oauth/SSO: Ory return 400 error message together with a data

[vladyslav2]

During oauth flow when SSO provider return user to the to platform, kratos creates session with a user data from SSO provider. In order to retrieve that data we are doing GET request to kratos /self-service/registration?flow=22d81f5d-1db4-4fbf-82c3-f57f7be4b94b.

Surprisingly, this request returns 400 error together with user data, and error message Object { id: 4000001, text: 'Unable to decode body because HTTP Request Method was "GET" but only [POST PUT PATCH] are supported.', type: "error", … }, which is kind of confusing. Why does we get 400 error together with an information we need to finish sign up process? I do believe it does correlate with #53 this thread too.

Maybe we are doing something wrong and we should get user data differently, but based on our research we are doing it correctly. It just seems like kratos should return 200 instead of 400. Can somebody please explain to me logic of using 400 here?

Thank you

[vinckr]

Hello @vladyslav2

This behavior is actually expected in Ory Kratos, though it can be confusing. When you make a GET request to /self-service/registration?flow=, you're using the correct endpoint to retrieve the flow data, but Kratos returns a 400 status code because it's enforcing that certain operations should only be performed with specific HTTP methods.

Kratos returns different status codes based on the flow state:

• HTTP 200 is only sent when a flow is successfully completed
• HTTP 400 is returned for form validation errors or when the flow is still in progress
• HTTP 422 is returned when a browser location change is required
• Ory Kratos API Reference explains that the registration flow endpoint returns a 400 status code with the flow data when there are validation errors or when the flow is incomplete.

This is a known point of confusion as mentioned in GitHub issue #4052, there are plans to improve this in a future version, see this comment.