<@U04UQ68083H> how to enable magic link in kratos?...
# ory-copilot
b
@chilly-king-10285 how to enable magic link in kratos? (self-hosted version)
b
A message from kapa.ai
To enable magic link authentication in self-hosted Ory Kratos, you need to configure the recovery or verification flows to use the magic link ("link") method. Here’s how you can do it:

1. Edit your Kratos configuration file (e.g., `config.yml` or `kratos.yaml`) and set the relevant self-service flow to use the `link` method. For example, to enable magic link for account recovery:

```yaml
selfservice:
  methods:
    link:
      enabled: true
      config:
        lifespan: 1h # Optional: how long the link is valid
  flows:
    recovery:
      enabled: true
      use: link
      lifespan: 1h
```

   - For email verification, you would similarly set `use: link` under the `verification` flow.

2. Restart your Kratos instance to apply the configuration changes.

Note: Ory recommends using the "one-time code" (`code`) method instead of magic links, as magic links are considered a legacy solution and may be removed in future releases. The "code" method is the default and preferred approach, as it mitigates several drawbacks associated with magic links, such as issues with email scanners and mobile flows. If you decide to use magic links, ensure your UI and user experience are tested accordingly. More details and a comparison of both methods can be found in the documentation: [Choosing the right strategy](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#choosing-the-right-strategy) and [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).

If you need to update the configuration using the Ory CLI, you can use:

```bash
ory patch identity-config <your-project-id> \
  --add '/selfservice/flows/recovery/use=link'
```

But for self-hosted, editing the config file directly is typical.

Summary:
- Set `use: link` in the relevant self-service flow in your Kratos config.
- Enable the `link` method under `selfservice.methods`.
- Restart Kratos.

