Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

hey just wondering what the recommended approach is for handling 403 `session_refresh_required` responses when updating Settings flows in a single page app? We can check for this error ID and route the app to perform a refresh login flow. But what’s the recommended way of getting back to the settings flow? This information isn’t in the error payload, and the `redirect_browser_to` field has a Kratos URL, eg:

```"redirect_browser_to": "<http://KRATOS/self-service/login/browser?refresh=true>\u0026return_to=http%3A%2F%2FKRATOS%2Fself-service%2Fsettings%3Fflow%3Df96a92d9-06d3-473d-9df4-58e5eba810f1"```
Are we supposed to parse this URL ourselves, extract and parse the `return_to`, convert it to a route in our SPA? We can’t use as-is because it will cause a bunch of page reloads which we don’t want in an SPA.

I would have thought Kratos would set a return_to to our actual app’s settings URL in this case, but it wants to redirect via a kratos frontend URL first

the example React Native UI also doesn’t handle the 403 redirect, it just logs the user out: <https://github.com/ory/kratos-selfservice-ui-react-native/blob/master/src/helpers/form.tsx#L153>