Apple provider asks to reauthenticate after completing registration flow

[renom]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

Apple provider asks to reauthenticate after completing a registration flow with an extra step of providing required schema fields.

Reproducing the bug

1. Signing up with Apple
2. Redirecting to Apple, logging in
3. Logging in is okay but some required fields didn't automatically filled up with .jsonnet file
4. Ory Kratos shows the form to enter the required fields
5. After entering the required fields Ory Kratos redirects to Apple again
6. After logging in for the second time, it's successfully logged in to Ory Kratos

The same flow for Google doesn't ask to authenticate after step 5.

Relevant log output

time=2022-12-26T07:31:30Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:134 http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 content-length:296 content-type:application/x-www-form-urlencoded cookie:[csrf_token_581f535b31a28a30283a9bef052d52e626228d1d16654ed0092decb96b1bafc5=7dN7Qh0FMTyZOWaWXVFmOWyaeNbPXmPOOlBbeXyVm0g=; csrf_token_b03b5164ed5dcdbc540f23b276d76db8a848a97d831928c8826ffdb95e30027c=0bKO9DsTvFuYL3ilBjnPiXYauyqdMN8uT7cWUDQ+hnI=; ory_kratos_continuity=MTY3MjAzOTgyNHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fAWEHvNnR5tCiYaOQIM4MovUqo-eKOF8ke0ixF7c0DqJ; ory_kratos_session=MTY3MjAzOTQ2NnxfeVFFaUJLaUxzd0EwUVlVYWJCM0VXQ3FiR042dC1DQ1loamplLVV6QTBNNDNFOTV4N2lqSmxNSV92ZGVJZ3U4NDBTMGZmdE9vMFNGN0Q1UkwzLThTcVN4RFRFYXc4ZFFGbUdWMUpWSWx0SW1aNkxjblowQWRjS3lfWkE3enlUMFl1OVpYNjkwSUdUcFQtVDktZ3JYZGZaeWxRTnBxOTJSUDFfQU1XOS1ESDd6SnJ0Z2Fia182eXFiNkNKU0tMTmdPV0tpaGVoZHUxRmRBQ2ViS1NiVkQwMk1YTnBqSUNMbWRHbmE3QndPanhObGhRdGRVM3RYa20wS3UxVnNMWHJ6eks3aDlaUVlmMGp6fPQcXvUDj_nZPLPjvmaNOmNTjJXfYuvbr03_JIZ68g0I] origin:https://mobile-doctor.diacare-soft.ru referer:https://mobile-doctor.diacare-soft.ru/ory/registration?flow=17987ea7-d331-476d-a548-af2b12e821c4 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:same-origin sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0 x-forwarded-for:10.1.16.212, 10.1.16.209, 172.18.0.23 x-forwarded-port:80 x-forwarded-proto:https x-forwarded-ssl:on x-original-uri:/ory/.ory/kratos/public/self-service/registration?flow=17987ea7-d331-476d-a548-af2b12e821c4 x-real-ip:10.1.16.209] host:mobile-doctor.diacare-soft.ru method:POST path:/self-service/registration query:flow=17987ea7-d331-476d-a548-af2b12e821c4 remote:172.18.0.31:37340 scheme:http]
time=2022-12-26T07:31:30Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:146 http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 content-length:296 content-type:application/x-www-form-urlencoded