For more details, see the official documentation on [account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset) and [choosing the right strategy](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#choosing-the-right-strategy).
b
@chilly-king-10285 I tried to enable the `link` method, but still I get this response when I fetch the flow from kratos (no link group in the response).
{
  "id": "bb37744c-59b1-4735-9e7c-f1f561172f84",
  "organization_id": null,
  "oauth2_login_challenge": "12F9w1z4qh1p2Z-hdLFDFbzvOaMWHKk-RF72EL7g-t74bD9J5kRAbJRB58VMAds7MuQzXKzhVhbZlNvdfQQ93rVrsK9z9HFw1oKFGdKB7QSyfCCc8uJgqw0b54hcqYL1-n7FRAECR9MoHt31gTOAfIlBIJPAcKVOPGJy3N76xWxXRN5CD8gTlHYeoA-Rd3DoXUqzSj6d2liJ7EUxEIfFzqDzN5KLmABkqJQ7eUhu42RGjiaIUtvr54ciTaB2Td7-X7t4TZr4eV6aDC-4x2EmZ-V2cE_-SzFku0aZ-1ccGw8Hu9bmdTuH3bjKU5q6N3BwR83P0HXbUuON9sVY0cqfEbeNR34sK-ADNEmEGoEF0BeQsF85vCJFS3wXPBP44Y80RRQ-NJOaTJ503Y3KvNj0dqcptKnF-468A0phBudtZEh2bs3YsbHLA6SRIN6rbVyOQ_PIXHjIyBfOlcgM9LWCP-Ho8EsPGj1mkPoKuEg9zJQlNPMZFTmC_vZFfYQyZASaWzJxQxq14C3JlCFF9D--HcNAb7zHyZcrhefvDyoQkjGTyqJ_JWH3lYWeHPWcQUICHoH4BNEVUYyLCRNR5IxyAsfo4EydVSNI2IzHbqay5bzN39zSP8NUIrRlUZ9LjMhqkxFrVt9rQ7d3YwjngK3IjCv9wi3Ory0i8xPNiwGOlb-OU6vWKtRl5R3Zvc4NLbc7IiP0Jd95Crvi6le0uT3DfO2o5sEuwo1LSYfojui8FAMJU1DviOgoEWTAYivsFIbGracjnQADp5WL2t94CyXgwIkPCryN3qWlRSGXnTkaFHSg6f-8ypaazXEysEEy6CXAW0-Z7EAak4Y0z5eE0hNMnjTKwI9-faSWbtJ71oU65kuePgdL-QJexd_RN7ibMA-sRnKIX2U0W9vnLbbf8AHDynb8MH_xjfGctjvU2NAkcwWUDnSiKKey9p-koIE5miG8QxhBL72wnl-GRrEInWik2XCZq4CXSebgQyZI8S0G7RcoSs7_EsXZyjz5hd0EGHvoSWOC1NvT1_-45oK1aflj1RbKPgLvvboxfscXNbxB1UhEN16r2om6khgJoefQ2jQXgIgcd1GuerCLAdUv-h2iKPXxA_2zsEdH01uBT2DpHJuvnWJH5qYuUZsohFfOQmw-ZnuSsZ52UEq9F0SVrsYpVlvlHIHBasgNpHGvDKBJKm3ejwOGxheOSjr-6OnNDxNUFMW91L04ar9kjGVPmBMtJsOOru0ZzY5j2uTTNVehgmZE7KgUZC7AvNNh8Z8BGosfZeZdvupwRiHt0xPodeiT5lEXp6fD8Zq51EBkxjJSNVd3O0VEANLe4ksXm_aZF5YR552JlwnhoxLpRXpc4icv-UOA5nLgkaSoE_LhFagkcuCWO0GSbAOP1Ev0l3Ge0EMsoATLz_A0ruyxBth5ldK_5V4zcBLS9y__LtQ35kvStf8cm-XGnJGmlkaElZ2xgzzC-5pEKHPeOo8so5jylXTAfmQT3pIBYO_LPdN7GREweOoR-k9et8AYx4Wyk-wLCeZoj4UpG0P7Rv6RcGdVCmukuah6kSLyVzyI6uMv37pA34ZXreNe6ctkkw==",
  "type": "api",
  "expires_at": "2025-05-12T07:51:02.888782712Z",
  "issued_at": "2025-05-12T06:51:02.888782712Z",
  "request_url": "<http://localhost:4433/self-service/login/api?login_challenge=12F9w1z4qh1p2Z-hdLFDFbzvOaMWHKk-RF72EL7g-t74bD9J5kRAbJRB58VMAds7MuQzXKzhVhbZlNvdfQQ93rVrsK9z9HFw1oKFGdKB7QSyfCCc8uJgqw0b54hcqYL1-n7FRAECR9MoHt31gTOAfIlBIJPAcKVOPGJy3N76xWxXRN5CD8gTlHYeoA-Rd3DoXUqzSj6d2liJ7EUxEIfFzqDzN5KLmABkqJQ7eUhu42RGjiaIUtvr54ciTaB2Td7-X7t4TZr4eV6aDC-4x2EmZ-V2cE_-SzFku0aZ-1ccGw8Hu9bmdTuH3bjKU5q6N3BwR83P0HXbUuON9sVY0cqfEbeNR34sK-ADNEmEGoEF0BeQsF85vCJFS3wXPBP44Y80RRQ-NJOaTJ503Y3KvNj0dqcptKnF-468A0phBudtZEh2bs3YsbHLA6SRIN6rbVyOQ_PIXHjIyBfOlcgM9LWCP-Ho8EsPGj1mkPoKuEg9zJQlNPMZFTmC_vZFfYQyZASaWzJxQxq14C3JlCFF9D--HcNAb7zHyZcrhefvDyoQkjGTyqJ_JWH3lYWeHPWcQUICHoH4BNEVUYyLCRNR5IxyAsfo4EydVSNI2IzHbqay5bzN39zSP8NUIrRlUZ9LjMhqkxFrVt9rQ7d3YwjngK3IjCv9wi3Ory0i8xPNiwGOlb-OU6vWKtRl5R3Zvc4NLbc7IiP0Jd95Crvi6le0uT3DfO2o5sEuwo1LSYfojui8FAMJU1DviOgoEWTAYivsFIbGracjnQADp5WL2t94CyXgwIkPCryN3qWlRSGXnTkaFHSg6f-8ypaazXEysEEy6CXAW0-Z7EAak4Y0z5eE0hNMnjTKwI9-faSWbtJ71oU65kuePgdL-QJexd_RN7ibMA-sRnKIX2U0W9vnLbbf8AHDynb8MH_xjfGctjvU2NAkcwWUDnSiKKey9p-koIE5miG8QxhBL72wnl-GRrEInWik2XCZq4CXSebgQyZI8S0G7RcoSs7_EsXZyjz5hd0EGHvoSWOC1NvT1_-45oK1aflj1RbKPgLvvboxfscXNbxB1UhEN16r2om6khgJoefQ2jQXgIgcd1GuerCLAdUv-h2iKPXxA_2zsEdH01uBT2DpHJuvnWJH5qYuUZsohFfOQmw-ZnuSsZ52UEq9F0SVrsYpVlvlHIHBasgNpHGvDKBJKm3ejwOGxheOSjr-6OnNDxNUFMW91L04ar9kjGVPmBMtJsOOru0ZzY5j2uTTNVehgmZE7KgUZC7AvNNh8Z8BGosfZeZdvupwRiHt0xPodeiT5lEXp6fD8Zq51EBkxjJSNVd3O0VEANLe4ksXm_aZF5YR552JlwnhoxLpRXpc4icv-UOA5nLgkaSoE_LhFagkcuCWO0GSbAOP1Ev0l3Ge0EMsoATLz_A0ruyxBth5ldK_5V4zcBLS9y__LtQ35kvStf8cm-XGnJGmlkaElZ2xgzzC-5pEKHPeOo8so5jylXTAfmQT3pIBYO_LPdN7GREweOoR-k9et8AYx4Wyk-wLCeZoj4UpG0P7Rv6RcGdVCmukuah6kSLyVzyI6uMv37pA34ZXreNe6ctkkw==>",
  "ui": {
    "action": "<http://127.0.0.1:4433/self-service/login?flow=bb37744c-59b1-4735-9e7c-f1f561172f84>",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "oidc",
        "attributes": {
          "name": "provider",
          "type": "submit",
          "value": "google",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1010002,
            "text": "Sign in with google",
            "type": "info",
            "context": {
              "provider": "google",
              "provider_id": "google"
            }
          }
        }
      },
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {}
      },
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070002,
            "text": "E-Mail",
            "type": "info",
            "context": {
              "title": "E-Mail"
            }
          }
        }
      },
      {
        "type": "input",
        "group": "code",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "code",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1010015,
            "text": "Send sign in code",
            "type": "info"
          }
        }
      }
    ]
  },
  "created_at": "2025-05-12T06:51:02.892829Z",
  "updated_at": "2025-05-12T06:51:02.892829Z",
  "refresh": false,
  "requested_aal": "aal1",
  "state": "choose_method"
}
b
A message from kapa.ai
Based on the knowledge sources, enabling the magic link (`link`) method in Ory Kratos requires two things:

