# ory-copilot
h
Hi @chilly-king-10285, after a successful password recovery, Kratos does not revoke the active sessions and it does not redirect to https://local.wlw.de/ui/login. It redirects directly to https://local.wlw.de with an active session. Are there any mistakes in the following configuration for the settings flow?
```yaml
settings:
  lifespan: 2h
  privileged_session_max_age: 15m
  required_aal: highest_available
  after:
    password:
      default_browser_return_url: https://local.wlw.de/ui/login
      hooks:
        - hook: revoke_active_sessions
    hooks:
      - hook: web_hook
        config:
          # url: http://localhost:10805/foo?flow=settings # set via SELFSERVICE_FLOWS_SETTINGS_AFTER_HOOKS_0_CONFIG_URL
          method: "POST"
          body: file:///app/hook.segment_identify.jsonnet
          response:
            ignore: true
```
b
A message from kapa.ai
Based on the knowledge sources, I can identify a few issues with your configuration for the recovery flow.

## Issue 1: Recovery Flow Redirection

The recovery flow in Ory Kratos doesn't respect the `default_browser_return_url` configuration in the same way as login or registration flows. After a successful recovery, Kratos automatically redirects to the settings flow, not to your configured redirect URL. As mentioned in the documentation:

> The Post-Recovery redirect isn't supported and will automatically redirect the user to the Settings UI URL. Use the Post-Settings redirect for Post-Recovery flows.

[Link to Redirects documentation](https://www.ory.sh/docs/concepts/redirects#redirect-flows)

## Issue 2: Session Revocation After Recovery

To revoke active sessions after recovery, you need to add the `revoke_active_sessions` hook to the recovery flow configuration, not just to the settings flow. Your current configuration only has it in the settings flow. According to the documentation:

```yaml
selfservice:
  flows:
    recovery:
      enabled: true
      ui_url: http://your.ui/recovery
      after:
        hooks:
          - hook: revoke_active_sessions
```

[Link to Account recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions)

## Issue 3: AAL Configuration

Your configuration uses `required_aal: highest_available`, which might be causing issues with the flow. When using this setting with MFA enabled, there are known issues with redirection after recovery. As noted in a GitHub issue:

> It also seems that this can be worked around by setting the `required_aal` to `aal1` on both above cases.

[Link to GitHub issue](https://github.com/ory/network/issues/222)

## Recommended Changes

1. Add the `revoke_active_sessions` hook to the recovery flow configuration
2. Consider changing `required_aal` to `aal1` if you're experiencing issues with MFA
3. For the redirect after recovery, you'll need to handle this in your UI since Kratos automatically redirects to the settings flow

Your updated configuration might look like:

```yaml
recovery:
  enabled: true
  ui_url: https://local.wlw.de/recovery
  after:
    hooks:
      - hook: revoke_active_sessions
settings:
  lifespan: 2h
  privileged_session_max_age: 15m
  required_aal: aal1  # Changed from highest_available
  after:
    password:
      default_browser_return_url: https://local.wlw.de/ui/login
      hooks:
        - hook: revoke_active_sessions
```
h
@chilly-king-10285 Is `revoke_active_sessions` allowed in the recovery flow? Kratos shows an error when configuring hooks for recovery.
b
A message from kapa.ai
Yes, the `revoke_active_sessions` hook is allowed in the recovery flow in Ory Kratos. This is explicitly documented in the Kratos documentation for account recovery and password reset. According to the documentation:

```yaml
selfservice:
  flows:
    recovery:
      enabled: true
      ui_url: http://your.ui/recovery
      after:
        hooks:
          - hook: revoke_active_sessions
```

The [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions) documentation specifically mentions this use case:

> In some scenarios it can be useful to revoke all active sessions of the user when they recover their account. This forces anyone with access to the account to re-authenticate using the new password set up in the recovery process.

