The email verification does not work correctly on native platforms #3390

Open
4 of 6 tasks
akjol-rakhmanov opened this issue Jul 25, 2023 · 2 comments
Labels
bug Something is not working.


@akjol-rakhmanov

Preflight checklist

Describe the bug

When I request a verification flow on a native platform like this: self-service/verification/api, I get the flow id correctly, but when I send JSON data with the flow id, I get the browser UI index verification page, while I expected to get JSON data. By email I correctly receive the verification code and the verification link.

Reproducing the bug

  1. Send a request to self-service/verification/api to get a flow id
  2. Using the flow id, send a request like this: self-service/verification?flow=the_flow_id with the JSON body: {"email":"my@email.com", "method":"code"}
  3. You will get the web UI that is set in the configuration (ui_url: https://id.test.domain.com/verify) instead of JSON data.

Relevant log output

No response

Relevant configuration

version: v0.13.0

dsn: memory

serve:
  public:
    base_url: https://id.test.domain.com/
    cors:
      enabled: true
      allowed_origins:
        - https://*.test.domain.com
        - https://*.id.test.domain.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    base_url: http://kratos.id:4434/

selfservice:
  default_browser_return_url: https://id.test.domain.com/login/
  allowed_return_urls:
    - https://id.test.domain.com
    - https://www.test.domain.com
    - http://local.test.domain.com
    - https://admin.test.domain.com
  

  methods:
    
    password:
      enabled: true
    profile:
      enabled: true
    totp:
      config:
        issuer: domain
      enabled: true
    lookup_secret:
      enabled: true
    link:
      enabled: true
    code:
      enabled: true

  flows:
    error:
      ui_url: https://id.test.domain.com/error

    settings:
      ui_url: https://id.test.domain.com/settings
      privileged_session_max_age: 20m
      required_aal: highest_available

    recovery:
      enabled: true
      ui_url: https://id.test.domain.com/recovery
      use: code

    verification:
      enabled: true
      ui_url: https://id.test.domain.com/verify
      use: code
      after:
        default_browser_return_url: https://id.test.domain.com/login

    logout:
      after:
        default_browser_return_url: https://id.test.domain.com/login

    login:
      ui_url: https://id.test.domain.com/login
      after:
        hooks:
          - hook: require_verified_address
        default_browser_return_url: https://id.test.domain.com/settings
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: https://id.test.domain.com/registration
      after:
        default_browser_return_url: https://id.test.domain.com/callback/success

log:
  level: warning
  format: json
  leak_sensitive_values: true

cookies:
  domain: test.domain.com

session:
  cookie:
    domain: test.domain.com

secrets:
  cookie:
    - EFE6BDD292685A2112323139F59FED65B5E61B
  cipher:
    - JgbYwLNNddJMasnQzsG8zVseCfDuLjgdG3mherK

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_id: customer_v1
  schemas:
    - id: customer_v1
      url: file:///etc/config/kratos/schemas/v1/customer.schema.json
    - id: seller_v1
      url: file:///etc/config/kratos/schemas/v1/seller.schema.json
    - id: admin_v1
      url: file:///etc/config/kratos/schemas/v1/admin.schema.json

courier:
  template_override_path: /etc/config/kratos/templates
  templates:
    recovery_code:
      valid:
        email:
          body:
            html: file:///etc/config/kratos/templates/recovery/valid/body.gotmpl
      invalid:
        email:
          body:
            html: file:///etc/config/kratos/templates/recovery/invalid/body.gotmpl
    verification_code:
      valid:
        email:
          body:
            html: file:///etc/config/kratos/templates/verification/valid/body.gotmpl
      invalid:
        email:
          body:
            html: file:///etc/config/kratos/templates/verification/invalid/body.gotmpl

Version

v0.13.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response

@akjol-rakhmanov akjol-rakhmanov added the bug Something is not working. label Jul 25, 2023
@vinckr
Member

vinckr commented Jul 26, 2023

Hm I was not able to reproduce this using Ory Network.

Can you maybe share the curl equivalent for the requests, so I can make sure I do the same procedure?

@MichaelMarner

I have seen this behaviour if the request is missing the Accept: application/json header. Make sure you're setting this header when making the request.
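
The header dependency described in the comment above, as an added example that is not part of the original thread or of the Kratos code base: a client helper that sends the step 2 request with `Accept: application/json` and refuses to parse a reply that is not JSON. `StubHandler` is a constructed local stand-in that only imitates the reported behaviour (HTML unless JSON is requested); `submit_verification` and `demo` are hypothetical names.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in, not Kratos: replies with JSON only if asked to."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if "application/json" in self.headers.get("Accept", ""):
            ctype, body = "application/json", b'{"stub": "json reply"}'
        else:
            ctype, body = "text/html", b"<html>verification UI</html>"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def submit_verification(base_url, flow_id, email, send_accept=True):
    """POST the body from the report; refuse to parse a non-JSON reply."""
    headers = {"Content-Type": "application/json"}
    if send_accept:
        headers["Accept"] = "application/json"
    req = urllib.request.Request(
        f"{base_url}/self-service/verification?flow={flow_id}",
        data=json.dumps({"email": email, "method": "code"}).encode(),
        headers=headers, method="POST")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        ctype = resp.headers.get_content_type()
        if ctype != "application/json":
            raise ValueError(f"expected JSON, got {ctype}; is Accept set?")
        return json.loads(resp.read())

def demo():
    """Run both variants against the local stub; return (json, html_rejected)."""
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        ok = submit_verification(base, "the_flow_id", "my@email.com")
        try:
            submit_verification(base, "the_flow_id", "my@email.com", False)
            return ok, False
        except ValueError:
            return ok, True
    finally:
        server.shutdown()
```

Checking the response `Content-Type` before parsing turns a missing header into an explicit error instead of a JSON decode failure on an HTML page.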