1. Enabling the `link` method in your configuration under `selfservice.methods.link.enabled: true`.
2. Configuring the relevant flow (e.g., login, recovery, or verification) to use the `link` method.

However, the login flow in Ory Kratos does not support the magic link (`link`) method. The magic link (`link`) method is only supported for the recovery and verification flows, not for login. For login, the supported methods are typically `password`, `oidc`, and `code` (passwordless one-time code), but not `link` (magic link). This is confirmed in the documentation and is also reflected in your flow response: you see `code` and `oidc` options, but not `link`. This is expected behavior for the login flow.

If you want to use magic links, you can only do so for account recovery or email verification, not for direct login flows. Ory also recommends using the `code` method over `link`, as the `link` method is considered legacy and may be removed in the future [Choosing the right strategy](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#choosing-the-right-strategy) [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).

Summary:
- Magic link (`link`) is not available for the login flow in Ory Kratos.
- You can use magic link for recovery and verification flows only.
- For login, use `code` (passwordless), `password`, or `oidc`.

If you need passwordless login, use the `code` method, which is the recommended and supported approach. If you need more details or want to enable magic link for recovery or verification, refer to the official documentation:
- [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset)
- [Choosing the right strategy](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#choosing-the-right-strategy)
b
@chilly-king-10285 was `link` an option for login flow in the past?
b
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain explicit information about whether the `link` (magic link) method was ever an option for the login flow in Ory Kratos in the past. The available documentation and API references only mention the `link` method as being supported for recovery and verification flows, and not for login flows. If you need a definitive historical answer, you may need to consult Ory's release notes or GitHub repository history, which are not included in the provided sources.
b
@chilly-king-10285, How do I enable oidc flow with a custom frontend?
b
A message from kapa.ai
To enable the OIDC (OpenID Connect) flow with a custom frontend in Ory Kratos, follow these steps:

