Open luflow opened 1 year ago
We are encountering a related issue when using the browser flow and the user is not logged in.
Thank you for the report, it looks like as if some existing cookie from the previous flow is messing with the return value. Any help towards why this could be is greatly appreciated!
If you are experiencing the same issue please feel free to add details on the flow so it is easier to find it. If you are experiencing a different issue, please create an issue that is as detailed as the one here. Otherwise it will not be possible to understand what your problem or observed bug is.
@aeneasr Trying to understand the logic here to dig deeper and maybe come up with a solution.
Is the redirect_to not pulled from the kratos database for a flow but instead always from the browser cookie (if available)? In kratos the correct redirect_to URLs are persisted in the database actually.
Shouldn't kratos prefer the database data when redirecting? Pointing me to the right piece of kratos code where this magic happens may help with debugging; currently I am totally in the dark with this because I am also new to the codebase.
Preflight checklist
Ory Network Project
selfhosted
Describe the bug
We found a strange behavior in Kratos that's somehow leading to ignoring our set redirect_to URL and always falling back to the default_browser_return_url. It happens in the case where a session in a browser is already established, but afterwards an API native flow is started with a 3rd-party Login. The app opens the browser, the session at the 3rd party is still valid so redirects are taking place and then I suddenly land on default_browser_return_url instead of the redirect_to specified in the API call.
Reproducing the bug
Steps to reproduce behavior:
Precondition: You need a native app where the native login flow can be executed with the Kratos API
allowed_return_urls and default_browser_return_url for your selfservice flows
redirect_to to myapp://module/login
myapp://module/login
but instead to default_browser_return_url
Somehow it looks like the redirect_to information gets lost on the way?
As soon as I logout in the browser manually and start from Step 5 again - everything works as intended and the native app flow gets completed correctly.
Relevant log output
Relevant configuration
Version
Kratos v1.0
On which operating system are you observing this issue?
Android & iOS (if login flow AND in-app browser is used with established session. Does not happen if you have the session in the Safari app, because iOS separates in-app browser and Safari app sessions)
In which environment are you deploying?
Kubernetes
Additional Context
No response
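The two configuration keys the report names, allowed_return_urls and default_browser_return_url, together decide where a browser lands once a flow completes. The following is an added Python illustration of that decision written for this page; it is not Kratos's own code. The allowlist semantics (scheme, host and port must equal an entry exactly, the path must extend the entry's path) and every URL in it are assumptions made for the example. It shows two things a practitioner checking such a setup wants to see: a custom-scheme deep link like myapp://module/login must itself be allowlisted or it is silently replaced by the default, and once the requested return URL is missing at completion time, the default URL is the only possible outcome, which is exactly the symptom described above.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed configuration mirroring the two Kratos keys named in the report
# (selfservice.default_browser_return_url and selfservice.allowed_return_urls).
# The values are made up for this example.
CONFIG = {
    "default_browser_return_url": "https://app.example.com/",
    "allowed_return_urls": [
        "https://app.example.com/",
        "myapp://module/login",
    ],
}


def is_allowed_return_url(candidate: str, allowed: list) -> bool:
    """Assumed allowlist semantics (an illustration, not Kratos's implementation):
    the candidate's scheme, host and port must match an entry exactly and its
    path must start with the entry's path. Custom schemes such as myapp:// are
    compared the same way, so a native deep link has to be allowlisted itself.
    Exact netloc comparison is what stops look-alike hosts such as
    app.example.com.evil.net from passing as app.example.com."""
    c = urlparse(candidate)
    if not c.scheme:
        # Relative or scheme-less targets are rejected outright.
        return False
    for entry in allowed:
        a = urlparse(entry)
        if (c.scheme, c.netloc) != (a.scheme, a.netloc):
            continue
        if c.path.startswith(a.path):
            return True
    return False


def resolve_return_url(return_to: Optional[str], config: dict) -> str:
    """Where the browser ends up after a completed flow: the requested return
    URL if one is present and allowlisted, otherwise default_browser_return_url.
    A return URL that is None (lost somewhere between flow start and completion,
    as the report observes) can therefore only ever resolve to the default."""
    if return_to and is_allowed_return_url(return_to, config["allowed_return_urls"]):
        return return_to
    return config["default_browser_return_url"]


if __name__ == "__main__":
    # Constructed inputs: the deep link from the report, a missing return URL,
    # and a host that merely looks like the allowed one.
    for requested in ["myapp://module/login", None, "https://app.example.com.evil.net/"]:
        print(f"{requested!r:45} -> {resolve_return_url(requested, CONFIG)}")
```

The third sample input is included because an allowlist that compared hosts by prefix rather than equality would accept it; keeping that check strict is the reason allowed_return_urls exists at all.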