[Kratos] Config to disable redirect after login and registration

Hi there,

Currently I have a SPA web app, a self-service app for communicating with Kratos, and an Oathkeeper proxy in front of my API (I didn't deploy Oathkeeper in front of the web frontend).

I want to handle the redirect in my web app instead of delegating redirection to Kratos.
I use a promise-based HTTP client, which gets stuck pending after login in Chrome, but not in Firefox.

I have disabled the redirect job after login and registration. But I found that there is another config, urls.default_return_to, and I can't disable it, so my web app always returns to this URL and gets stuck. Is there any work-around so that I can disable the redirect?

We use the axios JavaScript HTTP client.
Frontend URL: https://web.dev.myorg.com
API URL: https://api.dev.myorg.com

Many thanks!

So instead of using a form request you want to POST the data from your client-side app, right? Are you sending a JSON payload or a form payload?

You are right that it is currently not possible to deactivate this behavior because, if misconfigured, people would just end up at a blank screen.

I think adding a JSON handler would probably help? It could include the user session or something. What do you think?

Yes, we used POST to send a form payload (application/x-www-form-urlencoded) from the JavaScript HTTP client in the beginning. But now we have changed to a form, added some processing in the frontend, and managed to use the return_to option successfully.

A JSON handler means Kratos will return JSON with the user session (set by the session after-job) without a redirection, right?

Btw, it would be great if you could add some documentation on the relation between the after-job redirection and the default redirection when the session is authenticated (in the session/handler.go#RedirectOnAuthenticated method), and a recommended configuration for the scenario where the API URL and the web URL are different. Currently the self-service app is for server-side rendering, which uses the same URL.

Yeah, that makes sense!

I think so, we haven’t fully decided yet but it’s on the roadmap!

Actually we follow the self-service architecture: the server side exposes login/registration APIs and redirects to the public API endpoints for browser flows, and once we have the request UUID we make a request to the admin API. The client is a static page hosted on Firebase (or CloudFront in the future). We haven't tried the flow for client-side apps mentioned in the docs yet, so my concerns may not be reasonable.

I think this is a good feature. Nowadays people use a JavaScript HTTP client in SPAs, and mostly they use JSON, so if Kratos returned the session, errors, or redirect URL in a JSON response, frontend developers could handle it more easily. For example, when a user enters wrong credentials, Kratos would return a 400 response with a JSON body containing the errors and a return_to field (the address could be configurable); all the web app would need to do is follow the return_to and show a popup indicating that the user entered wrong credentials.

There was a patch merged which responds with application/json automatically if the request carries an Accept: application/json header.