1. Enable OIDC in your Kratos configuration

   In your Kratos config file, make sure the OIDC method is enabled:

```yaml
selfservice:
  methods:
    oidc:
      enabled: true
```

2. Configure OIDC providers

   Add your OIDC providers (e.g., Google, GitHub) in the configuration. Example:

```yaml
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: google
            provider: google
            client_id: <your-client-id>
            client_secret: <your-client-secret>
            issuer_url: https://accounts.google.com
            mapper_url: "base64://<your-base64-encoded-jsonnet>"
            scope:
              - openid
              - email
              - profile
```

   For more details on provider configuration, see the [OIDC configuration guide](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc).

3. Implement the OIDC flow in your custom frontend

   - Create the registration or login flow by calling the appropriate endpoint (browser or API, depending on your app type).
   - Fetch the flow and render the UI nodes. The OIDC providers will appear as submit buttons in the flow's UI nodes with the group `"oidc"`.
   - Handle the OIDC provider button: When the user clicks a provider button (e.g., "Sign in with Google"), submit the form to the action URL provided in the flow. This will redirect the user to the OIDC provider for authentication.

   Example (React/TypeScript):

```typescript
import { Configuration, FrontendApi } from "@ory/client"

const frontend = new FrontendApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
  }),
)

// Fetch the login flow
export async function getLogin(id: string) {
  return await frontend.getLoginFlow({ id })
}
```

   When rendering the flow, map the UI nodes with group `"oidc"` to buttons. Submitting these will start the OIDC flow. See [custom UI integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration) and [registration flow example](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#get-registration-flow).

4. Handle the callback

   After successful authentication with the OIDC provider, the user will be redirected back to your frontend with the flow ID in the URL. Fetch the flow again and complete the process as needed.

Summary:
- Enable and configure OIDC in Kratos.
- In your custom frontend, create and fetch the flow, render OIDC provider buttons, and handle form submission to start the OIDC flow.
- Handle the callback to complete the authentication.

For more details and code samples, see the [custom UI integration documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration) and [OIDC configuration](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc).
b
@chilly-king-10285 can I find an example in next.js (react) with a form submission using oidc flow?
b
A message from kapa.ai
New message text here
b
@chilly-king-10285, this is my js action to handle the oidc login:
const handleOidcLogin = () => {
    // if flow.ui.action is not set, fail
    if (!flow?.ui.action || !flow.id) {
      setError("Something went wrong, please try again.")
      return
    }

    const form = document.createElement('form');
    form.method = flow?.ui.method || 'POST';
    form.action = flow?.ui.action || '' ;

    const flowParam = new URLSearchParams({ flow: flow.id }).toString();
    const actionWithFlow = `${flow.ui.action}${flow.ui.action.includes('?') ? '&' : '?'}${flowParam}`;
    form.action = actionWithFlow;

    const input = document.createElement('input');
    input.type = 'submit';
    input.name = 'provider';
    input.value = 'google';
    form.appendChild(input);

