New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: return to oauth flow after switching from login to other flows #3212
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3212 +/- ##
==========================================
+ Coverage 78.11% 78.15% +0.03%
==========================================
Files 324 324
Lines 20754 20762 +8
==========================================
+ Hits 16213 16227 +14
+ Misses 3333 3330 -3
+ Partials 1208 1205 -3
|
8014132
to
122d4ea
Compare
b96083b
to
05f6c49
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the login flow always the entry point, or do we need to add this logic also to registration? I guess not, but I wanted to bring it up anyway.
Follow up:
- consider always adding the OAuth2 server URL to the allow list for
return_to
URLs - if I understand correctly, the UI can be simplified now because it does not have to handle the return to the OAuth2 server anymore, we probably need to adjust that somewhere in the docs
44b9348
to
c2fc3de
Compare
This PR essentially makes it possible for more complex flows, such as OAuth2 flows are always directed to the login page - at least in the normal case. The user might configure Hydra to point to a registration page which would require Kratos to also have this functionality on the registration endpoint. But I think we don't need to worry about it for now. Once the OAuth2 server redirects to the login page, the UI could of course at this point set the OAuth request URL to the The drawbacks of adding it to the Account Experience is due to it not having any access to significant configuration values and it tries to lessen any API calls to reduce latency, so adding another API endpoint for just this key wouldn't be that great. Since Kratos is already being called by the Account Experience, it made sense to have Kratos dictate where the UI should end up at. Another bonus from this integration is that Custom UIs will also benefit from this and not just the Account Experience. The UI must, however, still handle the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code wise this LGTM, but I am not 100% sure I fully understand all consequences of this. Would like for someone else to confirm.
db726a7
to
dd6a88b
Compare
d259b33
to
6e4d5e6
Compare
….override_return_to`
Co-authored-by: Jonas Hungershausen <jonas.hungershausen@ory.sh>
Related issue(s)
ory/network#264
With
oauth2_provider.return_to_enabled = true
the following is possible:An end-user following a login flow from a Single Sign On portal to the OAuth2 provider (Hydra) will always be redirected back to the provider (Hydra) after performing a more complex flow, such as switching from
login
toregistration
orrecovery
flow in Kratos. The OAuth2 provider can then complete the flow and redirect the user accordingly.Note: The provider (Hydra) URL will also need to be added to Kratos's
selfservice.allowed_return_urls
configuration. Anyreturn_to
parameters supplied before the login request is created will be overwritten in Kratos by the OAuth2 provider URL.Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further Comments