If you're encountering an error when configuring this hook, it could be due to:

1. Syntax issues in your YAML configuration
2. Using an older version of Kratos that doesn't support this feature
3. Incorrect placement of the hook in the configuration structure

The proper way to add this hook is to use the Ory CLI:

```bash
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
```

Then add the hook configuration:

```yaml
selfservice:
  flows:
    recovery:
      enabled: true
      ui_url: http://your.ui/recovery
      after:
        hooks:
          - hook: revoke_active_sessions
```

And update the configuration:

```bash
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
```

If you're still experiencing issues, please share the specific error message you're receiving for more targeted assistance.
h
@chilly-king-10285 Here is the configuration:
```yaml
settings:
  lifespan: 2h
  privileged_session_max_age: 15m
  required_aal: aal1
  after:
    password:
      default_browser_return_url: https://local.wlw.de/ui/login
      hooks:
        - hook: revoke_active_sessions
    hooks:
      - hook: web_hook
        config:
          # url: http://localhost:10805/foo?flow=settings # set via SELFSERVICE_FLOWS_SETTINGS_AFTER_HOOKS_0_CONFIG_URL
          method: "POST"
          body: file:///app/hook.segment_identify.jsonnet
          response:
            ignore: true

recovery:
  enabled: true
  use: code
  lifespan: 2h
  notify_unknown_recipients: false
  after:
    hooks:
      - hook: revoke_active_sessions
      - hook: web_hook
        config:
          # url: http://localhost:10805/foo?flow=recovery # set via SELFSERVICE_FLOWS_RECOVERY_AFTER_HOOKS_0_CONFIG_URL
          method: "POST"
          body: file:///app/hook.segment_identify.jsonnet
          response:
            ignore: true
```
b
A message from kapa.ai
Looking at your configuration, I can see you've set up both the settings and recovery flows with hooks. Let me analyze the potential issues with your configuration.

## Issue with Hook Order in Recovery Flow

The main issue I see is with the order of your hooks in the recovery flow. According to the documentation, when using multiple hooks, the order matters significantly, especially when using the `session` hook or similar hooks that modify the HTTP response. As explained in the troubleshooting documentation:

> If an Ory Action webhook fails to trigger, verify whether the sign in after registration `session` hook is activated. Because the `session` hook modifies the HTTP response, no other hooks are executed after it. If you want to execute other hooks besides the `session` hook, you need to make sure that it is executed last.

[Troubleshoot Ory Actions Webhook issues](https://www.ory.sh/docs/troubleshooting/troubleshoot-actions)

In your recovery flow configuration, you have:

```yaml
after:
  hooks:
    - hook: revoke_active_sessions
    - hook: web_hook
      config:
        # url configuration...
```

The `revoke_active_sessions` hook should work fine, but it might be affecting the execution of the subsequent `web_hook`.

## Recommendations

1. Change the hook order: Try placing the `web_hook` before the `revoke_active_sessions` hook:

```yaml
after:
  hooks:
    - hook: web_hook
      config:
        # url configuration...
    - hook: revoke_active_sessions
```

2. Check for session hook: Make sure there's no implicit `session` hook being added to your recovery flow. The documentation and GitHub issues indicate that hooks like `session` that modify HTTP responses prevent subsequent hooks from executing.
3. Verify webhook configuration: Ensure your webhook URL is correctly set through the environment variable you've commented out.
4. Check logs: Look at the Kratos logs to see if there are any specific errors related to hook execution during the recovery flow.

