# talk-kratos
a
I would like to use the SettingsFlow to update a user's password. When I try I get the following error: “The login session is too old and thus not allowed to update these fields. Please re-authenticate.” What is the correct way to re-authenticate? Like I said: I’m using the kratos-client SDK for TypeScript in react-native and react-native-web.
I sure want to ask our users for their current password before they can change their current password to a new password. But with which flow can I re-authenticate without forcing the user to log out and back in again?
d
You can set `privileged_session_max_age` to something really low so that actions like this that require a privileged session will ask the user to give their password/authenticate again if they haven’t just logged in.
a
My current problem is, that I am past the max age but don’t know how I tell Ory to re-authenticate the user.
I have a logged in user with a session. I would like to ask the user for the current password and a new password. Then I somehow re-authenticate the user with the current password and then use the settings flow to set the new password. I know how to use the settings flow. I don’t know how to re-authenticate.
i
We're using the kratos-client SDK and when we hit this error this is what we do. When we get the message “The login session is too old and thus not allowed to update these fields. Please re-authenticate”, there is a `redirect_browser_to` parameter defined in the flow with a URL to our selfservice login. The URL also has a query parameter to refresh the session (re-authenticate) as well as a `return_to` URL so it returns to the settings flow/page. The `redirect_browser_to` URL looks something like this: <https://localhost/auth/self-service/login/browser?refresh=true&return_to=https%3A%2F%2Flocalhost%2Fauth%2Fself-service%2Fsettings%3Fflow%[uuid]>. The login flow that we get back once the redirect has happened re-authenticates the user and then takes them back to the settings flow. The login flow has a message defined that the user needs to re-authenticate to carry out the action.
p
Hi @ancient-judge-84558 You can force the user to re-auth using the `refresh=true` query parameter. This is only applicable when the user already has a session. https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#refreshing-user-session
a
@important-fall-74969 Thanks for your idea, but it’s not the process/flow we would like to follow. We rather want a single UI, where the user enters current and new password and it is changed for the user.
@proud-plumber-24205 Thanks for the pointer. I already know about that. I think I found a way to do what I want now. Once that’s verified, maybe I can/should do a small writeup of what I did, since I think it might be helpful for others as well.
i
Would love to hear how you solved it! ☺️
m
Great you figured it out @ancient-judge-84558 Let me know if I can support with the writeup, maybe we can even publish a small blogpost about your usecase if you want.
a
Sorry that it took a little while. So here is what I did. I created a static UI with two fields and a button (old password, new password and submit). I start two flows:

1. A LoginFlow with `refresh=true`
2. A SettingsFlow

When the user submits, I transfer the `csrf_token` field and the identity field from the initialised LoginFlow to an `updateLoginFlowBody` and do the update. After that I copy the `csrf_token` from the initialised SettingsFlow to an `updateSettingsFlowBody`, add the new password and call update SettingsFlow. In the native version, I don’t need to copy over the `csrf_token` but use a session token instead.
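The single-screen flow described in the last message, written out as an added example; this is not code posted by any participant in the thread and not the kratos-client SDK itself. It talks to the Kratos public self-service endpoints directly over an injectable `fetch` so it can run offline against a stub, reads `csrf_token` and the prefilled `identifier` from the flow's `ui.nodes`, and mirrors the browser/native split the poster mentions: browser flows carry `csrf_token`, native flows send the session token in the `X-Session-Token` header and use the `/api` initialisation endpoints. Helper names (`findNodeValue`, `buildLoginBody`, `buildSettingsBody`, `changePasswordWithReauth`) and the `kratos.test` host are this example's own.

```typescript
// Minimal fetch shape so the example does not depend on DOM or node typings.
type FetchLike = (
  url: string,
  init?: { method?: string; headers?: Record<string, string>; body?: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<any> }>;

interface UiNode { attributes: { name?: string; value?: unknown } }
interface Flow { id: string; ui: { nodes: UiNode[] } }

// Read one input value (e.g. csrf_token, identifier) from a flow's ui.nodes.
function findNodeValue(flow: Flow, name: string): string | undefined {
  const node = flow.ui.nodes.find((n) => n.attributes.name === name);
  return node && typeof node.attributes.value === "string" ? node.attributes.value : undefined;
}

// Login body for a refresh=true flow: Kratos prefills the identifier of the
// current session, so the UI only has to collect the current password.
function buildLoginBody(flow: Flow, currentPassword: string, useCsrf: boolean): Record<string, string> {
  const identifier = findNodeValue(flow, "identifier");
  if (!identifier) throw new Error("refresh login flow has no prefilled identifier");
  const body: Record<string, string> = { method: "password", identifier, password: currentPassword };
  if (useCsrf) {
    const csrf = findNodeValue(flow, "csrf_token");
    if (!csrf) throw new Error("browser login flow is missing csrf_token");
    body.csrf_token = csrf;
  }
  return body;
}

// Settings body: only the new password, plus csrf_token for browser flows.
function buildSettingsBody(flow: Flow, newPassword: string, useCsrf: boolean): Record<string, string> {
  const body: Record<string, string> = { method: "password", password: newPassword };
  if (useCsrf) {
    const csrf = findNodeValue(flow, "csrf_token");
    if (!csrf) throw new Error("browser settings flow is missing csrf_token");
    body.csrf_token = csrf;
  }
  return body;
}

interface ChangePasswordOptions {
  baseUrl: string;          // Kratos public URL, e.g. https://kratos.test (constructed)
  currentPassword: string;
  newPassword: string;
  sessionToken?: string;    // native apps: X-Session-Token instead of cookie + csrf_token
  fetchImpl?: FetchLike;    // defaults to global fetch; tests pass a stub
}

// Re-authenticate in place, then change the password, without logging the user out.
async function changePasswordWithReauth(opts: ChangePasswordOptions): Promise<{ loginFlowId: string; settingsFlowId: string }> {
  const f = opts.fetchImpl ?? (globalThis.fetch as unknown as FetchLike);
  const native = opts.sessionToken !== undefined;
  const kind = native ? "api" : "browser";
  const headers: Record<string, string> = { Accept: "application/json", "Content-Type": "application/json" };
  if (native) headers["X-Session-Token"] = opts.sessionToken as string;

  const get = async (path: string): Promise<Flow> => {
    const res = await f(`${opts.baseUrl}${path}`, { headers });
    if (!res.ok) throw new Error(`GET ${path} failed with ${res.status}`);
    return res.json();
  };
  const post = async (path: string, body: Record<string, string>): Promise<any> => {
    const res = await f(`${opts.baseUrl}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
    if (!res.ok) throw new Error(`POST ${path} failed with ${res.status}`);
    return res.json();
  };

  // 1. Start both flows up front, as the poster does: a refresh login flow and a settings flow.
  const login = await get(`/self-service/login/${kind}?refresh=true`);
  const settings = await get(`/self-service/settings/${kind}`);

  // 2. Submit the current password to the refresh flow; this renews authenticated_at
  //    on the existing session instead of creating a new one.
  await post(`/self-service/login?flow=${login.id}`, buildLoginBody(login, opts.currentPassword, !native));

  // 3. The session is now privileged, so the settings flow accepts the new password.
  await post(`/self-service/settings?flow=${settings.id}`, buildSettingsBody(settings, opts.newPassword, !native));
  return { loginFlowId: login.id, settingsFlowId: settings.id };
}
```

The two body builders fail loudly when a node is missing rather than submitting a half-filled body, because a browser submission without `csrf_token` is rejected by Kratos and a refresh flow without a prefilled identifier means the session was not actually present when the flow was created.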