Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: use HTTP 303 instead of 302 for selfservice redirects #598

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/kratos/self-service.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ import DomainWarning from '@site/src/theme/DomainWarning'

<DomainWarning />

Once stored, the Browser is HTTP 302 redirected to the flow's configured UI URL
Once stored, the Browser is HTTP 303 redirected to the flow's configured UI URL
(e.g. `selfservice.flows.login.ui_url`), appending the flow ID as the `flow` URL
Query Parameter. Also included are HTTP cookies such as Anti-CSRF cookies.

Expand Down Expand Up @@ -429,7 +429,7 @@ requests.

:::info

Ory Kratos and your UI must be on the hosted on same top level domain! You can
Ory Kratos and your UI must be hosted on same top level domain! You can
not host Ory Kratos and your UI on separate top level domains:

- `kratos.bar.com` and `ui.bar.com` will work;
Expand Down
14 changes: 7 additions & 7 deletions docs/kratos/self-service/flows/account-recovery.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -277,7 +277,7 @@ $ curl -s -i -X GET \
-H "Accept: text/html" \
https://playground.projects.oryapis.com/api/kratos/public/self-service/recovery/browser

HTTP/2 302
HTTP/2 303
date: Fri, 09 Jul 2021 12:50:38 GMT
content-type: text/html; charset=utf-8
content-length: 120
Expand All @@ -288,10 +288,10 @@ vary: Origin
vary: Cookie
strict-transport-security: max-age=15724800; includeSubDomains

<a href="https://playground.projects.oryapis.com/hosted/recovery?flow=33964b22-c364-4217-b6fc-5f381d142d65">Found</a>.
<a href="https://playground.projects.oryapis.com/hosted/recovery?flow=33964b22-c364-4217-b6fc-5f381d142d65">See Other</a>.
```

The server responds with a HTTP 302 redirect to the Recovery UI, appending the
The server responds with a HTTP 303 redirect to the Recovery UI, appending the
`?flow=<flow-id>` query parameter (see the curl example) to the URL configured
here:

Expand Down Expand Up @@ -540,7 +540,7 @@ $ curl -H "Accept: application/json" -s \

The form payloads are then submitted to Ory Kratos which follows up with:

- An HTTP 302 Found redirect pointing to the Registration UI for Browser
- An HTTP 303 See Other redirect pointing to the Registration UI for Browser
Clients;
- An `application/json` response for API Clients and Client-Side Browser
applications (e.g. Single Page Apps).
Expand All @@ -552,7 +552,7 @@ validation errors such as a malformed email:

<CodeTabs items={getFlowMethodLinkWithErrors} />

When validation errors happen, browser clients receive a HTTP 302 Found redirect
When validation errors happen, browser clients receive a HTTP 303 See Other redirect
to the Recovery Flow UI, containing the Recovery Flow ID which includes the
error payloads.

Expand All @@ -568,7 +568,7 @@ On successful submission, an email will be sent to the provided address:
## Unsuccessful Recovery

If the recovery challenge (e.g. the link in the recovery email) is invalid or
expired, the user will be HTTP 302 redirected to the Recovery UI.
expired, the user will be HTTP 303 redirected to the Recovery UI.

:::note

Expand All @@ -586,7 +586,7 @@ Please keep in mind that this part of the flow always involves a Browser!

## Successful Recovery

Completing account recovery always results in a HTTP 302 redirect with a Ory
Completing account recovery always results in a HTTP 303 redirect with a Ory
Kratos Login Session Cookie to the Settings UI with a Settings Flow prompting
the user to update their password or credentials:

Expand Down
12 changes: 6 additions & 6 deletions docs/kratos/self-service/flows/user-login.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ strict-transport-security: max-age=15724800; includeSubDomains
<a href="https://playground.projects.oryapis.com/hosted/login?flow=3fc63726-8461-43f4-974a-5579ff4174f1">See Other</a>.
```

The server responds with a HTTP 302 redirect to the Login UI, appending the
The server responds with a HTTP 303 redirect to the Login UI, appending the
`?flow=<flow-id>` query parameter (see the curl example) to the URL configured
here:

Expand Down Expand Up @@ -476,7 +476,7 @@ $ curl -H "Accept: application/json" -s \

The form payloads are then submitted to Ory Kratos which follows up with:

- An HTTP 302 Found redirect pointing to the Login UI for Browser Clients;
- An HTTP 303 See Other redirect pointing to the Login UI for Browser Clients;
- An `application/json` response for API Clients and Client-Side Browser
applications (e.g. Single Page Apps).

Expand All @@ -488,7 +488,7 @@ missing identifier or password, or invalid credentials:

<CodeTabs items={getFlowMethodPasswordWithErrors} />

When validation errors happen, browser clients receive a HTTP 302 Found redirect
When validation errors happen, browser clients receive a HTTP 303 See Other redirect
to the Login Flow UI, containing the Login Flow ID which includes the error
payloads.

