ory · jonas-jonas · Jan 29, 2025 · Jan 29, 2025
@@ -4,6 +4,8 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

@@ -110,12 +110,6 @@ func WithOrganizationID(organizationID uuid.NullUUID) FlowOption {
 	}
 }
 
-func WithRequestedAAL(aal identity.AuthenticatorAssuranceLevel) FlowOption {
-	return func(f *Flow) {
-		f.RequestedAAL = aal
-	}
-}
-
 func WithInternalContext(internalContext []byte) FlowOption {
 	return func(f *Flow) {
 		f.InternalContext = internalContext

@@ -144,13 +144,11 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h
 			registrationFlow.OrganizationID = loginFlow.OrganizationID
 			registrationFlow.IDToken = loginFlow.IDToken
 			registrationFlow.RawIDTokenNonce = loginFlow.RawIDTokenNonce
-			registrationFlow.RequestURL, err = x.TakeOverReturnToParameter(loginFlow.RequestURL, registrationFlow.RequestURL)
 			registrationFlow.TransientPayload = loginFlow.TransientPayload
 			registrationFlow.Active = s.ID()
 
-			if err != nil {
-				return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
-			}
+			// We are converting the flow here, but want to retain the original request URL.
+			registrationFlow.RequestURL = loginFlow.RequestURL
 
 			if _, err := s.processRegistration(ctx, w, r, registrationFlow, token, claims, provider, container); err != nil {
 				return registrationFlow, err

@@ -272,10 +272,12 @@ func (s *Strategy) registrationToLogin(ctx context.Context, w http.ResponseWrite
 		return nil, err
 	}
 
-	lf.RequestURL, err = x.TakeOverReturnToParameter(rf.RequestURL, lf.RequestURL)
-	if err != nil {
-		return nil, err
-	}
+	// In this scenario, we are performing account linking. The request URL is set to the "original" registration URL
+	// the user used to try and sign up (which triggered the account linking flow).
+	//
+	// In this scenario we want to keep the original request url instead of the current request url, as the current
+	// request url is an "in-between" state where we are half-way through performing account linking.
+	lf.RequestURL = rf.RequestURL
 	lf.TransientPayload = rf.TransientPayload
 	lf.Active = s.ID()
 	lf.OrganizationID = rf.OrganizationID

@@ -1578,6 +1578,7 @@ func TestStrategy(t *testing.T) {
 				assert.True(t, gjson.GetBytes(body, "ui.nodes.#(attributes.name==password)").Exists(), "%s", body)
 				assert.Equal(t, "[email protected]", gjson.GetBytes(body, "ui.messages.#(id==1010016).context.duplicateIdentifier").String())
 				assert.Equal(t, gjson.GetBytes(body, "organization_id").String(), orgID.String())
+				assert.NotContains(t, gjson.GetBytes(body, "request_url").String(), "code=")
 				linkingLoginFlow.ID = gjson.GetBytes(body, "id").String()
 				linkingLoginFlow.UIAction = gjson.GetBytes(body, "ui.action").String()
 				linkingLoginFlow.CSRFToken = gjson.GetBytes(body, `ui.nodes.#(attributes.name=="csrf_token").attributes.value`).String()