/sessions/whoami cannot authorise a JWT-tokenized sessions

[tamtakoe]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

http://localhost:4433/sessions/whoami returns 401 if I'm using session token instead of cookie

{
    "error": {
        "code": 401,
        "status": "Unauthorized",
        "reason": "No valid session credentials found in the request.",
        "message": "The request could not be authorized"
    }
}

Reproducing the bug

1. Setup Kratos to use session token according https://www.ory.sh/docs/identities/session-to-jwt-cors

session:
  whoami:
    required_aal: aal1
    tokenizer:
      templates:
        api_token:
          ttl: 1h
          jwks_url: 'base64://eyJzZXQiOiJleGFtcGxlLWtleS1zZXQiLCJrZXlzIjpbeyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2IiwiZCI6IlhkTy00T2tkRHhzT2hVX1h3WUZBekVnMVozRGZROExod2l2SmVGcS1wcG8iLCJraWQiOiIzMDQ1NjMxYi05NWE4LTQzM2MtYWI1NC05M2ZhNTJhNTVlYTgiLCJrdHkiOiJFQyIsInVzZSI6InNpZyIsIngiOiJBQVl4cmpQTnQ2TS1YQlkxSDU3TWNfNm1vaUVUa2dfQ2YyZWdIWFBPRUdvIiwieSI6Im1OWDlVQ0JhODJHTnJ2SUlIRkZOeHN3LUxQS2tzYndDTW9hSXlieVdNRVkifV19'

2. Get session token by cookie

curl --location 'http://localhost:4433/sessions/whoami?tokenize_as=api_token' \
--header 'Cookie: csrf_token_689af3ef6c442bd243df094e1d655035a08b6b22fc8ad5f5c24168a747cf69ba=m3evGLg2xyMyakE3PaHiT3mEdWsGtyCRrv2S4tebFyI=; ory_kratos_session=MTcyNzU0MzkzNHw5ckdiOUdRWHFzTWxQZlVtWVJDdERLMjJYMjFsc18tbmRjS2J3dmFBdHprWk9iRTIxbUl3VkZpd2JHUmU0b0FTMjgzcUFnMHZ1M0xYRnhQS0dPOWdzQ2NEdy1yaDBzT3Z6NjlpOEFhS1l6dHJPVnZFRGFKSnJueENQOTBFMUVLeHFTcGtHc3ZWSWRuaWxTNDgtT0ROVGRIRE15ZWFzc0htdmF4N2tWdkdCUzRSUnRxQnlXNjh2S3doNWRTODBEUVdRdV9JWUxsZTZQLVItNks2RWtlT3BFX1d1VnpPVFFiZXVoSXcwcHF5Y1BLdlU0MkJGTkM1Xzlzdi16TWxYR20tUlEzT2JoM1VCeU1UOWZYQ1lpeTB8nrc8HBLb1umgDFA34EDbj_tpYb0GCJTdAFZByT53akc='

3. Make request with session token from tokenized field of previous response

curl --location 'http://localhost:4433/sessions/whoami' \
--header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjMwNDU2MzFiLTk1YTgtNDMzYy1hYjU0LTkzZmE1MmE1NWVhOCIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3Mjc1NTI4ODQsImlhdCI6MTcyNzU0OTI4NCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDMzIiwianRpIjoiNjc0MjE4ZWEtOTJhMS00OWUxLTllYTgtMDA3NzMxNjY5NzYzIiwibmJmIjoxNzI3NTQ5Mjg0LCJzaWQiOiIzNmI1NWU5Ny0xNDM4LTQ5MGYtOWE4NS1jYTk1MmU1ZmU4YTgiLCJzdWIiOiJhZDE3NjIxYS03NmEwLTRiZTQtOWIwOS1jODdkOGRhMzA2YTIifQ.kCN73R7BSf-GE7GpiZiUE0LHfiil9exoJFY1vImBWHWk-mWPBkriU4KcGVp6G6huBPwI4vaFS3FaJZTDLglbHg'