Expand Down Expand Up @@ -519,14 +519,14 @@ Completing the login behaves differently for Browser and API Clients.

### Server-Side Browser Clients

When the login is completed successfully, Ory Kratos responds with a HTTP 302
When the login is completed successfully, Ory Kratos responds with a HTTP 303
Redirect to the
[configured redirect URL](../../concepts/browser-redirect-flow-completion).
Alongside the HTTP 302 Redirect is a `Set-Cookie` header which contains the Ory
Alongside the HTTP 303 Redirect is a `Set-Cookie` header which contains the Ory
Kratos Login Session Cookie:

```
HTTP/1.1 302 Found
HTTP/1.1 303 See Other
Cache-Control: 0
Location: http://127.0.0.1:4455/
Set-Cookie: csrf_token=b8OebRPTPr5ow23mA5gIZmFNLeuMbv8pZz1jT1Ex7ys=; Path=/; Domain=127.0.0.1; Max-Age=31536000; HttpOnly
Expand Down
18 changes: 9 additions & 9 deletions docs/kratos/self-service/flows/user-registration.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ Kratos, your Registration UI, and the end-user's browser:

<SelfServiceBrowserFlow
flows={['registration']}
success="User created and successful HTTP 302 redirect"
success="User created and successful HTTP 303 redirect"
interactions={['"Sign up"']}
/>

Expand All @@ -136,7 +136,7 @@ strict-transport-security: max-age=15724800; includeSubDomains
<a href="https://playground.projects.oryapis.com/hosted/registration?flow=6c2ae96c-8486-42f0-91f9-f654eccd09fb">See Other</a>.
```

The server responds with a HTTP 302 redirect to the Registration UI, appending
The server responds with a HTTP 303 redirect to the Registration UI, appending
the `?flow=<flow-id>` query parameter (see the curl example) to the configured
registration URL.

Expand Down Expand Up @@ -540,7 +540,7 @@ $ curl -H "Accept: application/json" -s \

The form payloads are then submitted to Ory Kratos which follows up with:

- An HTTP 302 Found redirect pointing to the Registration UI for Browser
- An HTTP 303 See Other redirect pointing to the Registration UI for Browser
Clients;
- An `application/json` response for API Clients and Client-Side Browser
applications (e.g. Single Page Apps).
Expand Down Expand Up @@ -589,7 +589,7 @@ validation errors:

<CodeTabs items={getFlowMethodPasswordWithErrors} />

When validation errors happen, browser clients receive a HTTP 302 Found redirect
When validation errors happen, browser clients receive a HTTP 303 See Other redirect
to the Registration Flow UI, containing the Registration Flow ID which includes
the error payloads.

Expand Down Expand Up @@ -700,17 +700,17 @@ typically not an issue if you follow the guidelines in the
### Server-Side Browser Clients

When the registration is completed successfully, Ory Kratos responds with a HTTP
302 Redirect to the
303 Redirect to the
[configured redirect URL](../../concepts/browser-redirect-flow-completion.mdx).

#### With Auto-Login on Registration

If the `session` after hook is enabled, a `Set-Cookie` HTTP Header is set
alongside the HTTP 302 redirect which contains the Ory Kratos Login Session
alongside the HTTP 303 redirect which contains the Ory Kratos Login Session
Cookie:

```
HTTP/1.1 302 Found
HTTP/1.1 303 See Other
Cache-Control: 0
Location: http://127.0.0.1:4455/
Set-Cookie: csrf_token=b8OebRPTPr5ow23mA5gIZmFNLeuMbv8pZz1jT1Ex7ys=; Path=/; Domain=127.0.0.1; Max-Age=31536000; HttpOnly
Expand Down Expand Up @@ -803,11 +803,11 @@ When the registration is completed successfully, Ory Kratos responds with a HTTP
#### With Auto-Login on Registration

If the `session` after hook is enabled, a `Set-Cookie` HTTP Header is set
alongside the HTTP 302 redirect which contains the Ory Kratos Login Session
alongside the HTTP 303 redirect which contains the Ory Kratos Login Session
Cookie:

```
HTTP/1.1 302 Found
HTTP/1.1 303 See Other
Cache-Control: 0
Location: http://127.0.0.1:4455/
Set-Cookie: csrf_token=b8OebRPTPr5ow23mA5gIZmFNLeuMbv8pZz1jT1Ex7ys=; Path=/; Domain=127.0.0.1; Max-Age=31536000; HttpOnly
Expand Down
14 changes: 7 additions & 7 deletions docs/kratos/self-service/flows/user-settings.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@ Kratos, your Settings UI, and the end-user's browser:

