# talk-kratos
e
Hi! I need some help when implementing the settings flow for a react client side SPA. I am having troubles with the succession of api calls and the redirects when the session is no longer valid when updating privileged fields.
1. I am calling self-service/settings/browser
2. I use the return value to get the flow id and the csrf token
3. I call /self-service/settings with the flow id, the csrf token and a NEW PASSWORD
4. I receive error session_refresh_required with a redirect_browser_to url
5. I redirect to the specified url /self-service/login/browser which contains query params for refresh=true and a return_to url that is /self-service/settings
6. I log in with the user's credentials with refresh true
7. I call the /self-service/settings
8. The PASSWORD doesn't seem to be updated
I am probably doing something wrong?
The flow that I am trying to implement is what can be seen in this video: https://www.ory.sh/docs/assets/medias/browser-privileged-update-1f0a8534724a1c3e63af722453ea483e.webm
Pinging @magnificent-energy-493 and @steep-lamp-91158 as requested. How can we update privileged fields when the session is outdated? Client side SPA.
s
the change is only persisted for privileged sessions, so the new password has to be stored after the login with refresh=true
we want to add a field to the whoami response that indicates whether the session is privileged
or a timestamp until when it is privileged
but that way you can determine BEFORE submitting the new password whether the refresh=true flow has to be done, and trigger it on your side
e
I think I understand better. So currently the user has to live with the UX that he/she has to submit the new password twice: Once to initiate and a second time after refreshing the session.
The video was giving the impression that the second submission would have been done automatically/in the background.
Is there an open GitHub issue about adding the privileged: true key/value pair to whoami so that I could track the progress?
s
We had a private one, so I created https://github.com/ory/kratos/issues/2633