Session ID is 00000000-0000-0000-0000-000000000000 in post-persist webhook call

[robert-sisutech]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

I have configured a webhook call to be made after password login. I want to pass the session data (along with transient payload) to another system. The webhook's response section is configured with parse: false and ignore: true as it's just a notification to another system and I don't care about the response and it should not block the login flow. With this configuration I understand the webhook call will be made after session data has been persisted to DB (post-persist).

When looking into the session object in the webhook handler I can see:

• session id is 00000000-0000-0000-0000-000000000000
• device id in the devices array is 00000000-0000-0000-0000-000000000000

This might indicate this webhook call was made pre-persist when the session data was not yet saved to DB. Or it was made post-persist but with pre-persist data.

I was looking around if someone has had a similar problem and I found this issue - #3340 - although it's about registration flow and about identity id. My defined webhook config is mostly the same as in this issue - parse: false and ignore: true - besides not using can_interrupt flag as it's deprecated.

Moreover inside the after-password-login webhook handler if I make an API call back to Kratos to fetch active sessions for the given user the session id and also the device id are defined in the sessions list returned in the response.

Do I have a wrong expectation for the session id to be defined with the actual session id and not 00000000-0000-0000-0000-000000000000 in the post-persist webhook call or is this not how it's supposed to work with given webhook configuration?

Reproducing the bug

1. Use Kratos v1.3.0
2. Set up selfservice-flows-after-password webhook with parse: false and ignore: true and send the session object from context in the request body.
3. Log in with Kratos account
4. In the webhook handler see that session id and also device id in the devices array is 00000000-0000-0000-0000-000000000000.

Relevant log output

Relevant configuration

selfservice:
  flows:
    login:
      after:
        password:
          hooks:
            - hook: web_hook
              config:
                url: http://<webhook call handler URL>
                method: POST
                body: base64://ZnVuY3Rpb24oY3R4KSB7IHNlc3Npb246IGN0eC5zZXNzaW9uIH0=
                response:
                  parse: false
                  ignore: true

Version

1.3.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

[marchetti554]

Hey, any updates on this? I'm facing the same issue

Update: I’ve opened a pull request aimed at addressing this issue. The fix appears straightforward, though I’m slightly concerned there might be implications I’m not yet aware of, the whole suit and a new test I added are running ok.

[vinckr]

Closing as not planned for the time being, see here for an explanation why:
#4496 (review)