ory-community #kratos

Channels

announcements

ask-gpt

console-v2

loud-engineer-1276

05/19/2023, 4:43 PM

I'm testing this flow: 1. user attempts to access a protected subdomain

<http://admin.mysite.com|admin.mysite.com>

2. user is not logged in, so they are redirected to

<http://mysite.com/auth|mysite.com/auth>

to login 3. user logs in and is redirected to

<http://admin.mysite.com|admin.mysite.com>

This behavior works 1-3, but adds a 4: 4. the user is redirected infinitely from
<http://admin.mysite.com|admin.mysite.com>
to
<http://mysite.com/auth|mysite.com/auth>
and back. I have oathkeeper managing redirect to kratos and am running the default kratos ui; I have

*.<http://mysite.com|mysite.com>

added as an

allowed_redirect_url

and

<http://mysite.com|mysite.com>

as the cookie domain. are there other configurations I need? do I need to make a change in the client? or should this be working?

loud-engineer-1276

05/19/2023, 8:42 PM

what it looks like is happening is that kratos when queried from oathkeeper returns a redirect for unauthorized (401), but when queried from the node ui, it returns a valid user (recognizes a logged in user). this is validated by the redirect loop (redirects to login, login is already valid, so it redirects back to the

return_to

) and by me accessing

/auth

directly and getting the logged in user dashboard.

loud-engineer-1276

05/20/2023, 1:57 AM

alright... I think I realized the problem; my oathkeeper.yml

check_session_url

was still defaulted to

kratos

, but that service is running as a different name. ✅ -- not sure if authed, but I'm not hitting the service. checking headers comes next.

swift-island-66287

05/21/2023, 7:23 AM

hey team, when I use google (haven't tried other providers) to create an account, I get the following identity ID back

00000000-0000-0000-0000-000000000000

When I create an account using a password, I get a proper ID back. I use this ID in another DB to link to this user. Did I miss something while setting up google OIDC?

glamorous-lamp-83196

05/21/2023, 9:06 AM

Hi, has anyone got transient payloads to work when sending a form as

x-www-form-urlencoded

? I have an input field in the form which I fill with the data I want to pass to a web hook during registration:

<input name="transient_payload.organizations" id="organizations" type="hidden" value="something here" />

But in the

ctx.flow

I see that the data is not there:

'transient_payload': {}

So has anyone got it working or is it something obvious I'm missing?

careful-musician-37298

05/22/2023, 7:17 AM

Hello, I had a few questions for kratos, kratos-migrate and kratos-selfservice-ui-node docker security • Is it possible to add the

read_only

flag for the these services without affecting functionality? • Is it advisable to drop all capabilities by default for these services? • What are the recommended settings for

mem_limit

cpus

pids_limit

cgroup options for these services?

some-addition-86177

05/22/2023, 9:44 AM

Hi all, is there an easy way to implement something like a users block list (e.g. temporarily blocking a certain user from logging in due to malicious activity)

adamant-rocket-9863

05/22/2023, 10:18 AM

Hello Everyone, we use Kratos in our oss project ( Paralus ) and we are adding Trivy vulnerability scanner as part of our CI, when added trivy reported few high issues related to kratos gobinary downloaded from v0.11.1 release. Can someone please take a look and confirm if these are being tracked to closure or can be ignored ? ref: https://github.com/paralus/paralus/actions/runs/4990367815/jobs/8935476380?pr=219#step:13:39

adventurous-jordan-12702

05/22/2023, 12:10 PM

Do you know, if Kratos supports sending a JWT request object when initiating a login flow with OIDC? It is described in the OIDC spec here.

faint-energy-48611

05/22/2023, 2:06 PM

Hi, we're using the current master version of kratos with OIDC support for native apps. Google login works well, but we have a problem with Apple. We are able to get into apple authorization site, but we aren't able to complete it, as we just get stuck on the consent screen right after inputting the password. There are no logs in app, nor in Kratos. We've double-checked our OIDC configuration and return_to urls in apple console. Any tips what can be wrong here?

tall-angle-41306

05/22/2023, 4:00 PM

Any thoughts on why we might encounter this error upon clicking the link in a verification email?

{
  "code": 500,
  "status": "Internal Server Error",
  "message": "named insert: ERROR: insert or update on table \"identity_verification_codes\" violates foreign key constraint \"identity_verification_codes_identity_verifiable_addresses_id_fk\" (SQLSTATE 23503)"
}

millions-smartphone-96713

05/22/2023, 4:01 PM

Hi, Does anybody confirm that

session.cookie.domain

https://www.ory.sh/docs/kratos/guides/configuring-cookies#session-cookies is working now? I saw the related code path

UpsertAndIssueCookie

is only called in

PostLoginHook

which looks likes not called from the code path where kratos UI is pointing

kratos/self-service/login/

limited-nail-62136

05/22/2023, 7:51 PM

Hi! We have the specific problem of wanting to forbid certain github IDs from being able to connect through the settings flow linking, and only through registration/login. It seems like there isnt any hook that happens mid-settings flow, and almost every way to remove the OIDC afterwards if I do an after-hook seems to be disabled even for administrators. It seems like the best case to do is do self-hosted and modify the code or the db directly- thoughts ?

wooden-knife-9469

05/23/2023, 6:42 AM

Hi, I need your help with password recovery flow using self service apis with code method. I am successfully receiving the code and passing it in the updateRecoveryFlow method. What I would like to know is how to proceed after this step to the reset password step. Documentation mentions something about privileged authentication. But could not find detailed explanation on how to implement it to reset password in the recovery flow. Right now after submitting code to the updateRecoveryFlow, I am taking new password from user and calling the updateSettingsFlow method with the new password but getting ‘401 authentication’ error. Could you please help me with this issue. Thanks you!

