# talk-kratos
s
Hey 👋, I'm interested in using Kratos purely as a headless API. I have a question about the OIDC flow. We can start the login flow through our own API with Kratos' createBrowserLoginFlow method (https://www.ory.sh/docs/reference/api#tag/frontend/operation/createBrowserLoginFlow). I'm looking for a method that can convert the return from the OIDC provider into an ory session, but I can't find it. I think the method I'm looking for is in the Kratos source code, here: https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L243 👀
p
Hi @silly-evening-67657 The Browser flows create a session cookie by default and for OIDC, you need to redirect the user to the provider (e.g. Sign in with Google) which will then upon completion redirect the user back to Kratos with the access code in the query parameters which Kratos exchanges for an access token server-side. After this exchange Kratos issues a session cookie to the client directly. The flow looks something like this:
browser (app) -> createBrowserLoginFlow -> kratos (returns json or redirects to login UI)
browser (app) -> getBrowserLoginFlow -> kratos (returns json ui nodes)
browser (app) -> shows form data based on json ui nodes
browser (app) -> submit form for OIDC -> kratos (provider_url) -> provider
provider -> authenticate user -> redirect to kratos with access code
kratos exchange code for token and issue session cookie -> browser (app)
For Native apps the flows can be done in-place https://www.ory.sh/docs/kratos/social-signin/native-apps
s
Thank you very much for your detailed answer @proud-plumber-24205 👏 . As an open-source package maintainer, I really appreciate the community support you have provided us. Great job! ❤️ We have implemented the entire flow, but we are trying to prevent Kratos from redirecting to the 'kratos_base_url/register?flowId=xxxx' page with a new register flow when it encounters a 'duplicate identifier' error during OIDC login. This is because we think that when the OIDC flow starts from localhost domain, the user should be redirected to 'localhost/register?flowId=xxxx'. Is there a way to achieve this?
p
It's no problem 🙂 I fixed the redirect to registration within this PR https://github.com/ory/kratos/pull/3151 a while back. It should be redirecting you to `base_url/login?flow=?` if you are using the latest version (v0.13.0). As for the redirect back to localhost, this can only work if you are rewriting the cookies and URLs for the localhost client from Kratos. I'm assuming you have Kratos hosted on a domain (example.com) and you want to do local testing against it?
m
Hello @proud-plumber-24205, basically, yes, we are trying to test the app locally. Can we rewrite return URLs for localhost somehow? AFAIK, we have a single base URL that can't be overridden. So basically, what we do is, we created "proxy" endpoints on our API (example.com/api/v1/kratos), and this endpoint has the Kratos paths, "browser/login", etc. When the user initiates the flow, we keep request.referer in a state map together with the `state` query from the OIDC flow. Later we use this to correctly redirect the user to either localhost or example.com. Basically, requests always go to example.com/.kratos/xxxx, but depending on the value in the state map, we redirect to localhost/.ory/xxx or example.com/.ory/xxx. Locally, we created a proxy to handle that: our local proxy forwards requests to example.com/.ory. When the user is redirected to localhost, we successfully write cookies. For example, example.com//self-service/methods/oidc/callback/:provider does the following redirect:
```javascript
// Look up the origin (localhost or example.com) recorded for this OIDC `state`
const redirectURI = StateMap.get(state);

// Forward the provider callback, with its original query string, to that origin
res.redirect(
  `${redirectURI}.ory/self-service/methods/oidc/callback/${provider}?${new URLSearchParams(
    query,
  )}`,
);
```
redirectURI is localhost in that case, and we have a proxy redirecting `.ory` to the remote Ory installation. So when the user is redirected to this URL (example.com/.ory/xxx), we get the redirect URI from this map (localhost/.ory/xxx). This works fine as long as we have `state`; however, when there is an error, it creates a new registration flow and redirects to example.com/registration (set from the Kratos URL). We are thinking about using the continuity token for this case: for example, when the user starts the flow, we keep the continuity token in the map and record its referrer. If we are redirected to this URL, we get the referer from the map and redirect the user to either localhost/xxx or example.com/xxx, so the cookie rewrites will work.
To clarify, we are using the self-hosted version. If I understand correctly, you mention rewriting the base URL for the localhost client; how is that possible?
p
It seems you have most of the wiring already done for this. You can take a look at https://github.com/ory/cli since the CLI does the rewrite between local dev and Ory Network. For Social sign in this is a bit more difficult and how we resolved it is unfortunately closed source inside the Ory Network.
m
We created a proxy for ourselves to handle the cookie rewrite already, and it works for the happy path. Our problem is with error flows: if a user already logged in as a@example.com with GitHub and tries to log in with the same email with Google, Kratos redirects to the registration flow, which is a new flow, and we don't have the referer (just pushed a commit that persists the continuity token with the original referrer and handles the redirect). Do you think creating different Kratos instances connecting to the same DB would be an ideal solution? One last thing: I know it's closed source, but are you allowed to share some "tips" about how to fix social sign-in for local?
p
I unfortunately can't share anything we do inside the Ory Network. Yes, you can spin up a local Kratos instance with a localhost base URL connected to the same DB. This should work AFAIK.
s
Thank you very much for your support ❤️