    document.body.appendChild(form);
    form.submit();
    document.body.removeChild(form);
  };
However, the browser gets redirected to: http://127.0.0.1:4433/self-service/login?flow=5add5415-4aed-4b58-a4f0-ff33d8484ecd&flow=5add5415-4aed-4b58-a4f0-ff33d8484ecd and it contains a json response like this:
{
  "id": "3c503b99-aa0c-410f-b9c0-b8d72ebd23a6",
  "organization_id": null,
  "oauth2_login_challenge": "udiJvey-dYEzULMTFNKwIbvZYFAc1P5_WCSHAAulxVq83LcQYx_jMUj27naV6ZphP2aDPzS4WZgi7Dl1tlCMFDiqcXhpe0xNOx7AL5vUKTSiOfOoV-BdY1kCaAMe767FOvVq8SRzWo8kkeKupZWNB9aiRj7wrI9PpazyodNdqCFbF8p2kRljKibMXw3X3vrad4GpHh2lwq-D04z3iqysCqyAKueL5YoDMMXc3BWWc-8U4UajGYxj6h8pg59U7pKGkIEBrI0_ZW_yvm8sXKJKOMVgNzAsJWOA5Vt5NU2kvkGOJQ40L5NYgRhLvI5hkAf5ANr2wRcNskJqMPeyM7RNdITIDTKpj6nyZbvgdAl1rM-2cveAnUxxliIh1U97HiR8zE2MPsgwBwYF_1YNrDkj_Re95JS_AmXwnI41lpHdtmTyxecBlDHetgfkp3yN-gXteBAEwUl4qfAGFc5r6eg2g4K--tl2Y7RdTONHbARXxc6xzAjE0nl5-gqzFoBsDr_lozxZqHYw_PnRPJ6iBxSxKrni7SrKzgsmLQXJCR4vpwv8fPDi8vq79k2jcbsgTkN9V8Uk-q5WBb_5700ItfBLW3pjCOBMLnOCuaxR6c8MLwgC-IFZTcf8JqGCxYAvTLwFn_hua4w46U9lNFx4SNrZPDNdQG2TcQ6MztDiHzhP45KCNZ8AogLbe5vU6TooQpezZ_N0_f3ZqO-t1imh3v5Xo9wKxqsrtOXw_rESEYDGJ6skyo3UQCrHcKwTS52BnKLRMX772dl9vRBTWMwfa3qx9Yw5zAXIGMj5IhUmkHbBwL9wHiZg0A0z7RDOh7pqYbgeiZONzo8-H5juVQZ71eisiquiDIv1SGPhpDjegkzZZZa4IZi5_g54KXEHm9EGJ7SbYQrvtu0YYs8PQwQ8BvIBgrSpYh-K7INGU8AomCElX5WKoiaSFSkeQxih6SX35nt8QgfQz0sGw-UOmSmBeqcZ9E40nGnpqYscqfFEHFvc62KQjakKdJ-f5NFKdnAiNXyOz9gX8HWDae7cdoKUuc1-2L-qx0yMy91HneyqqYm7MqIFeQHyYjTpuAUHnoscItd0qXvYXmAYSurs9aik7l1moNQ-6sO-scas5X9l9pdI3RA_C3MV2PqpC-GyYsqPGWvxrXz0XYe8xeukK5_bMAZsWUic10q8z3d3VEreuhn8qCXxS1Hp-9QDmO1y_gMG0jbyd7ME7PtqHMwOb3bdEAOEDOK-_EHqCncT2hSu9dLZNeD2GRFL0zFmufFcwLTCaF_0Vsv5ObwakU3Rq8FSWkS639ubPOBnKQ9CXEDm-Lh9T-Mwew0Hos-_II0jVXEuhepu8_dWkuesP_97_QXRrqUqQQV2iXtAE6H1HDT-japf_iHJAo6nn-yRRvcw-Gz4WK5PjjHJDxa4pqjFly4drGMYfx0d3F1rCfVODOiiqiG0ko2obWZp_ONFQf9TmHAcS-53yGw2LJjT3YEZUOHEdUQrh96i6yA7ft7K6JoAGJD-f4ultc1u8mF_MnFKa5l7a32FAshnswfO7-9qrg==",
  "type": "api",
  "expires_at": "2025-05-12T09:03:33.391758587Z",
  "issued_at": "2025-05-12T08:03:33.391758587Z",
  "request_url": "<http://localhost:4433/self-service/login/api?login_challenge=udiJvey-dYEzULMTFNKwIbvZYFAc1P5_WCSHAAulxVq83LcQYx_jMUj27naV6ZphP2aDPzS4WZgi7Dl1tlCMFDiqcXhpe0xNOx7AL5vUKTSiOfOoV-BdY1kCaAMe767FOvVq8SRzWo8kkeKupZWNB9aiRj7wrI9PpazyodNdqCFbF8p2kRljKibMXw3X3vrad4GpHh2lwq-D04z3iqysCqyAKueL5YoDMMXc3BWWc-8U4UajGYxj6h8pg59U7pKGkIEBrI0_ZW_yvm8sXKJKOMVgNzAsJWOA5Vt5NU2kvkGOJQ40L5NYgRhLvI5hkAf5ANr2wRcNskJqMPeyM7RNdITIDTKpj6nyZbvgdAl1rM-2cveAnUxxliIh1U97HiR8zE2MPsgwBwYF_1YNrDkj_Re95JS_AmXwnI41lpHdtmTyxecBlDHetgfkp3yN-gXteBAEwUl4qfAGFc5r6eg2g4K--tl2Y7RdTONHbARXxc6xzAjE0nl5-gqzFoBsDr_lozxZqHYw_PnRPJ6iBxSxKrni7SrKzgsmLQXJCR4vpwv8fPDi8vq79k2jcbsgTkN9V8Uk-q5WBb_5700ItfBLW3pjCOBMLnOCuaxR6c8MLwgC-IFZTcf8JqGCxYAvTLwFn_hua4w46U9lNFx4SNrZPDNdQG2TcQ6MztDiHzhP45KCNZ8AogLbe5vU6TooQpezZ_N0_f3ZqO-t1imh3v5Xo9wKxqsrtOXw_rESEYDGJ6skyo3UQCrHcKwTS52BnKLRMX772dl9vRBTWMwfa3qx9Yw5zAXIGMj5IhUmkHbBwL9wHiZg0A0z7RDOh7pqYbgeiZONzo8-H5juVQZ71eisiquiDIv1SGPhpDjegkzZZZa4IZi5_g54KXEHm9EGJ7SbYQrvtu0YYs8PQwQ8BvIBgrSpYh-K7INGU8AomCElX5WKoiaSFSkeQxih6SX35nt8QgfQz0sGw-UOmSmBeqcZ9E40nGnpqYscqfFEHFvc62KQjakKdJ-f5NFKdnAiNXyOz9gX8HWDae7cdoKUuc1-2L-qx0yMy91HneyqqYm7MqIFeQHyYjTpuAUHnoscItd0qXvYXmAYSurs9aik7l1moNQ-6sO-scas5X9l9pdI3RA_C3MV2PqpC-GyYsqPGWvxrXz0XYe8xeukK5_bMAZsWUic10q8z3d3VEreuhn8qCXxS1Hp-9QDmO1y_gMG0jbyd7ME7PtqHMwOb3bdEAOEDOK-_EHqCncT2hSu9dLZNeD2GRFL0zFmufFcwLTCaF_0Vsv5ObwakU3Rq8FSWkS639ubPOBnKQ9CXEDm-Lh9T-Mwew0Hos-_II0jVXEuhepu8_dWkuesP_97_QXRrqUqQQV2iXtAE6H1HDT-japf_iHJAo6nn-yRRvcw-Gz4WK5PjjHJDxa4pqjFly4drGMYfx0d3F1rCfVODOiiqiG0ko2obWZp_ONFQf9TmHAcS-53yGw2LJjT3YEZUOHEdUQrh96i6yA7ft7K6JoAGJD-f4ultc1u8mF_MnFKa5l7a32FAshnswfO7-9qrg==>",
  "ui": {
    "action": "<http://127.0.0.1:4433/self-service/login?flow=3c503b99-aa0c-410f-b9c0-b8d72ebd23a6>",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "oidc",
        "attributes": {
          "name": "provider",
          "type": "submit",
          "value": "google",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1010002,
