kratos
kratos copied to clipboard
ory
Recovery flow redirect after success not working as expected
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
On a self-service instance of Kratos, using http redirects, we can add selfservice.flows.<login[registration|recovery...>.after.default_browser_return_url to redirect the user after completing a flow. It works properly for flows like login or registration but doesn't for recovery flow.
As explained in documentation, a successful recovery does a HTTP 303 redirect to a settings flow, however we can't override it.
Reproducing the bug
- Update your kratos configuration file with after keyword:
selfservice:
...
flows:
....
recovery:
enabled: true
ui_url: ${kratos_ui_recovery}
after:
default_browser_return_url: ${kratos_ui_recovery_redirect}
settings:
ui_url: ${kratos_ui_settings}
- Run a Kratos self-service instance with this configuration
- Register yourself & request a password recovery
- When clicking mail link to recover password, you'll be redirected to
${kratos_ui_settings}instead of${kratos_ui_recovery_redirect}
Relevant log output
No response
Relevant configuration
version: v0.8.0-alpha.3
dsn: memory
cookies:
domain: localhost
path: /
same_site: None
serve:
public:
base_url: http://localhost:4433
cors:
enabled: true
allowed_origins:
- http://localhost:3000
- http://localhost
- http://127.0.0.1:4455
- http://localhost:4455
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Content-Type
- Authorization
- Cookie
exposed_headers:
- Content-Type
- Set-Cookie
#options_passthrough: true
debug: true
admin:
base_url: http://kratos:4434/
selfservice:
default_browser_return_url: http://localhost:3000/u/dashboard
whitelisted_return_urls:
- http://localhost:3000
- http://localhost:4455
methods:
password:
enabled: true
oidc:
enabled: true
config:
providers:
- id: gitlab
provider: gitlab
client_id: redacted
client_secret: redacted
mapper_url: file:///etc/config/kratos/oidc.gitlab.jsonnet
scope:
- api
- openid
- email
flows:
error:
ui_url: http://localhost:4455/error
settings:
ui_url: http://localhost:3000/settingss
privileged_session_max_age: 15m
recovery:
enabled: true
ui_url: http://localhost:3000/recovery
after:
default_browser_return_url: http://localhost:3000/u/mysupertest
verification:
enabled: true
ui_url: http://localhost:3000/u/verify
after:
default_browser_return_url: http://localhost:4455/
logout:
after:
default_browser_return_url: http://localhost:3000/u/signin
login:
ui_url: http://localhost:3000/u/signin
lifespan: 10m
registration:
lifespan: 10m
ui_url: http://localhost:3000/u/signup
after:
oidc:
hooks:
- hook: session
log:
level: debug
format: text
leak_sensitive_values: true
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE #TODO
default:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
hashers:
argon2:
parallelism: 1
memory: 128MB
iterations: 2
salt_length: 16
key_length: 16
identity:
schemas:
- id: default_identity
url: file:///etc/config/kratos/identity.schema.json
default_schema_url: file:///etc/config/kratos/identity.schema.json
courier:
smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
Version
v0.8.0-alpha.3
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
Kratos version is v0.8.0-alpha.3, but after discussing with David Alexandre on Slack, it is the same on latest version.
Thank you for the report, where would you like to redirect the user to instead? We redirect them to the settings page as users probably want to update their credentials when recovering the account. If I’m not mistaken, the post-recovery redirect triggers once one updates their settings successfully
In our current application, the settings flow is used in two pages (due to UX concerns):
- Editing user profile information (so we remove password related fields)
- Editing user password (we remove user profile related fields)
That's why we expect the user to be redirected to a different page than the settings flow page. We do not expect to be on settings page after clicking on recover link. Moreover, I tried to edit my settings after having completed the recovery flow, and it did not redirect to recovery.after.default_browser_return_url as you stated
I see, it’s possible that the final redirect doesn’t work yet.
Regarding the update, it should be possible (e.g. by checking the messages) to identify that a settings flow is initiated by recovery, you can then filter out all the irrelevant fields in the UI!
You are right, the settings flow has a message when created by recovery flow.
About the issue, I understood that after keyword should be used as a redirect after completing the settings flow generated by the recovery. Our application is an SPA, so we expected the user to be redirected while clicking on recovery link.
After thinking about it, I can't confirm that your statement about final redirection is false, as we don't redirect the user after settings flow submission (XHR calls). This final redirection isn't documented, so I guess some details about recovery flow can be added (I can spend time to it if needed). Also, the final redirection needs to be tested to ensure it works, and that this issue can be closed as it's not a bug.
We can keep it open until your issue has been resolved :) For SPAs, we usually indicate redirects with a specific error type that indicates that a redirect is required. However, for success flows we just return 200 OK as it’s up to the app to decide what to do. Most SPAs for example choose to show some type of flash message using the tooling of their choice - so yes, it’s completely possible that we do not indicate the redirect properly. I’m wondering however how we could do that? If you have any ideas please let us know :)
Just bumped into this as well on Kratos 1.0.0. I'm using the recovery flow to generate invite links, and would like to control the destination URL the user is redirected to after they click the invite link.
I tried setting recovery.after.default_browser_return_url and adding a return_to query parameter to the recovery URL, but in both cases I was redirected to the settings page. Is there any way to control the redirect destination?
Same here !
It would be nice to have both an intermediary redirect (after the user clicks the invite link, or successfully submits the recovery code that they received by email) and a final redirect that works (after the user successfully changes their password. At the moment I believe the final redirect does not work either as per my tests and I'm not sure which default_browser_return_url it will default to).
Thank you and keep up the amazing work please !
[Edit]
I was able to make the final redirect work by setting the selfservice.flows.recovery.after.default_browser_return_url or by specifying a returnTo thanks to the sdk
ory
.createBrowserRecoveryFlow({
returnTo: String(returnTo || ""),
})
Couldn't find a way for the intermediary redirect though.
