Hi everyone :gohack:, I'm hitting a bit of a brick...
# talk-kratos
a
Hi everyone, I'm hitting a bit of a brick wall in my browser application where the redirect URL "return_to" is not being respected when a user registers with a social sign-in account and the email is already associated with an identity in our system (created with email + pass); it rather uses the ui_url from the Kratos configuration. Is there a security reason for doing it this way or am I missing something? Relevant code: line 93 in selfservice/flow/registration/error.go
```go
if f.Type == flow.TypeAPI || x.IsJSONRequest(r) {
	s.d.Writer().WriteError(w, r, expired)
} else {
	http.Redirect(w, r, expired.GetFlow().AppendTo(s.d.Config().SelfServiceFlowRegistrationUI(r.Context())).String(), http.StatusSeeOther)
}
return
```
To go into a bit more detail, we have essentially two browser applications (hosted on separate subdomains, kratos.example.com, ui-1.example.com and ui-2.example.com), one for users and another one for admins. We'd like to be able to redirect the users to the browser application where the login/registration/etc. flow was initiated from. Each application has its own login UI page.
e
Just a shot in the dark, but as a temporary solution, could you run two Kratos instances, 'kratos-1.domain.com' & 'kratos-2.domain.com', for the respective UIs and in the configs adjust the 'default_browser_return_url' & 'ui_url' etc.?
a
Just to document my current solution:
• Login-specific app that can handle all flows on login.example.com
• app1.example.com and app2.example.com can initiate flows and handle success with the return_to parameter, but errors will be handled by login.example.com, which will redirect the user to app1 or app2 on error resolve.