Create Login Flow for Browsers
GET {{baseUrl}}/self-service/login/browser?refresh=<boolean>&aal=<string>&return_to=<string>&login_challenge=<string>&organization=<string>&via=<string>
This endpoint initializes a browser-based user login flow. This endpoint will set the appropriate cookies and anti-CSRF measures required for browser-based flows.
If this endpoint is opened as a link in the browser, it will be redirected to `selfservice.flows.login.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session exists already, the browser will be redirected to `urls.default_redirect_url` unless the query parameter `?refresh=true` was set.
If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the case of an error, the `error.id` of the JSON response body can be one of:

- `session_already_available`: The user is already signed in.
- `session_aal1_required`: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.
- `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
- `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
The optional query parameter `login_challenge` is set when using Kratos with Hydra in an OAuth2 flow. See the `oauth2_provider.url` configuration option.
This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
More information can be found at Ory Kratos User Login and User Registration Documentation.
Request Params

| Key | Datatype | Required | Description |
|---|---|---|---|
| refresh | string | | Refresh a login session. If set to true, this will refresh an existing login session by asking the user to sign in again. This will reset the `authenticated_at` time of the session. |
| aal | string | | Request a specific Authentication Method Assurance Level. Use this parameter to upgrade an existing session's authenticator assurance level (AAL). This allows you to ask for multi-factor authentication. When an identity signs in using e.g. username+password, the AAL is 1. If you wish to "upgrade" the session's security by asking the user to perform TOTP / WebAuthn / ... you would set this to "aal2". |
| return_to | string | | The URL to return the browser to after the flow was completed. |
| login_challenge | string | | An optional Hydra login challenge. If present, Kratos will cooperate with Ory Hydra to act as an OAuth2 identity provider. The value for this parameter comes from the `login_challenge` URL query parameter sent to your application (e.g. `/login?login_challenge=abcde`). |
| organization | string | | An optional organization ID that should be used for logging this user in. This parameter is only effective in the Ory Network. |
| via | string | | Via should contain the identity's credential the code should be sent to. Only relevant in aal2 flows. |
HEADERS

| Key | Datatype | Required | Description |
|---|---|---|---|
| Cookie | string | | HTTP Cookies. When using the SDK in a browser app, on the server side you must include the HTTP Cookie header sent by the client to your server here. This ensures that CSRF and session cookies are respected. |
| Accept | string | | |
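The AJAX branch described above, together with the Cookie-forwarding rule from the HEADERS table, as an added example that is not code from the Ory Kratos project: it builds the request URL from the documented query parameters, asks for JSON, and maps each documented `error.id` to a defensive next step. The option names, `defaultRedirectUrl`, and the injectable `fetchImpl` are assumptions of this example.

```javascript
// Added example, not code from the Ory Kratos project. baseUrl is the public
// Kratos URL; opts mirrors the endpoint's query parameters; fetchImpl is injectable
// so the function can be exercised without a network (assumptions of this example).

const LOGIN_QUERY_PARAMS = ["refresh", "aal", "return_to", "login_challenge", "organization", "via"];

function buildLoginFlowUrl(baseUrl, opts = {}) {
  const url = new URL("/self-service/login/browser", baseUrl);
  for (const key of LOGIN_QUERY_PARAMS) {
    if (opts[key] !== undefined) url.searchParams.set(key, String(opts[key]));
  }
  return url.toString();
}

// Decide what the client does next from a JSON error body ({ error: { id, ... } }).
function nextActionForError(body, defaultRedirectUrl) {
  const id = body && body.error ? body.error.id : undefined;
  switch (id) {
    case "session_already_available": // the user is already signed in
      return { action: "redirect", to: defaultRedirectUrl };
    case "session_aal1_required": // aal2 was requested but there is no session yet
      return { action: "restart", opts: {} }; // start a plain flow to obtain a first-factor session
    case "security_csrf_violation": // CSRF cookie missing or stale: get a fresh flow
      return { action: "restart", opts: {} };
    case "security_identity_mismatch": // return_to is not permitted by the server configuration
      return { action: "fail", reason: "return_to is not allowed; fix the server configuration" };
    default:
      return { action: "fail", reason: `unexpected error.id: ${id}` };
  }
}

async function createBrowserLoginFlow(baseUrl, opts = {}, fetchImpl = fetch) {
  const headers = { Accept: "application/json" }; // AJAX: receive the flow as JSON, not a redirect
  if (opts.cookie) headers.Cookie = opts.cookie; // server side only: forward the client's Cookie header
  const res = await fetchImpl(buildLoginFlowUrl(baseUrl, opts), {
    method: "GET",
    credentials: "include", // in a browser: send the CSRF and session cookies this endpoint relies on
    headers,
  });
  const body = await res.json();
  if (res.ok) return { action: "render", flow: body }; // caller renders body.ui.nodes
  return nextActionForError(body, opts.defaultRedirectUrl);
}
```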
RESPONSES
status: OK