ory/kratos

OIDC native login/registration does not query for missing traits

hperl opened this issue · 1 comments

Preflight checklist

Ory Network Project

No response

Describe the bug

When performing an OIDC registration but traits are missing, Kratos displays UI nodes between the OIDC callback URL and redirecting to the return_to URL.

When performing a native OIDC flow, the client is redirected to the return_to URL without having asked for the missing traits.

Reproducing the bug

  • set up an OIDC provider and an identity schema that contains required traits that the OIDC provider does not supply as part of the identity token / userinfo claims.
  • initialize a self-service native flow with createNativeLoginFlow
  • the flow is updated with updateLoginFlow to an oidc flow, setting a provider
  • forward the user to the provider returned via 422 - errorBrowserLocationChangeRequired
  • the user returns to the provider specific redirect URI

Relevant log output

No response

Relevant configuration

No response

Version

master

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

Slack thread: https://ory-community.slack.com/archives/C02MR4DEEGH/p1721651351593399

Additional context:

  • after returning to the provider specified redirect URI (https://<project>.projects.oryapis.com/self-service/oidc/callback/<providerId>) and e.g. the JSONNET data mapping failing here
  • the user is redirected to the redirect URI specified when initializing the OIDC flow without a finish token, so the tokens can never be exchanged for a session token

I would at least assume some sort of error detail in the redirect as query params or some other way to distinguish for frontends that an error has happened.

See example redirect trace:

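As an added example (not code from the issue or from the Kratos project), the client-side handling of the native flow described above: unwrap the 422 `errorBrowserLocationChangeRequired` response to get the provider URL, then classify the final redirect the app receives after the callback so that a redirect carrying neither an exchange code nor an error is flagged instead of silently treated as success. The query parameter names in `SUCCESS_PARAMS` and `ERROR_PARAMS` are assumptions; the error parameters in particular are the kind of signalling the issue asks for, not current Kratos behaviour.

```python
# Added example, not part of Kratos: native-app side of the OIDC login flow.
# Assumptions: the 422 body looks like
#   {"error": {"id": "browser_location_change_required"}, "redirect_browser_to": "..."}
# and a successful return carries a one-time exchange code under a parameter
# named in SUCCESS_PARAMS. ERROR_PARAMS is a hypothetical error channel.
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SUCCESS_PARAMS = ("code",)                      # assumption: exchange code parameter
ERROR_PARAMS = ("error", "error_description")   # assumption: hypothetical error params


def redirect_from_422(status: int, body: str) -> Optional[str]:
    """Return the provider URL the app must open, or None if the response
    is not the expected browser-location-change error."""
    if status != 422:
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    if payload.get("error", {}).get("id") != "browser_location_change_required":
        return None
    return payload.get("redirect_browser_to")


def classify_return_to(url: str) -> str:
    """Classify the redirect the native app receives after the OIDC callback.

    'success'   -> an exchange code is present; continue with the token exchange
    'error'     -> Kratos reported a failure via query parameters (hypothetical)
    'ambiguous' -> neither code nor error: the silent failure this issue describes,
                   which the app must treat as a failed login, not a success
    """
    query = parse_qs(urlsplit(url).query)
    if any(name in query for name in ERROR_PARAMS):
        return "error"
    if any(query.get(name, [""])[0] for name in SUCCESS_PARAMS):
        return "success"
    return "ambiguous"


if __name__ == "__main__":
    # Constructed sample 422 body, as a native client would receive it.
    sample_422 = json.dumps({"error": {"id": "browser_location_change_required"},
                             "redirect_browser_to": "https://idp.example.test/auth?state=abc"})
    print(redirect_from_422(422, sample_422))
    print(classify_return_to("myapp://login/return"))          # ambiguous
    print(classify_return_to("myapp://login/return?code=xyz"))  # success
```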