bug: OIDC account linking causes error "session is not resumable"

[harnash]

Describe the bug

So there seems to be some issue with OIDC settings flow. When trying to link any OIDC account kratos generates error:

No resumable session could be found in the HTTP Header.

It seems that when posting a settings form to /self-service/settings it successfully reads and continues with the continuity session. Now browser is redirected to an OIDC provider (say google for example) and there it continues with the flow after which it is redirected back to /self-service/methods/oidc/callback/google where it tries again to resume this session and it fails since the continuity session was destroyed when handling a POST to /self-service/settings. At least that is what I think it is happening and looking at the logs from Kratos.

Reproducing the bug

Steps to reproduce the behavior:

1. Create an identity
2. Go to settings page in the browser UI
3. Try to link an account with any OIDC provider
4. Complete the flow on the OIDC provider site and return to the Kratos
5. Kratos will eventually redirect to /error page

Server logs

Resumable ID (cb8cb957-f1e2-42dc-82ba-071c0e3b3150) from cookie could not be found in the datastore: rid=
error=Unable to locate the resource
reason=
details=map[]
debug=

github.com/ory/x/sqlcon.HandleError
	/go/pkg/mod/github.com/ory/[email protected]/sqlcon/error.go:51
github.com/ory/kratos/persistence/sql.(*Persister).GetContinuitySession
	/go/src/github.com/ory/kratos/persistence/sql/persister_continuity.go:31
github.com/ory/kratos/continuity.(*ManagerCookie).container
	/go/src/github.com/ory/kratos/continuity/manager_cookie.go:114
github.com/ory/kratos/continuity.(*ManagerCookie).Continue
	/go/src/github.com/ory/kratos/continuity/manager_cookie.go:64
github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback
	/go/src/github.com/ory/kratos/selfservice/strategy/oidc/strategy.go:215
github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback
	/go/src/github.com/ory/kratos/selfservice/strategy/oidc/strategy.go:259
github.com/ory/kratos/selfservice/strategy.disabledWriter
	/go/src/github.com/ory/kratos/selfservice/strategy/handler.go:25
github.com/ory/kratos/selfservice/strategy.IsDisabled.func1
	/go/src/github.com/ory/kratos/selfservice/strategy/handler.go:30
github.com/ory/kratos/x.NoCacheHandler.func1
	/go/src/github.com/ory/kratos/x/nocache.go:18
github.com/julienschmidt/httprouter.(*Router).ServeHTTP
	/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387
github.com/ory/nosurf.(*CSRFHandler).handleSuccess
	/go/pkg/mod/github.com/ory/[email protected]/handler.go:201
github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
	/go/pkg/mod/github.com/ory/[email protected]/handler.go:158
github.com/urfave/negroni.Wrap.func1
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.glob..func1
	/go/src/github.com/ory/kratos/x/clean_url.go:12
github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
	/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:96
github.com/rs/cors.(*Cors).Handler.func1
	/go/pkg/mod/github.com/rs/[email protected]/cors.go:207
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:2049
net/http.serverHandler.ServeHTTP
	/usr/local/go/src/net/http/server.go:2867
net/http.(*conn).serve
	/usr/local/go/src/net/http/server.go:1932
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1371

Expected behavior

User can successfully link an existing account to OIDC provider.

Environment

• Version: v0.7.6-alpha.1
• Environment: Kubernetes

[aeneasr]

This is covered and passing in the e2e test suite so it might be something else.

[harnash]

It very likely might be. I need more time and I will come back with more debug info.

[harnash]

I think we can close this one. We probably found a bug and I think it is related to unreleased code. We will test it on the branch with #1527 and apply fix if needed (our current implementation is bit different so it may not be needed).