<SelfServiceBrowserFlow
flows={['settings']}
success="Identity Updated and HTTP 302 redirect to Success Flow"
success="Identity Updated and HTTP 303 redirect to Success Flow"
interactions={['"Save Profile Changes"']}
/>

Expand Down Expand Up @@ -262,7 +262,7 @@ $ curl -s -i -X GET \
-H "Accept: text/html" \
https://playground.projects.oryapis.com/api/kratos/public/self-service/settings/browser

HTTP/2 302
HTTP/2 303
date: Fri, 09 Jul 2021 11:07:48 GMT
content-type: text/html; charset=utf-8
content-length: 120
Expand All @@ -272,10 +272,10 @@ vary: Origin
vary: Cookie
strict-transport-security: max-age=15724800; includeSubDomains

<a href="https://playground.projects.oryapis.com/hosted/settings?flow=95efce11-0bd2-4f55-abce-180ced8b69d7">Found</a>.
<a href="https://playground.projects.oryapis.com/hosted/settings?flow=95efce11-0bd2-4f55-abce-180ced8b69d7">See Other</a>.
```

The server responds with a HTTP 302 redirect to the Settings UI, appending the
The server responds with a HTTP 303 redirect to the Settings UI, appending the
`?flow=<flow-id>` query parameter (see the curl example) to the configured
settings URL.

Expand Down Expand Up @@ -647,12 +647,12 @@ a future version, which is partially tracked as

The form payloads are then submitted to Ory Kratos which follows up with:

- An HTTP 302 Found redirect pointing to the Registration UI for Browser
- An HTTP 303 See Other redirect pointing to the Registration UI for Browser
Clients;
- An `application/json` response for API Clients and Client-Side Browser
applications (e.g. Single Page Apps).

When validation errors happen, browser clients receive a HTTP 302 Found redirect
When validation errors happen, browser clients receive a HTTP 303 See Other redirect
to the Settings Flow UI, containing the Settings Flow ID which includes the
error payloads. For API Clients, the server typically responds with HTTP 400 Bad
Request `application/json` and the Settings Flow in the response payload as
Expand Down Expand Up @@ -692,7 +692,7 @@ Completing the settings update behaves differently for Browser and API Clients.
### Server-Side Browser Clients

When the profile update is completed successfully, Ory Kratos responds with a
HTTP 302 Redirect to the Settings UI which now contains the success state
HTTP 303 Redirect to the Settings UI which now contains the success state
(`state: success`) as well as the updated identity:

```shell-session
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -254,7 +254,7 @@ $ curl -s -i -X GET \
-H "Accept: text/html" \
https://playground.projects.oryapis.com/api/kratos/public/self-service/verification/browser

HTTP/2 302
HTTP/2 303
date: Fri, 09 Jul 2021 13:08:00 GMT
content-type: text/html; charset=utf-8
content-length: 124
Expand All @@ -265,10 +265,10 @@ vary: Origin
vary: Cookie
strict-transport-security: max-age=15724800; includeSubDomains

<a href="https://playground.projects.oryapis.com/hosted/verification?flow=ba66958a-5f15-4b8f-88f9-52b35020db5c">Found</a>.
<a href="https://playground.projects.oryapis.com/hosted/verification?flow=ba66958a-5f15-4b8f-88f9-52b35020db5c">See Other</a>.
```

The server responds with a HTTP 302 redirect to the Verification UI, appending
The server responds with a HTTP 303 redirect to the Verification UI, appending
the `?flow=<flow-id>` query parameter (see the curl example) to the URL
configured here:

Expand Down Expand Up @@ -562,7 +562,7 @@ $ curl -H "Accept: application/json" -s \

The form payloads are then submitted to Ory Kratos which follows up with:

- An HTTP 302 Found redirect pointing to the Registration UI for Browser
- An HTTP 303 See Other redirect pointing to the Registration UI for Browser
Clients;
- An `application/json` response for API Clients and Client-Side Browser
applications (e.g. Single Page Apps).
Expand All @@ -574,7 +574,7 @@ validation errors such as a malformed email:

<CodeTabs items={getFlowMethodLinkWithErrors} />

When validation errors happen, browser clients receive a HTTP 302 Found redirect
When validation errors happen, browser clients receive a HTTP 303 See Other redirect
to the Verification Flow UI, containing the Verification Flow ID which includes
the error payloads.

Expand All @@ -590,7 +590,7 @@ On successful submission, an email will be sent to the provided address:
## Unsuccessful Verification

If the verification challenge (e.g. the link in the verification email) is
invalid or expired, the user will be HTTP 302 redirected to the Verification UI.
invalid or expired, the user will be HTTP 303 redirected to the Verification UI.

:::note

Expand Down