If opting out of implicit `<form>` request l...
# talk-kratos
p
If opting out of implicit `<form>` request logic when building our own login/consent UI, is there a way of updating login flow and receiving the redirect information without triggering 4XX error codes?
up
n
Browser flows with an accept header of `application/json` will not redirect but instead respond with HTTP 200 and an application/json body with the signed in identity and a `Set-Cookie` header on success; HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set; HTTP 400 on form validation errors.
https://www.ory.sh/docs/reference/api#tag/frontend/operation/updateRegistrationFlow Sounds relevant to what you're trying to achieve
p
I'll try to override axios client params in the update flow call
feels like the ory/client is what is supposed to expose this duality
I set the `Accept` header on frontend API updateLoginFlow JS axios call and still got 422.
f
422 is the expected response if you're doing a social sign in (oidc) flow or logging in as part of an OAuth flow.
p
@flat-flower-81031 where would you say this is documented or described as far as OAuth standards/practices?
Anyway, question is if 422 is the only and the only correct way to handle this when not making a form post request. I don’t see a way around it in the code but I was wondering if someone can confirm my reasoning. Would be ideal to avoid any 4XX in the network log.
l
Code was recently added here: https://github.com/ory/kratos/pull/3271 Docs for that route say, “`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL. Most likely used in Social Sign In flows.”
p
Yea but I’m entirely sure what that means
l
`err.response.data` will have a `redirect_browser_to` value. You need to redirect to it. It can’t just return a 200 since you need to go somewhere else to finish the flow.
I am not trying to be difficult or dense. Just curious. Let me rephrase: is there another endpoint I can call to update login flow with a `password` payload, where I would receive a 200 back containing a JSON payload with a redirect URL?
l
No, I don’t think so. I assume they choose 422 instead of 200 so you know there is still something else you need to do?
I agree it is a bit weird that it is a non-2xx response.
p
That would make sense re: “more steps needed 🚨 ” — 4XX errors are pretty good when it comes to attracting attention; let’s wait for a response from ORY core contributors regarding the intentions within this design and possible alternatives.