It sounds like you're experiencing a redirection issue after successful Passkey authentication in your self-hosted Ory Kratos instance. This 404 error typically occurs when the flow ID expires or when there's a mismatch in the expected endpoints. Based on the knowledge sources, there are a few potential causes and solutions: 1. Flow ID Expiration: Flow IDs have an expiry time. When retrieving flow data using an existing flow ID, it's important to check the response status code. If the flow has expired, you'll need to create a new flow. 2. URL Path Changes: There was a change in Ory's URL structure. As mentioned in one of the issues, the

/api/kratos/public/

prefix has been removed. Make sure you're using the correct endpoints in your implementation. 3. Redirect Configuration: You might need to configure the appropriate redirect URLs in your Kratos configuration. Check your configuration for the login flow:

yaml selfservice:   flows:     login:       after:         default_browser_return_url: <https://your-app-url/>

4. Fetch Existing Flow: If the flow already exists, you can get the flow data using the flow ID through a GET request to

/self-service/login/flows?id=<flowID>

. This is useful when Ory has already initialized the flow and redirected to your application. To debug this issue: 1. Check your network requests to see the exact redirection chain 2. Verify that your Kratos configuration has the correct UI URLs and redirect URLs set 3. Make sure you're using the latest version of Ory Kratos, as some issues might have been fixed in newer releases If you're implementing a custom UI, make sure you're following the [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#fetch-existing-flows) guide for fetching and handling flows correctly.

I understand you've already added the

default_browser_return_url

configuration. In that case, there might be other issues causing the redirection problem with Passkeys authentication in your self-hosted Ory Kratos instance. Based on the knowledge sources, here are some additional considerations: 1. Method-specific redirect URLs: You might need to configure method-specific redirect URLs. For Passkeys (which is similar to WebAuthn), you can try:

yaml selfservice:   flows:     login:       after:         default_browser_return_url: <https://your-app-url/>         passkey:  # or webauthn           default_browser_return_url: <https://your-app-url/specific-path/>

2. Allowed return URLs: Make sure your return URL is in the allowed list:

yaml selfservice:   allowed_return_urls:     - <https://your-app-url>

3. UI URL configuration: Ensure your UI URL is properly configured:

yaml selfservice:   flows:     login:       ui_url: <https://your-app-url/login>

4. Two-step registration issues: If you're using two-step registration, there might be validation issues with the configuration as mentioned in [this discussion](https://github.com/ory/kratos/discussions/3931). 5. Hooks configuration: Check if you have the proper hooks configured for the authentication method:

yaml selfservice:   flows:     login:       after:         passkey:  # or webauthn           hooks:             - hook: session

6. CORS settings: If your UI is on a different domain than Kratos, ensure CORS is properly configured. If you're still experiencing issues, it would be helpful to: - Check the Kratos logs for any specific error messages - Verify the complete redirection chain in your browser's network tab - Confirm that the flow ID in the URL is valid and not expired The knowledge sources indicate that there have been several issues with redirects in Ory, particularly with specific authentication methods and verification flows.

You're right to be concerned about the missing

ory_kratos_session

cookie. After successful authentication with Passkeys, Ory Kratos should indeed create a session cookie. Based on the knowledge sources, here are some potential reasons why the session cookie isn't being created: 1. Missing session hook: The session hook might not be configured properly for your Passkeys authentication method. Make sure you have the session hook configured in your `kratos.yml`:

yaml selfservice:   flows:     registration:       after:         passkey:  # or webauthn           hooks:             - hook: session

2. Cookie persistence settings: As mentioned in [this issue](https://github.com/ory/network/issues/194), Ory Kratos doesn't persist sessions unless

sessions.cookie.persistent

is enabled. Try adding this to your configuration:

yaml session:   cookie:     persistent: true

3. Session creation failure: There might be an issue with the session creation process itself. When a session is successfully created, Kratos should respond with a

Set-Cookie

HTTP header containing the

ory_kratos_session

cookie, as described in the [registration documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#client-side-browser-clients). 4. Redirect issues: The issue you're experiencing with redirects to

/self-service/login?flow=

might be related to the session creation failure. If the session isn't created properly, Kratos might redirect you back to the login flow. To debug this issue: 1. Check your browser's network tab to see if the

Set-Cookie

header is present in any of the responses 2. Verify that your Kratos configuration has the proper session settings 3. Try using the

/sessions/whoami

endpoint to check if a session exists after authentication 4. Look at the Kratos logs for any errors related to session creation If you're using the Ory CLI for testing, you might need to add the

--max-age

parameter as mentioned in [this comment](https://github.com/ory/network/issues/194), which relates to session persistence. Let me know if any of these suggestions help resolve your issue!

I understand you're having an issue with redirects after successful Passkey authentication in your self-hosted Ory Kratos instance. The redirect to

/self-service/login?flow=

suggests there's a configuration issue with your post-authentication redirects. Based on the knowledge sources, here's how you can update the redirect endpoint: 1. Configure the login flow's redirect URLs in your Kratos configuration file:

yaml selfservice:   flows:     login:       after:         default_browser_return_url: <https://your-app-url/dashboard>         # If you want method-specific redirects         passkey:  # or webauthn           default_browser_return_url: <https://your-app-url/after-passkey-login>

2. Ensure your return URLs are whitelisted:

yaml selfservice:   whitelisted_return_urls:     - <https://your-app-url>

The redirect behavior is explained in the [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects#redirect-flows) documentation. The configuration allows you to set different redirect URLs based on the authentication method used. If you're using a dynamic redirect, you can also use the

return_to

query parameter when initializing the login flow:

<https://your-kratos-domain/self-service/login/browser?return_to=https://your-app-url/custom-page>

This parameter will override the default redirect URL configured in your Kratos configuration. If you're still experiencing issues after updating these configurations, check your Kratos logs for any specific error messages that might provide more insight into the redirection problem. Let me know if these suggestions help resolve your issue! [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects#redirect-flows) [Advanced integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration)

@chilly-king-10285 i just need to replace it with

/api/.ory/self-service/login?flow=

Based on your previous messages, I understand you need to replace the current redirect URL path

/self-service/login?flow=

with

/api/.ory/self-service/login?flow=

after successful Passkey authentication in your self-hosted Ory Kratos instance. This appears to be related to the URL structure changes mentioned in one of the knowledge sources. According to a GitHub issue discussion, Ory has made changes to their URL paths in newer versions: > I see, the URLs have changed since we introduced Ory Cloud. The

/api/kratos/public/

has been removed. To address backwards compatibility, we introduced a redirect. To update the endpoint in your configuration, you'll need to modify your Kratos configuration file. You can do this by setting the UI URL for the login flow:

yaml selfservice:   flows:     login:       # This changes where users are redirected to for the login UI       ui_url: <http://your-domain.com/api/.ory/self-service/login>

This configuration will change where Kratos redirects users for the login UI, which should help resolve your issue with the redirect path. If you're using a custom UI implementation, make sure your application is properly handling requests to this new path. The UI application needs to be configured to serve the login interface at this new URL. [Github Issue](https://github.com/ory/network/issues/124)