            "text": "Sign in with google",
            "type": "info",
            "context": {
              "provider": "google",
              "provider_id": "google"
            }
          }
        }
      },
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {}
      },
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070002,
            "text": "E-Mail",
            "type": "info",
            "context": {
              "title": "E-Mail"
            }
          }
        }
      },
      {
        "type": "input",
        "group": "code",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "code",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1010015,
            "text": "Send sign in code",
            "type": "info"
          }
        }
      }
    ],
    "messages": [
      {
        "id": 4000001,
        "text": "Unable to decode HTTP Request Body because its HTTP Header \"Content-Length\" is zero.",
        "type": "error",
        "context": {
          "reason": "Unable to decode HTTP Request Body because its HTTP Header \"Content-Length\" is zero."
        }
      }
    ]
  },
  "created_at": "2025-05-12T08:03:33.393923Z",
  "updated_at": "2025-05-12T08:03:33.393923Z",
  "refresh": false,
  "requested_aal": "aal1",
  "state": "choose_method"
}
Why didn't my frontend application get the callback with the appropriate jwts?
b
A message from kapa.ai
New message text here
b
@chilly-king-10285, that's great. Now I got redirected to google to do the login and consent flow. However, when that's done, the user gets redirected to this link: http://127.0.0.1:4433/self-service/methods/oidc/callback/google?state=0a104b29f79d6[…]erinfo.profile+openid&authuser=0&hd=immutable.com&prompt=none with the payload below (all PII was removed):
{
  "session_token": "ory_st_**********",
  "session": {
    "id": "********-****-****-****-************",
    "active": true,
    "expires_at": "2025-05-13T08:11:00.923427919Z",
    "authenticated_at": "2025-05-12T08:11:00.923427919Z",
    "authenticator_assurance_level": "aal1",
    "authentication_methods": [
      {
        "method": "oidc",
        "aal": "aal1",
        "completed_at": "2025-05-12T08:11:00.923418336Z",
        "provider": "generic_provider"
      }
    ],
    "issued_at": "2025-05-12T08:11:00.923427919Z",
    "identity": {
      "id": "********-****-****-****-************",
      "schema_id": "default",
      "schema_url": "http://127.0.0.1:4433/schemas/ZGVmYXVsdA",
      "state": "active",
      "state_changed_at": "2025-05-02T01:46:55.589948596Z",
      "traits": {
        "email": "user@example.com"
      },
      "verifiable_addresses": [
        {
          "id": "********-****-****-****-************",
          "value": "user@example.com",
          "verified": false,
          "via": "email",
          "status": "pending",
          "created_at": "2025-05-02T01:46:55.591111Z",
          "updated_at": "2025-05-02T01:46:55.591111Z"
        }
      ],
      "recovery_addresses": [
        {
          "id": "********-****-****-****-************",
          "value": "user@example.com",
          "via": "email",
          "created_at": "2025-05-02T01:46:55.591314Z",
          "updated_at": "2025-05-02T01:46:55.591314Z"
        }
      ],
      "metadata_public": null,
      "created_at": "2025-05-02T01:46:55.590752Z",
      "updated_at": "2025-05-02T01:46:55.590752Z",
      "organization_id": null
    },
    "devices": [
      {
        "id": "********-****-****-****-************",
        "ip_address": "xxx.xxx.xxx.xxx:xxxxx",
        "user_agent": "Generic User Agent",
        "location": ""
      }
    ]
  },
  "continue_with": null
}
b
A message from kapa.ai
Based on your description and the payload you received, it appears that after completing the OIDC login and consent flow with Google, you are being redirected to the Ory Kratos OIDC callback endpoint and receiving a JSON response containing the session and session token, rather than being redirected back to your custom frontend.