4. See 401 response

{
    "error": {
        "code": 401,
        "status": "Unauthorized",
        "reason": "No valid session credentials found in the request.",
        "message": "The request could not be authorized"
    }
}

Relevant log output

time=2024-09-28T18:53:50Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:146 http_request=map[headers:map[accept:application/json accept-encoding:gzip, deflate, br authorization:[Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjMwNDU2MzFiLTk1YTgtNDMzYy1hYjU0LTkzZmE1MmE1NWVhOCIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3Mjc1NTMwNDUsImlhdCI6MTcyNzU0OTQ0NSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDMzIiwianRpIjoiYjk0NTIzZGYtYTQxYy00OTY2LWE3N2ItNzU5NTQ0MGZlZDQ5IiwibmJmIjoxNzI3NTQ5NDQ1LCJzaWQiOiIzNmI1NWU5Ny0xNDM4LTQ5MGYtOWE4NS1jYTk1MmU1ZmU4YTgiLCJzdWIiOiJhZDE3NjIxYS03NmEwLTRiZTQtOWIwOS1jODdkOGRhMzA2YTIifQ.Ja25NjG0MZJ-Q-RY62UfhUSmiCTfUhwZS_0WD19ZsmrnGMBEz2h7wQ2CjMRH8EUj6CRUs4cRt6MBu4DD-FZCow] connection:keep-alive postman-token:9c4927b5-ccb2-4d0e-98e0-334752b754a2 user-agent:PostmanRuntime/7.38.0] host:localhost:4433 method:GET path:/sessions/whoami query:<nil> remote:10.0.0.2:21140 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json vary:Origin] size:157 status:401 text_status:Unauthorized took:1.064377ms]

### Relevant configuration

```yml
version: v0.13.0

dsn: memory
dev: true

serve:
  public:
    base_url: http://localhost:4433
    cors:
      enabled: true
      allow_credentials: true
      allowed_origins:
        - http://localhost:4455
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Accept
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    base_url: http://kratos:4434/

selfservice:
  default_browser_return_url: http://localhost:4455/
  allowed_return_urls:
    - http://localhost:4455/

  methods:
    password:
      enabled: true
    link:
      enabled: true
    code:
      enabled: true
    lookup_secret:
      enabled: true
            
  flows:
    error:
      ui_url: http://localhost:4455/error

    settings:
      ui_url: http://localhost:4455/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: http://localhost:4455/recovery

    verification:
      enabled: true
      use: code
      ui_url: http://localhost:4455/verification
      after:
        default_browser_return_url: http://localhost:4455/

    logout:
      after:
        default_browser_return_url: http://localhost:4455/login

    login:
      ui_url: http://localhost:4455/login
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: http://localhost:4455/registration
      after:
        password:
          hooks:
          - hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 2
    salt_length: 16
    key_length: 16

identity:
  default_schema_id: user_v1
  schemas:
    - id: user_v1
      url: file:///etc/config/kratos/identity.schema.json

session:
  whoami:
    required_aal: aal1
    tokenizer:
      templates:
        api_token:
          ttl: 1h
          jwks_url: 'base64://eyJzZXQiOiJleGFtcGxlLWtleS1zZXQiLCJrZXlzIjpbeyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2IiwiZCI6IlhkTy00T2tkRHhzT2hVX1h3WUZBekVnMVozRGZROExod2l2SmVGcS1wcG8iLCJraWQiOiIzMDQ1NjMxYi05NWE4LTQzM2MtYWI1NC05M2ZhNTJhNTVlYTgiLCJrdHkiOiJFQyIsInVzZSI6InNpZyIsIngiOiJBQVl4cmpQTnQ2TS1YQlkxSDU3TWNfNm1vaUVUa2dfQ2YyZWdIWFBPRUdvIiwieSI6Im1OWDlVQ0JhODJHTnJ2SUlIRkZOeHN3LUxQS2tzYndDTW9hSXlieVdNRVkifV19'
  earliest_possible_extend: 1h

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

Version

oryd/kratos:v1.2.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

No response

[nguyenhy]

Same question here? any update for this issue?
@tamtakoe Did you solve the issue?

Update:

• this document explain exactly how to get/use session token