I'm creating a system composed by 3 parts:
1 - Kratos (password)
2 - Oathkeeper
3 - Next.js server (v14 - app router)
Access to the NextJS app and its URLs is managed via Oathkeeper with the cookie_session authenticator.
As all the Kratos flows are handled on the server side using NextJS server actions, from time to time we have an issue when the raw cookie_session created by Kratos has special chars, like "=", which get encoded to "%3D" by NextJS.
Oathkeeper takes it as is and passes it to Kratos to verify the cookie_session, and of course it fails.
Is there any way to configure in Oathkeeper the type of cookie conversion: raw or encoded? So, when it is URI encoded, it would decode it and send it already modified.
Or maybe there is something else you would recommend to be able to overcome this problem?
Reproducing the bug
1 - In browser, open login page from Next.js server
2 - Render the login form and enter valid login details
3 - Submit that form using a server action
4 - The server action will set the session cookie and redirect to a home page, for example. That page must be protected by a cookie session authentication service.
In step 4, the session will not be valid as the cookie initially sent by Kratos will not match the one received from Oathkeeper.
Relevant log output
No response
Relevant configuration
Kratos 1.0.0 / 1.1.0 Oathkeeper 0.40.7
Version
Oathkeeper 0.40.7
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
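As an added illustration (not code from this issue, nor from Ory or Next.js), the following models the mismatch the report describes and a guarded decode step that a forwarding layer could apply before handing the cookie to Kratos. The cookie value is constructed, and the assumption that Next.js serialises cookie values with encodeURIComponent is the reporter's observation ("=" becomes "%3D"), not verified against Next.js source here.

```javascript
// Added example (not from the issue or the Ory projects): the "=" -> "%3D"
// mismatch between what Kratos issued and what Oathkeeper forwards, plus a
// round-trip-guarded decode that leaves genuinely raw values untouched.

// Constructed sample of a Kratos-style session cookie value; the trailing
// "==" is base64 padding, which is where the "=" characters come from.
const ISSUED_BY_KRATOS = "MTcwOTg1NjAwMHxEdi1CQkFFQ180SUFBUkFCRUFBQVpQPT0==";

// What the browser ends up storing after the Next.js server action sets the
// cookie (assumed encodeURIComponent behaviour, as observed in the report).
function encodeLikeNextJs(value) {
  return encodeURIComponent(value); // "=" -> "%3D"
}

// Decode a forwarded cookie value only when it is unambiguously percent-encoded:
// it must contain an escape, decode cleanly, and re-encode to the identical
// string. A value that merely happens to contain "%" or mixes encoded and raw
// characters is passed through unchanged, so nothing is double-decoded.
function normalizeSessionCookie(forwarded) {
  if (!/%[0-9A-Fa-f]{2}/.test(forwarded)) return forwarded;
  let decoded;
  try {
    decoded = decodeURIComponent(forwarded);
  } catch {
    return forwarded; // malformed escape: leave it to Kratos to reject
  }
  return encodeURIComponent(decoded) === forwarded ? decoded : forwarded;
}

// Stand-in for the Kratos whoami check: the session is accepted only if the
// forwarded value matches the issued value byte for byte.
function kratosAccepts(cookieValue) {
  return cookieValue === ISSUED_BY_KRATOS;
}

// Reproduces step 4 of the report: forwarding as-is fails, normalised succeeds.
function demo() {
  const stored = encodeLikeNextJs(ISSUED_BY_KRATOS);
  return {
    stored,
    forwardedAsIs: kratosAccepts(stored),                                 // false
    forwardedNormalized: kratosAccepts(normalizeSessionCookie(stored)),   // true
  };
}
```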