This behavior is expected when you are using the API flow (as indicated by `"type": "api"` in your flow object). In API flows, Ory Kratos returns the session and session token as a JSON response, which is intended for native or mobile applications to handle programmatically. This is different from the browser flow, where Kratos would perform an HTTP redirect to your configured `return_to` URL or default redirect URL, setting the session cookie in the browser and completing the login flow in a user-friendly way.

Key points from the knowledge sources:
- API Clients: For API clients, Ory Kratos responds with a JSON payload including the session and session token after a successful login. This is intended for programmatic handling, not for browser-based redirection [API clients](https://www.ory.sh/docs/kratos/self-service/flows/user-login#api-clients).
- Browser Clients: For browser-based flows, after successful login, Kratos responds with an HTTP 303 redirect to the configured redirect URL, along with a `Set-Cookie` header for the session [Successful login](https://www.ory.sh/docs/kratos/self-service/flows/user-login#successful-login).
- OIDC Flow Type: If you want the user to be redirected back to your frontend (e.g., a Next.js app) after OIDC login, you must use the browser flow (`/self-service/login/browser`) and not the API flow (`/self-service/login/api`). The browser flow will handle the redirect and session cookie automatically.

What you should do:
- Use the browser flow endpoints for login and registration in your custom frontend if you want browser-based redirection and session cookies.
- Only use the API flow if you are building a native/mobile app or need to handle the session token programmatically.

Summary: You are seeing a JSON response because you are using the API flow. To get a browser redirect back to your frontend after OIDC login, use the browser flow endpoints in your frontend integration [Perform registration, login, and logout](https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout). If you need to support both browser and API clients, ensure you are initializing the correct flow type for each use case.