If you're still experiencing issues after these changes, it might be helpful to export your complete configuration using the Ory CLI and review it for any conflicting settings or unexpected hook configurations. The configuration structure itself looks correct, with the `revoke_active_sessions` hook properly placed in both the settings and recovery flows as recommended in the [documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions).
h
@chilly-king-10285 Here is the error:
```text
Usage:
  kratos serve [flags]

Flags:
  -c, --config strings   Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file.
      --dev              Disables critical security features to make development easier
  -h, --help             help for serve
      --sqa-opt-out      Disable anonymized telemetry reports - for more information please visit https://www.ory.sh/docs/ecosystem/sqa
      --watch-courier    Run the message courier as a background task, to simplify single-instance setup

I[#/selfservice/flows/recovery/after] S[#/properties/selfservice/properties/flows/properties/recovery/properties/after/$ref] doesn't validate with "#/definitions/selfServiceAfterRecovery"
  I[#/selfservice/flows/recovery/after/hooks] S[#/definitions/selfServiceAfterRecovery/properties/hooks/$ref] doesn't validate with "#/definitions/selfServiceAfterRecoveryHooks"
    I[#/selfservice/flows/recovery/after/hooks] S[#/definitions/selfServiceAfterRecoveryHooks] validation failed
      I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf] anyOf failed
        I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf/0/$ref] doesn't validate with "#/definitions/selfServiceWebHook"
          I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceWebHook] validation failed
            I[#/selfservice/flows/recovery/after/hooks/0/hook] S[#/definitions/selfServiceWebHook/properties/hook/const] value must be "web_hook"
            I[#/selfservice/flows/recovery/after/hooks/0/config] S[#/definitions/selfServiceWebHook/properties/config/required] missing properties: "method"
        I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf/1/$ref] doesn't validate with "#/definitions/selfServiceSessionRevokerHook"
          I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceSessionRevokerHook/additionalProperties] additionalProperties "config" not allowed
      I[#/selfservice/flows/recovery/after/hooks/1] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf] anyOf failed
        I[#/selfservice/flows/recovery/after/hooks/1] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf/0/$ref] doesn't validate with "#/definitions/selfServiceWebHook"
          I[#/selfservice/flows/recovery/after/hooks/1/config] S[#/definitions/selfServiceWebHook/properties/config/required] missing properties: "url"
        I[#/selfservice/flows/recovery/after/hooks/1] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf/1/$ref] doesn't validate with "#/definitions/selfServiceSessionRevokerHook"
          I[#/selfservice/flows/recovery/after/hooks/1] S[#/definitions/selfServiceSessionRevokerHook] validation failed
            I[#/selfservice/flows/recovery/after/hooks/1/hook] S[#/definitions/selfServiceSessionRevokerHook/properties/hook/const] value must be "revoke_active_sessions"
            I[#/selfservice/flows/recovery/after/hooks/1] S[#/definitions/selfServiceSessionRevokerHook/additionalProperties] additionalProperties "config" not allowed
```
b
A message from kapa.ai
Based on the error message, I can see there are validation issues with your recovery flow hooks configuration. Let me break down the problems:

## Main Issues

1. Hook Type Validation:
   - For the first hook (`revoke_active_sessions`), the error indicates it's expecting a `web_hook` type but found something else
   - For the second hook (`web_hook`), there are missing required properties
2. Configuration Properties:
   - The `revoke_active_sessions` hook should not have a `config` property
   - The `web_hook` hook is missing required properties like `url` and `method`

## How to Fix Your Configuration

Your recovery flow hooks configuration should look like this:

```yaml
recovery:
  enabled: true
  use: code
  lifespan: 2h
  notify_unknown_recipients: false
  after:
    hooks:
      - hook: revoke_active_sessions
      - hook: web_hook
        config:
          url: "http://your-webhook-url"  # Required property
          method: "POST"                  # Required property
          body: file:///app/hook.segment_identify.jsonnet
          response:
            ignore: true
```

The key points to fix:

1. The `revoke_active_sessions` hook should be a simple declaration without any config properties
2. The `web_hook` hook must have the required `url` property (which seems to be commented out in your configuration)

