<@U04UQ68083H> how to get a valid session token fo...
# ory-copilot
@chilly-king-10285 how to get a valid session token for accessing a settings flow after providing a valid recovery code to the existing recovery flow using '...self-service/recovery?flow={storedFlowId}' with body content fields 'code={receivedCodeOnEmail}', 'method=code' without browser redirection?
A message from kapa.ai
To get a valid session token for accessing a settings flow after providing a valid recovery code to the existing recovery flow, you need to follow these steps:

1. Submit the recovery flow with the user's email by sending a POST request to the `/self-service/recovery` endpoint. For this, you need to send all cookies and the CSRF token in the request body. The CSRF token value is a hidden input field called `csrf_token`. The recovery flow can have a second submit step if the recovery method is set to `code`. In such a case, the recovery flow shows a field to submit the received code the user gets after they submit their email. Here is an example of how to do this using cURL:

```bash
curl -X POST -H 'Content-Type: application/json' \
     -H 'Accept: application/json' \
     -d '{"method":"code","email":"[email protected]","csrf_token":"your-csrf-token"}' \
     -b cookies.txt \
     "https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery?flow=<your-flow-id>"
```
Replace `<your-flow-id>` with the stored flow ID and `your-csrf-token` with the CSRF token you received. Also, replace `[email protected]` with the email you used to initiate the recovery flow.

2. After successfully submitting the recovery flow, you should receive a session token. This token can be used to access the settings flow. To get the settings flow, send a GET request to the `/self-service/settings/flows` endpoint. Make sure to set the Ory Kratos Session Token in the request header. Here is an example of how to do this using cURL:

```bash
curl -s -X GET \
     -H "Accept: application/json" \
     -H "Authorization: bearer $sessionToken" \
     "https://playground.projects.oryapis.com/self-service/settings/flows?id=$flowId"
```
Replace `$sessionToken` with the session token you received and `$flowId` with the ID of the settings flow. Please note that these steps are for API flows and not for browser flows. Using API flows in Single-Page-Apps as well as server-side apps opens up several potential attack vectors, including Login and other CSRF attacks.

Sources:
- [Submit recovery flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-recovery-flow)
- [Get Settings Flow](https://www.ory.sh/docs/reference/api)
- [Initialize settings flow](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#initialize-settings-flow)
- [User and profile settings updates for API clients and clients without browsers](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#user-and-profile-settings-updates-for-api-clients-and-clients-without-browsers)
@chilly-king-10285 I'm doing this in a native app so I guess I don't need to provide any CSRF token or cookies. And yes I'm doing a second request with the code that I received in my email message. After submitting the code, I'm not getting any session token but receive a message about 'browser_location_change_required'.
A message from kapa.ai
In a native application, you're correct that you don't need to provide a CSRF token or cookies. Native applications use API flows which don't set any cookies. The response contains all data required to render the UI. On successful login, Ory issues a session token that can be used to authenticate following requests to Ory. However, the message 'browser_location_change_required' indicates that the flow was initiated in a browser context and needs to be completed in a browser context. This is a security measure to prevent Cross-Site Request Forgery (CSRF) attacks. In a native app, you should use the `/self-service/{flow_type}/api` endpoint to initialize flows such as sign in, registration, profile changes, and so on. When using this endpoint, no CSRF cookies will be issued by Ory. Instead, Ory issues an Ory Session Token instead of an Ory Session Cookie. This token is equivalent to the session cookie and returns the same session response when calling `ory.toSession({ xSessionToken: "{session-token}" })`. Here is an example of how to submit the recovery flow in a native app:

```bash
curl -X POST \
     -H 'Content-Type: application/json' \
     -H 'Accept: application/json' \
     -d '{"method":"code","email":"[email protected]","code":"your-received-code"}' \
     "https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery/api?flow=<your-flow-id>"
```
Replace `<your-flow-id>` with the stored flow ID and `your-received-code` with the code you received in your email. Also, replace `[email protected]` with the email you used to initiate the recovery flow.

Sources:
- [Browser vs native apps](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#browser-vs-native-apps)
- [Native apps](https://www.ory.sh/docs/identities/native-browser)
- [Native application](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#native-application)
A message from kapa.ai
In a native application, you're correct that you don't need to provide a CSRF token or cookies. Native applications use API flows which don't set any cookies. The response contains all data required to render the UI. On successful login, Ory issues a session token that can be used to authenticate following requests to Ory. However, the message 'browser_location_change_required' suggests that the flow is expecting a browser redirection, which is not applicable in a native app context. For native applications, you should be using the `/self-service/{flow_type}/api` endpoint. For example, for the recovery flow, you should be using the `/self-service/recovery/api` endpoint. If you're still facing issues, it might be due to the specific implementation or configuration of your application. You might want to check the Ory documentation or community for more specific guidance.

Sources:
- [Ory Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api)
- [Ory Kratos Integration Basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#native-application)
@chilly-king-10285 I'm using the native app context you provided and still I'm getting the response from the recovery code flow request with browser redirection. Are there any special steps to proceed in a config file or whatever to avoid the redirections and receive the session token instead?
A message from kapa.ai
In the context of a native application, you should not be receiving a browser redirection response. If you are, it might be due to a misconfiguration in your setup. Here are a few things you can check:

1. Ensure you're using the correct endpoint for native applications. For the recovery flow, you should be using the `/self-service/recovery/api` endpoint.
2. Make sure you're sending the correct headers and body content in your request. For example, you should be sending 'Content-Type: application/json' and 'Accept: application/json' headers.
3. Check your Ory Kratos configuration file. Make sure you have correctly configured the settings for self-service flows.

Unfortunately, without more specific information about your setup and the exact request you're making, it's hard to provide more specific guidance. If you're still facing issues, I would recommend checking the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/) or reaching out to the Ory community for more specific guidance.
@chilly-king-10285 I'm pretty sure that I'm using correct endpoints. What settings should I be aware of in the config file ?