ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

OIDC sign in that creates account does not redirect to after-registration URL #3937

Open aran opened 4 months ago

aran commented 4 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

When signing in with oidc, if an account does not exist, Kratos treats it as a registration and creates an account. It calls the post-registration hook, but there are other differences from the true registration flow. In particular, it does not request the scopes provided in selfservice.methods.oidc.config.providers[].scope, and it does not redirect to selfservice.flows.registration.after.default_browser_return_url.

Reproducing the bug

  1. Create an Ory project with google oidc. Include some additional OAuth scopes and a selfservice.flows.registration.after.default_browser_return_url in the config.
  2. On Web, Sign in with Google (not Sign up with Google). Observe no permission requests from Google, and observe that you are not redirected to the configured post-registration URL.

Relevant log output

No response

Relevant configuration

No response

Version

Kratos 1.1

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

jonas-jonas commented 4 months ago

In particular, it does not request the scopes provided in selfservice.methods.oidc.config.providers[].scope

This is interesting, as I can't immediately tell from the code why this would be. We use the same config in both registration and login, and thus the same code URL for the OIDC provider. The translation from login -> registration only happens in the OIDC callback after the OIDC provider has redirected the user to Ory/Kratos. Any additional information you might have would help!

and it does not redirect to selfservice.flows.registration.after.default_browser_return_url.

Yes, this is true, because the login flow fully wraps the registration flow, and after it completes, performs the after-login redirect. If you have a page welcoming new users, they wouldn't be redirected as Kratos treats the flow as a login flow, leading to weird UXs. So I agree that this should either be configurable or just be changed (though this would be an unexpected breaking change, IMO).

aran commented 4 months ago

This is interesting, as I can't immediately tell from the code why this would be. We use the same config in both registration and login, and thus the same code URL for the OIDC provider. The translation from login -> registration only happens in the OIDC callback after the OIDC provider has redirected the user to Ory/Kratos. Any additional information you might have would help!

This turns out to likely be my mistake - our registration flow unconditionally manually sets upstream_parameters to force the scopes fetch, and our login flow doesn't, and I should be able to configure our login flow to do it. So the only real issue is the "wrong" after login url when login is actually a registration.

In our case, you are absolutely right - after a registration, we drop the user into a welcoming onboarding flow intended to finish configuration for new users, so if they happened to click "Sign In" instead of "Sign Up", they don't get our welcoming page unless we hack that state outside of the Kratos system.
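One way to recover the missing onboarding redirect on the application side, as an added example that is not code from this issue or from Kratos: the app inspects the session Kratos returns after login and, when the login was OIDC and the identity was created moments before the session, sends the user to onboarding instead of the normal after-login page. The session field names (`authenticated_at`, `authentication_methods[].method`, `identity.created_at`), the two URLs and the 60-second window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Assumed application URLs; they stand in for the two Kratos return URLs the issue contrasts.
ONBOARDING_URL = "https://app.example.com/welcome"  # role of registration.after.default_browser_return_url
HOME_URL = "https://app.example.com/"               # role of login.after.default_browser_return_url
FRESH_WINDOW = timedelta(seconds=60)  # assumed: identity created at most this long before the session


def _ts(value: str) -> datetime:
    # Kratos emits RFC 3339 timestamps; fromisoformat wants "+00:00" rather than a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_oidc_signup_via_login(session: dict) -> bool:
    """True when the session was established via OIDC and its identity was created just before it."""
    methods = {m.get("method") for m in session.get("authentication_methods", [])}
    if "oidc" not in methods:
        return False
    created = _ts(session["identity"]["created_at"])
    authenticated = _ts(session["authenticated_at"])
    return timedelta(0) <= authenticated - created <= FRESH_WINDOW


def post_login_redirect(session: dict) -> str:
    """Route a login that was really a registration to onboarding; everyone else goes home."""
    return ONBOARDING_URL if is_oidc_signup_via_login(session) else HOME_URL


# Constructed samples shaped like a /sessions/whoami response; field names assumed, not real captures.
NEW_USER_SESSION = json.loads("""{
  "authenticated_at": "2024-05-01T10:00:05Z",
  "authentication_methods": [{"method": "oidc", "provider": "google"}],
  "identity": {"id": "00000000-0000-0000-0000-000000000001", "created_at": "2024-05-01T10:00:04Z"}
}""")
RETURNING_USER_SESSION = json.loads("""{
  "authenticated_at": "2024-05-01T10:00:05Z",
  "authentication_methods": [{"method": "oidc", "provider": "google"}],
  "identity": {"id": "00000000-0000-0000-0000-000000000002", "created_at": "2023-11-20T08:15:00Z"}
}""")
PASSWORD_SESSION = json.loads("""{
  "authenticated_at": "2024-05-01T10:00:05Z",
  "authentication_methods": [{"method": "password"}],
  "identity": {"id": "00000000-0000-0000-0000-000000000003", "created_at": "2024-05-01T10:00:04Z"}
}""")

if __name__ == "__main__":
    for name, s in [("new", NEW_USER_SESSION), ("returning", RETURNING_USER_SESSION), ("password", PASSWORD_SESSION)]:
        print(name, "->", post_login_redirect(s))
```

The time window is a heuristic; a firmer signal is to record the identity id from an after-registration web hook and look it up here.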

aran commented 3 months ago

Retitled for specificity.

Another solution that would work — less preferable, but maybe easier — would be allowing us to disable creating accounts on sign in.