kratos
I'm unable to reset password on mobile devices
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
I'm not able to finish account recovery on mobile devices.
- I'm calling `GET recovery/api`
- then in the `POST` request I pass the email address and the method `"link"`
- I receive an email message with a URL like: "http://127.0.0.1:4433/self-service/recovery?flow=91b83275-f306-463f-92b3-9052cae8ec23&token=Z5ehZKrk7sWaFBRxi8aI5xDlgYViXaWO"

In a web application, if you GET that URL, you receive cookies which make it possible to init settings and then change the password, but on mobile devices I'm unable to receive a session token to init settings and then change my password.
Reproducing the bug
Run the steps above.
Relevant log output
No response
Relevant configuration
No response
Version
oryd/kratos v0.8.2-alpha.1 and oryd/kratos:v0.10.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
Hi, thank you for the report! That is indeed the case - there are some open PRs for this, but in general we have plans to switch to a code which people will enter in their app, making this process mobile-friendly!
For now, your users will have to change the password in the browser :/
For me, the core issue we're running into is we can't get the `POST /self-service/recovery` endpoint to return a `session token`. It's instead returning a `session cookie`.

We're using `code` recovery.

We have to keep the `session cookie` around on mobile for the subsequent `/settings` requests to change the user's password, and then re-login to return to using a `session token`.

Kind of an awkward shuffle, and it forces the mobile app user to re-login in order to get a token that works in an `Authorization` header.

We've essentially implemented a fake browser flow in the mobile app just for password recovery. Unless we're missing something. 😄
@jonas-jonas JFYI as you're drilling into API flows
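The cookie-carrying "fake browser" workaround described in the comment above, applied to the link-based recovery steps from the issue body, as an added example in Python (not code from the issue, its commenters, or the Kratos project). The endpoint paths, the JSON response of `/self-service/settings/browser` for `Accept: application/json`, the `csrf_token` node in `ui.nodes`, and the 303 answer to the e-mailed link are assumptions about the Kratos API; check them against the version you run.

```python
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import parse_qs, urlparse

def parse_recovery_link(link: str) -> tuple:
    """Return (flow_id, token) from the recovery URL Kratos sends by e-mail."""
    query = parse_qs(urlparse(link).query)
    return query["flow"][0], query["token"][0]

def csrf_token_from_flow(flow: dict) -> str:
    """Browser flows carry the CSRF token as a hidden input node in ui.nodes (assumed layout)."""
    for node in flow["ui"]["nodes"]:
        attrs = node.get("attributes", {})
        if attrs.get("name") == "csrf_token":
            return attrs["value"]
    raise ValueError("flow has no csrf_token node")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # The recovery link is assumed to answer with a 303 to the settings UI; we only
    # want the Set-Cookie header on that response, not the UI page it points at.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def recover_password(kratos_public: str, recovery_link: str, new_password: str) -> dict:
    """Finish recovery the way a browser would, but from native code (assumed Kratos API)."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar), _NoRedirect)
    accept_json = {"Accept": "application/json"}
    # 1. Follow the e-mailed link; the session cookie on the redirect response lands in the jar.
    try:
        opener.open(urllib.request.Request(recovery_link, headers=accept_json))
    except urllib.error.HTTPError as err:
        if err.code not in (302, 303):
            raise
    # 2. Initialise a browser settings flow with that cookie; JSON is expected for Accept: application/json.
    req = urllib.request.Request(f"{kratos_public}/self-service/settings/browser", headers=accept_json)
    with opener.open(req) as resp:
        flow = json.load(resp)
    # 3. Submit the new password together with the flow's CSRF token (required on browser flows).
    body = json.dumps({"method": "password", "password": new_password,
                       "csrf_token": csrf_token_from_flow(flow)}).encode()
    req = urllib.request.Request(f"{kratos_public}/self-service/settings?flow={flow['id']}",
                                 data=body, method="POST",
                                 headers={**accept_json, "Content-Type": "application/json"})
    with opener.open(req) as resp:
        return json.load(resp)  # updated settings flow; the app still has only a cookie, not a token
```

After this the app must log in again to obtain a session token for the `Authorization` header, which is exactly the re-login shuffle the comment complains about.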
Hello, I just want to point out that I've run into an issue where I'm missing this functionality. I'm creating the recovery flow via the Native Apps endpoint, but I got stuck once I'd validated the recovery code, as the result is just a 422 response with cookies for a browser redirect to configure a new password. It would be awesome if, for the native apps flow, we would receive a session token when the proper recovery code was sent; using it, we could call the settings flow endpoint to set a new password.
Hi, we're improving this and adding native flow support for account recovery. This is well in flight and should land in Ory Network ~next week, and will also go into Kratos with the next release (and land on main earlier).