Inconsistency in doc #4220

Open
4 of 5 tasks
ChaserZ98 opened this issue Nov 22, 2024 · 3 comments
Labels
bug Something is not working.

Comments

@ChaserZ98

Preflight checklist

Ory Network Project

No response

Describe the bug

The current documentation contains a lot of descriptions which are inconsistent with the actual behavior of the latest kratos version. This issue tries to list them progressively based on my own experience when integrating kratos.

Reproducing the bug

Please see each listed point.

Relevant log output

No response

Relevant configuration

No response

Version

v1.3.1

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker

Additional Context

Kratos is running in a Docker container created with the official image oryd/kratos:v1.3.1.

@ChaserZ98 ChaserZ98 added the bug Something is not working. label Nov 22, 2024
@ChaserZ98
Author

ChaserZ98 commented Nov 22, 2024

Identifier Group Mismatch

Current behavior

The identifier is placed in the default group along with csrf_token.

Consistent doc

get-login-browser.json in Get Login Flow: the returned JSON result has identifier in the default group.

Inconsistent doc

@ChaserZ98
Author

ChaserZ98 commented Nov 22, 2024

Incorrect error.id description in /self-service/login/browser API endpoint

Current behavior

If the requested ?return_to address is not allowed to be used, it will return a response with error id self_service_flow_return_to_forbidden rather than security_identity_mismatch. This applies when either the selfservice.default_browser_return_url address in the configuration or the return_to address in the search param is not included in selfservice.allowed_return_urls in the configuration.

Clarification needed

Based on the above behavior, the situation which returns security_identity_mismatch is incorrect and needs to be clarified.

@ChaserZ98
Author

TypeScript SDK error for missing redirect_browser_to action

Current behavior

The current version (1.2.1) of @ory/kratos-client and @ory/kratos-client-fetch will both raise an error when the response has a continue_with field with action set to redirect_browser_to, because the SDK is missing the code logic for handling it. Using the SDK will break any flow that is dependent on redirect_browser_to, such as login flow, registration flow, recovery flow, setting flow and verification flow. Basically all the important flows are influenced.

Reference doc

In some API docs, such as Update Login Flow and Update Registration Flow, there is a clear note indicating that their action will always be redirect_browser_to.

Related issue

Please see ory/sdk#384
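
Added example, not part of the issue thread and not Ory SDK code: one way a client can read continue_with from the raw JSON body, so that an action the typed SDK does not model is reported instead of raising, and a redirect_browser_to target is checked before the browser is sent there. It assumes the item carries the URL in a redirect_browser_to field; ALLOWED_ORIGINS, checkRedirect, planContinueWith and the sample body are hypothetical names and constructed values.

```typescript
// Added example (not Ory SDK code): read continue_with from the raw JSON body.
type Outcome =
  | { kind: "redirect"; url: string }
  | { kind: "rejected"; reason: string }
  | { kind: "unhandled"; action: string };

// Hypothetical allow-list owned by the application; not a Kratos setting.
const ALLOWED_ORIGINS: string[] = ["https://app.example.test"];

// Compare the parsed origin; prefix-matching the raw string would accept
// look-alike hosts such as app.example.test.other.test.
function checkRedirect(target: unknown, allowed: string[]): Outcome {
  if (typeof target !== "string" || target === "") {
    return { kind: "rejected", reason: "missing redirect_browser_to value" };
  }
  let parsed: URL;
  try {
    parsed = new URL(target); // absolute URLs only; relative input throws
  } catch {
    return { kind: "rejected", reason: "not an absolute URL" };
  }
  if (parsed.protocol !== "https:") return { kind: "rejected", reason: "scheme not allowed" };
  if (!allowed.includes(parsed.origin)) return { kind: "rejected", reason: "origin not allowed" };
  return { kind: "redirect", url: parsed.href };
}

// Returns one outcome per continue_with item; never throws on unknown actions.
function planContinueWith(body: unknown, allowed: string[] = ALLOWED_ORIGINS): Outcome[] {
  const raw = (body as { continue_with?: unknown } | null)?.continue_with;
  if (!Array.isArray(raw)) return []; // field absent: nothing to do
  return raw.map((item: unknown): Outcome => {
    const rec = (item ?? {}) as Record<string, unknown>;
    const action = typeof rec["action"] === "string" ? rec["action"] : "";
    if (action === "redirect_browser_to") {
      return checkRedirect(rec["redirect_browser_to"], allowed);
    }
    return { kind: "unhandled", action };
  });
}

// Constructed sample body, not captured from a real Kratos instance.
const SAMPLE_BODY = {
  continue_with: [
    { action: "redirect_browser_to", redirect_browser_to: "https://app.example.test/welcome" },
    { action: "redirect_browser_to", redirect_browser_to: "https://app.example.test.other.test/" },
  ],
};
```

The caller navigates only on a "redirect" outcome and logs "rejected" and "unhandled" outcomes.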
