The problem happens between the recovery and settings flow specifically since the recovery flow already creates a session with a settings flow.
The return_to is transferred correctly from the recovery to the settings flow, however, the settings flow has a handler which checks for a session. This handler does not respect carrying over return_to URLs from the flow itself or from the URL.
Describe the bug
When creating a recovery flow with the `return_to` query parameter, the URL is not respected when the account has two-factor authentication with TOTP or WebAuthn, since the user is redirected through the login flow asking for the two-factor credential. After submitting the two-factor credential the user continues to the settings page, which is correct; however, after submitting the settings page the initial `return_to` query parameter is not respected and the user is never redirected.

Expected steps:

- `return_to` url
- `return_to` url

Currently the flow ends up being:

- `return_to` url

This also seems to relate to ory/kratos#2832
Reproducing the bug
Ensure that the `settings` flow and the `sessions` flow have `required_aal` set to `highest_available`.

It also seems that this can be worked around by setting `required_aal` to `aal1` in both of the above cases.

Relevant log output
No response
Relevant configuration
No response
Version
latest
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
This can be observed by using the Ory Account Experience.
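Added example, not part of the issue and not the reporter's or the Ory project's configuration: a Kratos self-service configuration fragment showing where the two `required_aal` settings referred to above live, with the value that reproduces the report (`highest_available`) and the reported workaround (`aal1`) noted beside each. `selfservice.flows.settings.required_aal` and `session.whoami.required_aal` are the Kratos config keys for the settings flow and for the session (whoami) check; the `allowed_return_urls` entry and its hostname are assumptions about the deployment, included because Kratos only honours a `return_to` that matches that allow-list. On Ory Network the same keys are set through the Ory Console or CLI rather than a YAML file.

```yaml
# Added example, not the reporter's or the project's configuration.
# Kratos self-service config fragment (YAML). Both settings below apply
# to the report: with highest_available, a recovery-initiated session
# must complete the second factor before the settings flow is accepted.

session:
  whoami:
    # Session check used by the settings flow's session handler.
    # Reported setting: highest_available. Reported workaround: aal1.
    required_aal: highest_available

selfservice:
  # return_to is only honoured when it matches an allow-listed URL;
  # the hostname here is an assumption about the deployment.
  allowed_return_urls:
    - https://app.example.com/

  flows:
    settings:
      # Reported setting: highest_available. Reported workaround: aal1.
      required_aal: highest_available
      # Setting this to aal1 (the workaround) lets a session that only
      # completed the recovery link edit settings without the second
      # factor; weigh that before applying it.
```

The workaround trades away the step-up requirement: with `aal1` on both keys, whoever controls the recovery channel (typically the email inbox) can reach and submit the settings flow without presenting the TOTP or WebAuthn factor, so it is best treated as a temporary measure rather than a fix for the lost `return_to`.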