This aligns with what's documented in the [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions) documentation, where the `revoke_active_sessions` hook is shown as a simple declaration without additional configuration. If you're using environment variables to set the webhook URL, make sure those environment variables are properly set and accessible to Kratos when it starts up.
h
@chilly-king-10285 please tell me what is the mistake in the following config:
```yaml
settings:
  lifespan: 2h
  privileged_session_max_age: 15m
  required_aal: aal1
  after:
    password:
      default_browser_return_url: https://local.wlw.de/ui/login
      hooks:
        - hook: revoke_active_sessions

recovery:
  enabled: true
  use: code
  lifespan: 2h
  notify_unknown_recipients: false
  after:
    hooks:
      - hook: revoke_active_sessions
```

```text
I[#/selfservice/flows] S[#/properties/selfservice/properties/flows] validation failed
  I[#/selfservice/flows/settings/after] S[#/properties/selfservice/properties/flows/properties/settings/properties/after/$ref] doesn't validate with "#/definitions/selfServiceAfterSettings"
    I[#/selfservice/flows/settings/after/hooks] S[#/definitions/selfServiceAfterSettings/properties/hooks/$ref] doesn't validate with "#/definitions/selfServiceHooks"
      I[#/selfservice/flows/settings/after/hooks/0] S[#/definitions/selfServiceHooks/items/anyOf] anyOf failed
        I[#/selfservice/flows/settings/after/hooks/0] S[#/definitions/selfServiceHooks/items/anyOf/0/$ref] doesn't validate with "#/definitions/selfServiceWebHook"
          I[#/selfservice/flows/settings/after/hooks/0] S[#/definitions/selfServiceWebHook] validation failed
            I[#/selfservice/flows/settings/after/hooks/0] S[#/definitions/selfServiceWebHook/required] missing properties: "hook"
            I[#/selfservice/flows/settings/after/hooks/0/config] S[#/definitions/selfServiceWebHook/properties/config/required] missing properties: "method"
        I[#/selfservice/flows/settings/after/hooks/0] S[#/definitions/selfServiceHooks/items/anyOf/1/$ref] doesn't validate with "#/definitions/b2bSSOHook"
          I[#/selfservice/flows/settings/after/hooks/0] S[#/definitions/b2bSSOHook/required] missing properties: "hook"
  I[#/selfservice/flows/recovery/after] S[#/properties/selfservice/properties/flows/properties/recovery/properties/after/$ref] doesn't validate with "#/definitions/selfServiceAfterRecovery"
    I[#/selfservice/flows/recovery/after/hooks] S[#/definitions/selfServiceAfterRecovery/properties/hooks/$ref] doesn't validate with "#/definitions/selfServiceAfterRecoveryHooks"
      I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf] anyOf failed
        I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf/0/$ref] doesn't validate with "#/definitions/selfServiceWebHook"
          I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceWebHook] validation failed
            I[#/selfservice/flows/recovery/after/hooks/0/hook] S[#/definitions/selfServiceWebHook/properties/hook/const] value must be "web_hook"
            I[#/selfservice/flows/recovery/after/hooks/0/config] S[#/definitions/selfServiceWebHook/properties/config/required] missing properties: "method"
        I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceAfterRecoveryHooks/items/anyOf/1/$ref] doesn't validate with "#/definitions/selfServiceSessionRevokerHook"
          I[#/selfservice/flows/recovery/after/hooks/0] S[#/definitions/selfServiceSessionRevokerHook/additionalProperties] additionalProperties "config" not allowed
```
b
A message from kapa.ai
Based on the error message, there are two main issues with your configuration:

## Issue 1: Settings Flow Configuration

In your settings flow configuration, there's a problem with the hooks structure:

```yaml
settings:
  after:
    password:
      default_browser_return_url: https://local.wlw.de/ui/login
      hooks:
        - hook: revoke_active_sessions
    hooks:  # This is causing an error
      - hook: ...  # Missing hook definition
```

The error indicates that there's a `hooks` array under `settings.after` that's missing the required `hook` property and method configuration. However, I don't see this in your provided configuration, which suggests there might be additional configuration not shown or a parsing issue.

## Issue 2: Recovery Flow Configuration

For the recovery flow, the error is more specific:

```yaml
recovery:
  after:
    hooks:
      - hook: revoke_active_sessions  # This is causing an error
```

The error message indicates that:

1. The `revoke_active_sessions` hook is being validated against the `selfServiceWebHook` schema, which expects the hook type to be "web_hook"
2. The schema is also looking for a `config` property with a `method` field
3. When validated against `selfServiceSessionRevokerHook`, it complains that the hook has a `config` property which is not allowed

This suggests that in your Kratos version, the `revoke_active_sessions` hook might not be supported in the recovery flow as documented.

## Recommended Fix

Based on the [documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions) and the error message, try this configuration:

```yaml
settings:
  lifespan: 2h
  privileged_session_max_age: 15m
  required_aal: aal1
  after:
    password:
      default_browser_return_url: https://local.wlw.de/ui/login
      hooks:
        - hook: revoke_active_sessions
recovery:
  enabled: true
  use: code
  lifespan: 2h
  notify_unknown_recipients: false
  # Remove the hooks section from recovery if not supported in your version
```

If you need to implement session revocation after recovery, you might need to:

1. Update to a newer version of Kratos that supports this feature
2. Use a web hook instead that calls your own API to handle session revocation
3. Check the exact schema requirements for your specific Kratos version

The error suggests that your Kratos version's schema doesn't support the `revoke_active_sessions` hook in the recovery flow in the way you've configured it.