feat: redirect to OIDC providers only once in registration flows
When doing a social sign-in, but some required identity fields are not provided by the social provider, Kratos switches to a registration flow in order to fill in the missing data.
As https://github.com/ory/kratos/issues/2863 describes it, the idea is that instead of redirecting back to the social provider when submitting the registration form, we handle the registration directly in Kratos using the previously stored OIDC data.
The main rationale is that it feels very unusual for users to select their Google account (for instance) twice during social sign-in, and even more so if further errors occur on the registration form.
Three steps fix this issue:
- Store OIDC data when processing the registration: provider ID, tokens and claims are stored
- When submitting an OIDC registration form, when OIDC data is stored, do not redirect to the provider, but instead load this data to process the registration. ⚠️ This has the side-effect that API calls (in e2e tests for instance) that previously were redirected to the social provider and became browser calls, now remain API calls.
- When completed, delete the OIDC data from .
Related issue(s)
Fixes https://github.com/ory/kratos/issues/2863
Core code based on https://github.com/ory/kratos/pull/3416
Checklist
- [x] I have read the contributing guidelines.
- [x] I have referenced an issue containing the design document if my change introduces a new feature.
- [x] I am following the contributing code guidelines.
- [x] I have read the security policy.
- [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [email protected]) from the maintainers to push the changes.
- [x] I have added tests that prove my fix is effective or that my feature works.
- [ ] I have added or changed the documentation.
Further Comments
Can this get attention?
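The three steps described above (store the provider ID, tokens and claims; reuse them on form submission instead of redirecting; delete them once registration completes), as an added illustrative example that is not Kratos's own code. The `flowStore`, `oidcData` and `submitRegistration` names, the string-keyed traits and the flow IDs are assumptions made for the example; the point it shows is the decision between "redirect to provider" and "register with stored data", that a failed submission (missing required traits) keeps the stored data so the user can retry without a second provider round-trip, and that the stored tokens are dropped on completion so the same flow ID cannot be replayed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// oidcData is what a registration flow keeps between the provider callback
// and the final submission of the registration form. Field names are
// assumptions for this example, not Kratos's own types.
type oidcData struct {
	Provider string
	Tokens   map[string]string
	Claims   map[string]string
}

// flowStore maps a registration flow ID to the OIDC data stored for it.
type flowStore struct {
	mu    sync.Mutex
	flows map[string]*oidcData
}

func newFlowStore() *flowStore {
	return &flowStore{flows: map[string]*oidcData{}}
}

// Step 1: when the provider callback lands and required traits are missing,
// store provider ID, tokens and claims under the flow ID.
func (s *flowStore) storeOIDCData(flowID string, d oidcData) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.flows[flowID] = &d
}

// hasOIDCData reports whether data is still stored for the flow.
func (s *flowStore) hasOIDCData(flowID string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.flows[flowID]
	return ok
}

// action is what the submit handler decides to do with a submission.
type action string

const (
	actionRedirectToProvider action = "redirect_to_provider"
	actionRegisterWithStored action = "register_with_stored_data"
)

var errMissingTraits = errors.New("required traits still missing")

// Step 2: on submission of the registration form, use the stored data when
// present instead of redirecting to the provider again. Claims from the
// provider are merged with the traits typed into the form; if a required
// trait is still missing, the submission fails but the stored data is kept
// so the user can correct the form without another provider round-trip.
func (s *flowStore) submitRegistration(flowID string, required []string, formTraits map[string]string) (action, map[string]string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	d, ok := s.flows[flowID]
	if !ok {
		// Nothing stored for this flow: the provider must be consulted.
		return actionRedirectToProvider, nil, nil
	}
	traits := map[string]string{}
	for k, v := range d.Claims {
		traits[k] = v
	}
	for k, v := range formTraits {
		traits[k] = v
	}
	for _, r := range required {
		if traits[r] == "" {
			return actionRegisterWithStored, nil, fmt.Errorf("%w: %s", errMissingTraits, r)
		}
	}
	// Step 3: registration completed; drop tokens and claims so a later
	// submission of the same flow ID cannot reuse them.
	delete(s.flows, flowID)
	traits["provider"] = d.Provider
	return actionRegisterWithStored, traits, nil
}

func main() {
	s := newFlowStore()
	// Constructed sample: the provider returned an email but no username.
	s.storeOIDCData("flow-1", oidcData{
		Provider: "google",
		Tokens:   map[string]string{"id_token": "constructed-sample-token"},
		Claims:   map[string]string{"email": "alice@example.com"},
	})
	required := []string{"email", "username"}
	act, traits, err := s.submitRegistration("flow-1", required, map[string]string{})
	fmt.Println(act, traits, err)
	act, traits, err = s.submitRegistration("flow-1", required, map[string]string{"username": "alice"})
	fmt.Println(act, traits, err)
	act, _, _ = s.submitRegistration("flow-1", required, map[string]string{"username": "alice"})
	fmt.Println(act)
}
```

The first submission fails on the missing `username` but keeps the stored data; the second completes with the merged traits and deletes it; a third submission of the same flow ID falls back to the provider redirect because nothing is stored any more.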