ory / network

Ory runs a global end-to-end security infrastructure for humans, robots, and servers. We build and use open source software.
Apache License 2.0

SPA flows do not continue with OAuth flow after registration #352

Closed Benehiko closed 1 year ago

Benehiko commented 1 year ago

Preflight checklist

Ory Network Project

No response

Describe the bug

When performing an OAuth2 flow the user might not have an existing account. This would lead to the user switching to the registration flow. When including the login_challenge in the request to create a registration flow the response correctly shows that the flow is part of an OAuth2 flow.

After completing the OAuth2 flow using a password method, the response will include a continue_with to continue to the verification flow, as shown below:

{
  "session": {
    "id": "7dda364e-54a0-41da-8349-2c3fbd1db419",
    "active": true,
    "expires_at": "2023-10-09T15:25:52.828420977Z",
    "authenticated_at": "2023-10-06T15:25:52.828429583Z",
    "authenticator_assurance_level": "aal1",
    "authentication_methods": [{"method": "password", "aal": "aal1", "completed_at": "2023-10-06T15:25:52.828420743Z"}],
    "issued_at": "2023-10-06T15:25:52.828420977Z",
    "identity": {
      "id": "2edb98b9-d576-4334-bc68-90df84181e70",
      "schema_id": "preset://email",
      "schema_url": "http://localhost:4000/schemas/cHJlc2V0Oi8vZW1haWw",
      "state": "active",
      "state_changed_at": "2023-10-06T15:25:52.412681123Z",
      "traits": {"email": "alano+1314@ory.sh"},
      "verifiable_addresses": [{"id": "09806fc3-a5de-4c6f-b3a8-d42dbaff38f2", "value": "alano+1314@ory.sh", "verified": false, "via": "email", "status": "sent", "created_at": "2023-10-06T15:25:52.414937Z", "updated_at": "2023-10-06T15:25:52.414937Z"}],
      "recovery_addresses": [{"id": "ba5b28bc-3258-4699-83ab-8deab0a2f07f", "value": "alano+1314@ory.sh", "via": "email", "created_at": "2023-10-06T15:25:52.518052Z", "updated_at": "2023-10-06T15:25:52.518052Z"}],
      "metadata_public": null,
      "created_at": "2023-10-06T15:25:52.413428Z",
      "updated_at": "2023-10-06T15:25:52.413428Z",
      "organization_id": null
    },
    "devices": [{"id": "97ab0033-6e63-4484-9b1c-77ae5e927f5a", "ip_address": "127.0.0.1", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36", "location": "Munich, DE"}]
  },
  "identity": {
    "id": "2edb98b9-d576-4334-bc68-90df84181e70",
    "schema_id": "preset://email",
    "schema_url": "http://localhost:4000/schemas/cHJlc2V0Oi8vZW1haWw",
    "state": "active",
    "state_changed_at": "2023-10-06T15:25:52.412681123Z",
    "traits": {"email": "alano+1314@ory.sh"},
    "verifiable_addresses": [{"id": "09806fc3-a5de-4c6f-b3a8-d42dbaff38f2", "value": "alano+1314@ory.sh", "verified": false, "via": "email", "status": "sent", "created_at": "2023-10-06T15:25:52.414937Z", "updated_at": "2023-10-06T15:25:52.414937Z"}],
    "recovery_addresses": [{"id": "ba5b28bc-3258-4699-83ab-8deab0a2f07f", "value": "alano+1314@ory.sh", "via": "email", "created_at": "2023-10-06T15:25:52.518052Z", "updated_at": "2023-10-06T15:25:52.518052Z"}],
    "metadata_public": null,
    "created_at": "2023-10-06T15:25:52.413428Z",
    "updated_at": "2023-10-06T15:25:52.413428Z",
    "organization_id": null
  },
  "continue_with": [{"action": "show_verification_ui", "flow": {"id": "fe3696d4-012f-4a10-b607-d5e728f62c77", "verifiable_address": "alano+1314@ory.sh", "url": "/ui/verification?flow=fe3696d4-012f-4a10-b607-d5e728f62c77"}}]
}

Following the verification flow will then result in a redirect to the default /ui/welcome page.

Interestingly with the one-time code method, the OAuth flow continues as normal to the /consent route.

Reproducing the bug

  1. Setup a custom UI or follow https://github.com/ory/elements/tree/main/examples/react-spa#ory-oauth-flows
  2. Ensure the password flow is enabled and verification flow is also enabled.
  3. Ensure the Ory Network project uses the custom UI
  4. Create an OAuth flow through the Ory tunnel (localhost:4000)
  5. Perform the flow by switching from login -> registration
  6. Submit a password
  7. The UI will just show you the session information here, but the API will contain a continue_with object.
  8. *optional* - in case the UI shows the verification UI, perform it and you will be redirected to /ui/welcome

Relevant log output

No response

Relevant configuration

No response

Version

latest

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

I used Ory Elements react-spa to test this out.

sunib commented 1 year ago

We would love to see this fixed as it's hurting our signup-flow!

Droxx commented 1 year ago

To add some more details to this issue. We are seeing a similar problem, but at a different part of the flow.

When a new user accesses our site e.g. www.site.com, and they are not authenticated, they go to the login screen, with a return_to=www.site.com query parameter. We currently have two paths from this point.

If that user signs in, they are then returned to www.site.com.

If that user does not have an account, and registers, they are sent to the registration flow, which is requested with .../registration/browser?return_to=www.site.com. The return_to persists here.

But once they have registered, they are then sent to the verification flow. But the return_to is not included in this flow. It is being dropped somewhere. So after verification, our user is instead routed to the ory welcome page.

If this is not in the scope of this issue, then I am happy to make a new one.
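One way a SPA can handle the `continue_with` array from the report above and carry `return_to` into the verification step described in the comment above, as an added example in JavaScript that is not part of the issue, Ory Elements or Kratos. It assumes the `redirect_browser_to` action name (the action Kratos uses to hand the browser back to the OAuth2 consent step; treated as an assumption here), an `ALLOWED_ORIGIN` equal to the Ory tunnel used in the report, and that `/ui/verification` is the SPA's own route, which reads `return_to` back out of the query string. The first sample is the `continue_with` part of the payload posted in the issue; the second sample and the helper names are constructed.

```javascript
// Added example (not Ory's code): decide what a SPA should do with the
// `continue_with` array Kratos returns after a login/registration submission.
// Assumptions: the `redirect_browser_to` action name, the ALLOWED_ORIGIN value,
// and `/ui/verification` being a route of our own SPA.

const ALLOWED_ORIGIN = "http://localhost:4000"; // the Ory tunnel used in the report

// Sample 1: the continue_with from the password registration response in the issue.
const SAMPLE_PASSWORD_REGISTRATION = {
  continue_with: [{
    action: "show_verification_ui",
    flow: {
      id: "fe3696d4-012f-4a10-b607-d5e728f62c77",
      verifiable_address: "alano+1314@ory.sh",
      url: "/ui/verification?flow=fe3696d4-012f-4a10-b607-d5e728f62c77",
    },
  }],
};

// Sample 2 (constructed): the shape of an OAuth2 hand-back, with a hostile entry
// appended to exercise the redirect guard.
const SAMPLE_OAUTH2_CONTINUE = {
  continue_with: [
    { action: "redirect_browser_to", redirect_browser_to: "http://localhost:4000/oauth2/auth?login_verifier=example" },
    { action: "redirect_browser_to", redirect_browser_to: "https://attacker.example/" },
  ],
};

// Only follow a relative path or an absolute URL on our own origin. A URL that
// arrived in a JSON body is not trustworthy by itself; this is the open-redirect
// guard every "navigate to what the server told me" path needs.
function safeRedirectTarget(url, allowedOrigin = ALLOWED_ORIGIN) {
  if (typeof url !== "string") return null;
  if (url.startsWith("/") && !url.startsWith("//")) return url; // protocol-relative is rejected
  try {
    const u = new URL(url);
    if (u.origin === allowedOrigin && (u.protocol === "http:" || u.protocol === "https:")) {
      return u.toString();
    }
  } catch {
    // not an absolute URL
  }
  return null;
}

// Carry return_to over to our verification route so that, once the address is
// verified, the SPA can send the user back where they started instead of to the
// default welcome page. `path` is a relative path that already passed the guard.
function withCarriedParams(path, { returnTo } = {}) {
  const u = new URL(path, ALLOWED_ORIGIN);
  if (returnTo) u.searchParams.set("return_to", returnTo);
  return u.pathname + u.search;
}

// Turn the response into a list of client actions. Returning a plan (rather than
// calling window.location directly) keeps the logic testable.
function planContinueWith(response, ctx = {}) {
  const steps = [];
  for (const item of response.continue_with ?? []) {
    switch (item.action) {
      case "show_verification_ui": {
        const target = safeRedirectTarget(item.flow && item.flow.url);
        steps.push(target
          ? { kind: "navigate", to: withCarriedParams(target, ctx) }
          : { kind: "error", reason: "unsafe verification url" });
        break;
      }
      case "redirect_browser_to": { // assumed action name for the OAuth2 consent hop
        const target = safeRedirectTarget(item.redirect_browser_to);
        steps.push(target
          ? { kind: "navigate", to: target }
          : { kind: "error", reason: "unsafe redirect target" });
        break;
      }
      case "set_ory_session_token":
        steps.push({ kind: "store_token" }); // native clients only; a browser SPA relies on the cookie
        break;
      default:
        steps.push({ kind: "ignore", action: item.action });
    }
  }
  return steps;
}

function demo() {
  return {
    verification: planContinueWith(SAMPLE_PASSWORD_REGISTRATION, { returnTo: "https://www.site.com/" }),
    oauth2: planContinueWith(SAMPLE_OAUTH2_CONTINUE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

For the password-registration sample this yields a single `navigate` step to `/ui/verification?flow=…&return_to=…`; for the constructed OAuth2 sample the on-origin target is followed and the off-origin one is reported as an error rather than followed. Whether Kratos itself continues to consent after verification is exactly what this issue is about; the client-side carry-over only makes sure the SPA does not lose `return_to` on its own side.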

Benehiko commented 1 year ago

I'll start investigating this today