
Unable to link accounts when logging in via an OIDC generic provider (Okta) #3635

Closed
5 tasks done
modulitos opened this issue Nov 22, 2023 · 3 comments
Labels
bug Something is not working.

Comments


modulitos commented Nov 22, 2023

Preflight checklist

Ory Network Project

No response

Describe the bug

I'm following these docs for a generic provider (Okta in this case): https://www.ory.sh/docs/kratos/social-signin/generic

and I have my app redirecting to the following URL to sign in via Okta:
https://my-okta-login.example.com/oauth2/v1/authorize?client_id=${oidcClientId}&redirect_uri=${publicKratosBaseUrl}/self-service/methods/oidc/callback/okta-test&response_type=code&scope=email+profile+openid&state=ZDNmYjk2NzktZmUyMS00NTY1LThjNGUtYjg5MzVjNGY1OTJmOnNvbWVkYXRh

A couple of things to note about this URL:

  1. The redirect_uri is using the Kratos endpoint: <kratos-public-url>/self-service/methods/oidc/callback/okta-test which is not documented in the Kratos HTTP API docs, but is referenced in the social-sign-in troubleshooting page
  2. I'm not sure what to use for the state parameter, so I created a string via echo -n "d3fb9679-fe21-4565-8c4e-b8935c4f592f:somedata" | basenc --base64url which outputs ZDNmYjk2NzktZmUyMS00NTY1LThjNGUtYjg5MzVjNGY1OTJmOnNvbWVkYXRh used in the URL

But after logging into Okta, I'm seeing the following error in the Kratos logs and no Kratos cookies are set:

level=error msg=An error occurred and is being forwarded to the error user interface. func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/helper.go:125 audience=application error=map[debug: message:Unable to locate the resource reason: stack_trace:...

I posted this question on the Ory slack #talk-kratos channel:
https://ory-community.slack.com/archives/C012RJ2MQ1H/p1700644210740809
and I was recommended to file this bug report.

Reproducing the bug

Repro:

  1. Run Kratos with the config specified below
  2. Configure an Okta application, which specifies the following redirect uri: http://127.0.0.1:4433/self-service/methods/oidc/callback/okta-test and OIDC login
  3. Navigate to our "webapp" (hosted on http://127.0.0.1:8091, in this case). It's basically an HTML page with a "login" button that redirects to: https://my-okta-login.example.com/oauth2/v1/authorize?client_id=${oidcClientId}&redirect_uri=${publicKratosBaseUrl}/self-service/methods/oidc/callback/okta-test&response_type=code&scope=email+profile+openid&state=ZDNmYjk2NzktZmUyMS00NTY1LThjNGUtYjg5MzVjNGY1OTJmOnNvbWVkYXRh
  4. We are redirected to the Okta sign-in page. Complete the Okta login.
  5. The browser redirects (302) to http://127.0.0.1:4433/self-service/methods/oidc/callback/okta-test?code=<code>&state=<state>

Expected:
I would expect a redirect to my app, on http://127.0.0.1:8091, with some kind of cookies set that contain my Okta credentials. Perhaps a ory_kratos_session cookie?

Or perhaps some kind of hook should be called, where I have the opportunity to store an access code as a cookie.

Actual:
Kratos handles that self-service/methods/oidc/callback/okta-test endpoint, which outputs the logs below, including an error like No active session was found in this request, and returns a 303 which redirects the browser to http://127.0.0.1:4455/error?id=<error-uuid>

The browser renders an error message (see attached screenshot)

[attached screenshot: screenshot_1700645219]

Relevant log output

kratos-kratos-selfservice-ui-node-1  |
kratos-kratos-selfservice-ui-node-1  | > @ory/[email protected] serve
kratos-kratos-selfservice-ui-node-1  | > node lib/index.js
kratos-kratos-selfservice-ui-node-1  |
kratos-kratos-1                      | time=2023-11-22T18:59:15Z level=warning msg=
kratos-kratos-1                      |
kratos-kratos-1                      | YOU ARE RUNNING Ory KRATOS IN DEV MODE.
kratos-kratos-1                      | SECURITY IS DISABLED.
kratos-kratos-1                      | DON'T DO THIS IN PRODUCTION!
kratos-kratos-1                      |
kratos-kratos-1                      |  func=github.com/ory/kratos/cmd/serve.NewServeCmd.func1 file=/project/cmd/serve/root.go:32 audience=application service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-1                      | time=2023-11-22T18:59:15Z level=info msg=Courier worker started. func=github.com/ory/kratos/cmd/courier.Watch file=/project/cmd/courier/watch.go:94 audience=application service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-1                      | time=2023-11-22T18:59:15Z level=info msg=Software quality assurance features are enabled. Learn more at: https://www.ory.sh/docs/ecosystem/sqa func=github.com/ory/x/metricsx.New file=/go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:176 audience=application service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-1                      | time=2023-11-22T18:59:15Z level=info msg=TLS has not been configured for admin, skipping func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/helper.go:125 audience=application service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-1                      | time=2023-11-22T18:59:15Z level=info msg=TLS has not been configured for public, skipping func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/helper.go:125 audience=application service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-1                      | time=2023-11-22T18:59:15Z level=info msg=Starting the admin httpd on: 0.0.0.0:4434 func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/helper.go:125 audience=application service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-1                      | time=2023-11-22T18:59:15Z level=info msg=Starting the public httpd on: 0.0.0.0:4433 func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/helper.go:125 audience=application service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-selfservice-ui-node-1  | Listening on http://0.0.0.0:4455
kratos-kratos-1                      | time=2023-11-22T19:00:25Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:134 http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 connection:keep-alive dnt:1 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0] host:127.0.0.1:4433 method:GET path:/self-service/methods/oidc/callback/okta-test query:code=XJshBwJROsCCb1xymn7PfAr8YmXGLpPVvn9DbD-veng&state=ZDNmYjk2NzktZmUyMS00NTY1LThjNGUtYjg5MzVjNGY1OTJmOnNvbWVkYXRh remote:172.19.0.1:52554 scheme:http]
kratos-kratos-1                      | time=2023-11-22T19:00:25Z level=error msg=An error occurred and is being forwarded to the error user interface. func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/[email protected]/logrusx/helper.go:125 audience=application error=map[debug: message:Unable to locate the resource reason: stack_trace:
kratos-kratos-1                      | github.com/ory/x/sqlcon.HandleError
kratos-kratos-1                      |  /go/pkg/mod/github.com/ory/[email protected]/sqlcon/error.go:76
kratos-kratos-1                      | github.com/ory/kratos/persistence/sql.(*Persister).GetSettingsFlow
kratos-kratos-1                      |  /project/persistence/sql/persister_settings.go:40
kratos-kratos-1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateFlow
kratos-kratos-1                      |  /project/selfservice/strategy/oidc/strategy.go:262
kratos-kratos-1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback
kratos-kratos-1                      |  /project/selfservice/strategy/oidc/strategy.go:293
kratos-kratos-1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback
kratos-kratos-1                      |  /project/selfservice/strategy/oidc/strategy.go:377
kratos-kratos-1                      | github.com/ory/kratos/selfservice/strategy.disabledWriter
kratos-kratos-1                      |  /project/selfservice/strategy/handler.go:28
kratos-kratos-1                      | github.com/ory/kratos/selfservice/strategy.IsDisabled.func1
kratos-kratos-1                      |  /project/selfservice/strategy/handler.go:33
kratos-kratos-1                      | github.com/ory/kratos/x.NoCacheHandle.func1
kratos-kratos-1                      |  /project/x/nocache.go:21
kratos-kratos-1                      | github.com/ory/kratos/x.NoCacheHandle.func1
kratos-kratos-1                      |  /project/x/nocache.go:21
kratos-kratos-1                      | github.com/julienschmidt/httprouter.(*Router).ServeHTTP
kratos-kratos-1                      |  /go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387
kratos-kratos-1                      | github.com/ory/nosurf.(*CSRFHandler).handleSuccess
kratos-kratos-1                      |  /go/pkg/mod/github.com/ory/[email protected]/handler.go:234
kratos-kratos-1                      | github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
kratos-kratos-1                      |  /go/pkg/mod/github.com/ory/[email protected]/handler.go:191
kratos-kratos-1                      | github.com/urfave/negroni.Wrap.func1
kratos-kratos-1                      |  /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
kratos-kratos-1                      | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
kratos-kratos-1                      | github.com/urfave/negroni.middleware.ServeHTTP
kratos-kratos-1                      |  /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
kratos-kratos-1                      | github.com/ory/kratos/x.glob..func1
kratos-kratos-1                      |  /project/x/clean_url.go:15
kratos-kratos-1                      | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
kratos-kratos-1                      | github.com/urfave/negroni.middleware.ServeHTTP
kratos-kratos-1                      |  /go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
kratos-kratos-1                      | net/http.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /usr/local/go/src/net/http/server.go:2122
kratos-kratos-1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
kratos-kratos-1                      |  /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:284
kratos-kratos-1                      | net/http.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /usr/local/go/src/net/http/server.go:2122
kratos-kratos-1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
kratos-kratos-1                      |  /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:142
kratos-kratos-1                      | net/http.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /usr/local/go/src/net/http/server.go:2122
kratos-kratos-1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
kratos-kratos-1                      |  /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:92
kratos-kratos-1                      | net/http.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /usr/local/go/src/net/http/server.go:2122
kratos-kratos-1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
kratos-kratos-1                      |  /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:104
kratos-kratos-1                      | net/http.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /usr/local/go/src/net/http/server.go:2122
kratos-kratos-1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
kratos-kratos-1                      |  /go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:234
kratos-kratos-1                      | net/http.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /usr/local/go/src/net/http/server.go:2122
kratos-kratos-1                      | github.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1
kratos-kratos-1                      |  /go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:115
kratos-kratos-1                      | net/http.HandlerFunc.ServeHTTP
kratos-kratos-1                      |  /usr/local/go/src/net/http/server.go:2122
kratos-kratos-1                      | github.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP
kratos-kratos-1                      |  /go/pkg/mod/github.com/ory/[email protected]/prometheusx/middleware.go:41 status:Not Found status_code:404] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 connection:keep-alive dnt:1 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0] host:127.0.0.1:4433 method:GET path:/self-service/methods/oidc/callback/okta-test query:code=XJshBwJROsCCb1xymn7PfAr8YmXGLpPVvn9DbD-veng&state=ZDNmYjk2NzktZmUyMS00NTY1LThjNGUtYjg5MzVjNGY1OTJmOnNvbWVkYXRh remote:172.19.0.1:52554 scheme:http] service_name=Ory Kratos service_version=v1.0.0
kratos-kratos-1                      | time=2023-11-22T19:00:25Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:146 http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 connection:keep-alive dnt:1 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0] host:127.0.0.1:4433 method:GET path:/self-service/methods/oidc/callback/okta-test query:code=XJshBwJROsCCb1xymn7PfAr8YmXGLpPVvn9DbD-veng&state=ZDNmYjk2NzktZmUyMS00NTY1LThjNGUtYjg5MzVjNGY1OTJmOnNvbWVkYXRh remote:172.19.0.1:52554 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:text/html; charset=utf-8 location:http://127.0.0.1:4455/error?id=1e860dca-adbd-4ee6-aaeb-39d6b13bff58 set-cookie:[csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=3RYG/TmlMxLhHqJaX1cvmcvgfTzANqgM2INX6QyDVEw=; Path=/; Max-Age=31536000; HttpOnly; SameSite=Lax] vary:Origin] size:94 status:303 text_status:See Other took:24.580064ms]
kratos-kratos-1                      | time=2023-11-22T19:00:25Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:134 http_request=map[headers:map[accept:application/json, text/plain, */* connection:close user-agent:axios/0.21.4] host:kratos:4433 method:GET path://self-service/errors query:id=1e860dca-adbd-4ee6-aaeb-39d6b13bff58 remote:172.19.0.7:48376 scheme:http]
kratos-kratos-1                      | time=2023-11-22T19:00:25Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:146 http_request=map[headers:map[accept:application/json, text/plain, */* connection:close user-agent:axios/0.21.4] host:kratos:4433 method:GET path:/self-service/errors query:id=1e860dca-adbd-4ee6-aaeb-39d6b13bff58 remote:172.19.0.7:48376 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 set-cookie:[csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=vuWiuXdIfvZFHCVdnZBWGy5NK2/oReQ5CUdDJOnYbz0=; Path=/; Max-Age=31536000; HttpOnly; SameSite=Lax] vary:Origin] size:216 status:200 text_status:OK took:14.533829ms]
kratos-kratos-selfservice-ui-node-1  | {"level":"info","message":"HTTP GET /error?id=1e860dca-adbd-4ee6-aaeb-39d6b13bff58","meta":{"req":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.5","connection":"keep-alive","cookie":"csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=3RYG/TmlMxLhHqJaX1cvmcvgfTzANqgM2INX6QyDVEw=","dnt":"1","host":"127.0.0.1:4455","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"cross-site","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0"},"httpVersion":"1.1","method":"GET","originalUrl":"/error?id=1e860dca-adbd-4ee6-aaeb-39d6b13bff58","query":{"id":"1e860dca-adbd-4ee6-aaeb-39d6b13bff58"},"url":"/error?id=1e860dca-adbd-4ee6-aaeb-39d6b13bff58"},"res":{"statusCode":200},"responseTime":60}}

Relevant configuration

version: v1.0.0

dsn: memory
selfservice:
  default_browser_return_url: http://127.0.0.1:4455/
  allowed_return_urls:
    - http://127.0.0.1:4455
    - http://127.0.0.1:8091 # my app

  methods:
    password:
      enabled: true
    totp:
      config:
        issuer: Kratos
      enabled: true
    lookup_secret:
      enabled: true
    link:
      enabled: true
    code:
      enabled: true
    oidc:
      config:
        providers:
          - id: okta-test
            provider: generic
            client_id: "myid"
            client_secret: "mysecret"
            issuer_url: https://my-okta-login.example.com

            mapper_url: base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICB1c2VybmFtZTogY2xhaW1zLnVzZXJuYW1lLAogICAgfSwKICB9LAp9Cg==
            scope:
            - openid
            - profile
            - email
      enabled: true
  flows:
    error:
      ui_url: http://127.0.0.1:4455/error

    settings:
      ui_url: http://127.0.0.1:4455/settings
      privileged_session_max_age: 15m
      required_aal: highest_available

    recovery:
      enabled: true
      ui_url: http://127.0.0.1:4455/recovery
      use: code

    verification:
      enabled: true
      ui_url: http://127.0.0.1:4455/verification
      use: code
      after:
        default_browser_return_url: http://127.0.0.1:4455/

    logout:
      after:
        default_browser_return_url: http://127.0.0.1:4455/login

    login:
      ui_url: http://127.0.0.1:4455/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: http://127.0.0.1:4455/registration
      after:
        oidc:
          hooks:
            - hook: session
log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

oauth2_provider:
  url: http://hydra:4445

Version

oryd/kratos:v1.0.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response

@modulitos modulitos added the bug Something is not working. label Nov 22, 2023
@modulitos (Author) commented:

Based on the stack trace, it looks like the error is being raised here:

if ar, err := s.d.LoginFlowPersister().GetLoginFlow(ctx, rid); err == nil {

where it tries to look up the FlowId in the SQL persister.

I think I'm using the wrong value for the state query param, which I'm passing to Kratos' /self-service/methods/oidc/callback/okta-test endpoint (echo -n "d3fb9679-fe21-4565-8c4e-b8935c4f592f:somedata" | basenc --base64url)
I thought the state query param only needed to be random data, but I see it's getting parsed into the oidc package's State struct, where that struct's FlowID has to reference a login flow from the database. But how would I know which login flow I'm supposed to use? 🤔

I'll continue updating this thread as I find out more...

@modulitos (Author) commented:

Looks like I was missing the initial call to /self-service/login/browser, which creates a new FlowID that I can pass into the /self-service/methods/oidc/callback/okta-test endpoint.

I suppose it's obvious in hindsight, but it might be worth mentioning as a "step: 0" in these docs: https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc
otherwise folks might get confused about what state query param to pass into that url.
Documenting the /self-service/methods/oidc/callback/okta-test endpoint would have also helped!

I appreciate the Slack channel support. Sorry for the false alarm :)


uncvrd commented Dec 11, 2023

Hey @modulitos, if you have a minute, would you be able to show how you implemented the callback with the flowId? From my understanding, the state you should be passing is a base64-encoded state parameter that combines the flowId with some other data, so I'm confused how this worked for you haha

For example here's where it parses the state:

func parseState(s string) (*State, error) {

More context on why I'm asking, if curious: #275 (comment)

Thanks a lot for your time!
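The `state` handling discussed in the two comments above (the reporter's realisation that the flow id must come from a prior `/self-service/login/browser` call, and the question about how `parseState` reads it), as an added example that is not part of this issue thread and not Kratos's own code. It assumes the format the thread describes, base64url of `<flow id>:<opaque data>`, and models the flow persister as an in-memory dictionary; the expiry uses the `login.lifespan: 10m` value from the posted config.

```python
"""Model of the OIDC `state` check this thread describes (added example,
not Kratos's code). Assumption: state = base64url(<flow id> ":" <data>)
and the flow id must name a login flow the server created earlier
(GET /self-service/login/browser in Kratos) that has not yet expired."""
import base64
import binascii
import secrets
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The state the reporter hand-built and put into the authorize URL (from the issue).
REPORTER_STATE = "ZDNmYjk2NzktZmUyMS00NTY1LThjNGUtYjg5MzVjNGY1OTJmOnNvbWVkYXRh"
LOGIN_LIFESPAN = timedelta(minutes=10)  # `login.lifespan: 10m` in the posted config


@dataclass
class State:
    flow_id: str
    data: bytes

    def encode(self) -> str:
        # Unpadded base64url; the reporter's padded `basenc --base64url` form is also accepted below.
        raw = self.flow_id.encode("ascii") + b":" + self.data
        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def parse_state(s: str) -> State:
    """Decode `state` into (flow id, data); rejects malformed input early."""
    try:
        raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # re-add stripped padding
    except (binascii.Error, ValueError) as exc:
        raise ValueError("state is not base64url") from exc
    flow_id, sep, data = raw.partition(b":")
    if not sep:
        raise ValueError("state has no ':' separator")
    try:
        flow_id_str = flow_id.decode("ascii")
        uuid.UUID(flow_id_str)  # a flow id is a UUID; anything else cannot match a stored flow
    except ValueError as exc:  # UnicodeDecodeError is a ValueError subclass
        raise ValueError("state flow id is not a UUID") from exc
    return State(flow_id_str, data)


@dataclass
class FlowStore:
    """Stand-in for the login-flow persister (in-memory, like `dsn: memory`)."""
    flows: dict = field(default_factory=dict)  # flow id -> expiry time

    def create_login_flow(self, now: datetime) -> State:
        """The step the reporter skipped: persist a flow first, then bind
        `state` to that flow's id plus fresh random data."""
        flow_id = str(uuid.uuid4())
        self.flows[flow_id] = now + LOGIN_LIFESPAN
        return State(flow_id, secrets.token_bytes(16))

    def validate_callback(self, state: str, now: datetime) -> str:
        """The check the callback failed: the flow named in `state` must exist
        and be unexpired. Returns the flow id on success."""
        st = parse_state(state)
        expires = self.flows.get(st.flow_id)
        if expires is None:
            raise LookupError("Unable to locate the resource")  # the 404 seen in the logs
        if now >= expires:
            raise LookupError("login flow expired")
        return st.flow_id
```

A random UUID on the client side decodes fine but never matches a stored flow, which is why the callback returned 404 even though the Okta login itself succeeded.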