cookie:[csrf_token_581f535b31a28a30283a9bef052d52e626228d1d16654ed0092decb96b1bafc5=7dN7Qh0FMTyZOWaWXVFmOWyaeNbPXmPOOlBbeXyVm0g=; csrf_token_b03b5164ed5dcdbc540f23b276d76db8a848a97d831928c8826ffdb95e30027c=0bKO9DsTvFuYL3ilBjnPiXYauyqdMN8uT7cWUDQ+hnI=; ory_kratos_continuity=MTY3MjAzOTgyNHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fAWEHvNnR5tCiYaOQIM4MovUqo-eKOF8ke0ixF7c0DqJ; ory_kratos_session=MTY3MjAzOTQ2NnxfeVFFaUJLaUxzd0EwUVlVYWJCM0VXQ3FiR042dC1DQ1loamplLVV6QTBNNDNFOTV4N2lqSmxNSV92ZGVJZ3U4NDBTMGZmdE9vMFNGN0Q1UkwzLThTcVN4RFRFYXc4ZFFGbUdWMUpWSWx0SW1aNkxjblowQWRjS3lfWkE3enlUMFl1OVpYNjkwSUdUcFQtVDktZ3JYZGZaeWxRTnBxOTJSUDFfQU1XOS1ESDd6SnJ0Z2Fia182eXFiNkNKU0tMTmdPV0tpaGVoZHUxRmRBQ2ViS1NiVkQwMk1YTnBqSUNMbWRHbmE3QndPanhObGhRdGRVM3RYa20wS3UxVnNMWHJ6eks3aDlaUVlmMGp6fPQcXvUDj_nZPLPjvmaNOmNTjJXfYuvbr03_JIZ68g0I] origin:https://mobile-doctor.diacare-soft.ru referer:https://mobile-doctor.diacare-soft.ru/ory/registration?flow=17987ea7-d331-476d-a548-af2b12e821c4 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:same-origin sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0 x-forwarded-for:10.1.16.212, 10.1.16.209, 172.18.0.23 x-forwarded-port:80 x-forwarded-proto:https x-forwarded-ssl:on x-original-uri:/ory/.ory/kratos/public/self-service/registration?flow=17987ea7-d331-476d-a548-af2b12e821c4 x-real-ip:10.1.16.209] host:mobile-doctor.diacare-soft.ru method:POST path:/self-service/registration query:flow=17987ea7-d331-476d-a548-af2b12e821c4 remote:172.18.0.31:37340 scheme:http] http_response=map[headers:map[access-control-allow-credentials:true access-control-allow-origin:* access-control-expose-headers:Content-Type cache-control:private, no-cache, no-store, must-revalidate location:https://appleid.apple.com/auth/authorize?client_id=ru.diacare-soft.mobile-doctor&redirect_uri=https%3A%2F%2Fmobile-doctor.diacare-soft.ru%2Fory%2F.ory%2Fkratos%2Fpublic%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Fapple&response_mode=form_post&response_type=code&scope=email+name+openid&state=MTc5ODdlYTctZDMzMS00NzZkLWE1NDgtYWYyYjEyZTgyMWM0OjU4NTc1Y2QyLWM3NDItNGYxMS04NDM2LTFlMWNhMGFlN2U3Ng set-cookie:[ory_kratos_continuity=MTY3MjAzOTg5MHxEdi1CQkFFQ180SUFBUkFCRUFBQVhfLUNBQUVHYzNSeWFXNW5EQ01BSVc5eWVWOXJjbUYwYjNOZmIybGtZMTloZFhSb1gyTnZaR1ZmYzJWemMybHZiZ1p6ZEhKcGJtY01KZ0FrWmpZM1lXWmxNell0WlRRd09DMDBZVFk1TFdKaU1HRXRObVV5WmpNMU1tRmpNRGN3fP0lb_rn9rK5yp9ckczBoeKbVkEF_qeawYkJ2O7Z-077; Path=/; Expires=Wed, 25 Jan 2023 07:31:30 GMT; Max-Age=2592000; HttpOnly; SameSite=Lax] vary:Cookie] size:0 status:303 text_status:See Other took:20.022827ms]

Relevant configuration

No response

Version

v0.11.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

kratos-selfservice-ui-node

[akkie]

Do you use fields in your schema that the apple providers does not return? If so, then this is the expected behaviour.

[renom]

Is it somehow related to Apple? Because Google does not ask to relogin in the same case.

[jakubfijalkowski]

@renom this also applies to Google, unfortunately. They only seem to behave differently, because Google assumes that you are already signed in and just redirects you back. This won't be the case if you are signed in to two different accounts on Google side - it would then ask you to select the account in step (5).

This is basically the same issue as #2863 and the fix for that is in PR #3416.

[aeneasr]

Correct, dupe of #2863 - closing