 - The server action will set the session cookie and redirect to a home page, for example. That page must be protected by a cookie session authentication service.
In step 4, the session will not be valid as the cookie initially sent by Kratos will not match the one received from Oathkeeper.
Relevant log output
No response
Relevant configuration
Kratos 1.0.0 / 1.1.0
Oathkeeper 0.40.7
Version
Oathkeeper 0.40.7
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response