fresh-accountant-49287

05/23/2023, 11:58 AM

Is there a way to handle anonymous signup (non-email identifier)?

straight-zebra-73509

05/23/2023, 10:47 PM

SMS OTP feature. Hi, I want some of my users signup and login using phone number and SMS OTP. I know SMS OTP feature is not natively implemented in Ory Kratos. Is it possible to implement it using webhooks in self-hosted kratos that contacts an API endpoint that sends SMS using a SMS provider like AWS SNS? Has anyone implemented it?

helpful-eve-46197

05/24/2023, 11:11 AM

hello ory team , Frontend origin is https://devapp.stackways.io/ and flow id i am generating via https://dev-api.stackways.io/.ory/kratos/public/self-service/login/browser , When i try to login with https://dev-api.stackways.io/.ory/kratos/public/self-service/login?flow=d14df424-61d5-4a38-838f-8104ea747a5a (Login flow ) getting 403 forbidden . (CSRF token mismatching error gettting) but csrf token is generating and passing correctly in the request body .

faint-energy-48611

05/24/2023, 1:23 PM

Has anything changed regarding return_to URLs handling? After the upgrade to v0.13.0 kratos ignores it and redirects to ui_url after a verification link click. default_browser_return_url also doesn't seem to affect anything anymore :<

faint-energy-48611

05/24/2023, 3:50 PM

Sorry if it's a duplicate question, but searching slack for old messages doesn't work 😞 Is it possible to have the same user identity have both email&password login as well as email&webauthn/oidc login? For example, I have a user that signed up with Google OIDC, can he later set up a normal password and detach from Google?

high-optician-2097

05/24/2023, 4:54 PM

yes!

melodic-night-12395

05/24/2023, 5:16 PM

is there any documentation around creating api keys for self hosted kratos that im missing?

straight-zebra-73509

05/24/2023, 7:06 PM

I used admin.api-endpoint.com/admin/identities to create an identity with email address. The identity is created, but I am not getting any verification link to that email. The smtp courier I have set in kratos.yml is

<smtps://user%40domain.com:password@smtp.domain.com:587/?skip_ssl_verify=true>

(with values substituted properly) Am I missing something?

acoustic-zebra-63757

05/25/2023, 2:48 AM

Hi! When trying to reset their password, some of my users are getting emails with the title "Account access attempted". Looking in my Kratos DB, I can see the users having trouble are missing the

email-recovery

trait. Is there a way to fix this beyond manually adding that trait to every single user? Any ideas on how their getting into this state?

alert-painter-66256

05/25/2023, 9:27 PM

Not sure if this is the right place to post. But we use Ory Elements and are not able to get 2FA working

<UserAuthCard
      title={
        !(flow.refresh || flow.requested_aal === 'aal2')
          ? 'Sign In'
          : 'Two-Factor Authentication'
      }
      flowType={'login'}
      // we always need the flow data which populates the form fields and error messages dynamically
      flow={flow}
      // the login card should allow the user to go to the registration page and the recovery page
      additionalProps={{
        forgotPasswordURL: '/auth/recovery',
        signupURL: '/auth/registration'
      }}
      // we might need webauthn support which requires additional js
      // includeScripts={true}
      // we submit the form data to Ory
      onSubmit={({ body }) => submitFlow(body as UpdateLoginFlowBody)}
    />

We use the AuthCard like this, but it shows this: https://tca0.nl/5Gi instead of something like this: https://tca0.nl/QZf

alert-painter-66256

05/26/2023, 12:30 AM

Got it to work now but the solution was a bit hack(ish) by doing this on submit:

orySdk
      .updateLoginFlow({ flow: flow.id, updateLoginFlowBody: body })
      .then(({ data }) => {
        // if the user requested aal2, we redirect to the aal2 login page
        if (!hasAal2 && !data.session.identity) {
          window.location.href = '/auth/login?aal2=true'
          return
        }

        // we successfully submitted the login flow, so lets redirect to the dashboard
        onSuccessfullLogin(data)
      })
      .catch(sdkErrorHandler)
  }

fast-lunch-54279

05/26/2023, 8:39 AM

i'm not deep into the details of Elements, but generally your login flow should have an AAL2 set. this piece is actually buggy:

``` !(flow.refresh || flow.requested_aal === 'aal2')

? 'Sign In'

: 'Two-Factor Authentication'```

and we recently fixed it for Account Experience (but not sure if we fixed all places in elements) - when flow.refresh is true, the message should be "please confirm that it's you", not "two factor auth"

fast-lunch-54279

05/26/2023, 8:39 AM

so the first piece of code actually triggered a session refresh, not step up

fast-lunch-54279

05/26/2023, 8:40 AM

https://www.ory.sh/docs/reference/api#tag/frontend/operation/createBrowserLoginFlow

sparse-vegetable-80161

05/26/2023, 10:02 AM

Hi ! Is there any way to use

md5 hasher

in self-host kratos ? I saw someone implement in the github , but I can't use the md5 hasher in my quick start yaml file . here is my yaml file

version: v0.13.0

dsn: memory

serve:
  public:
    base_url: <http://127.0.0.1:4433/>
    cors:
      enabled: true
  admin:
    base_url: <http://kratos:4434/>
dev: true
selfservice:
  default_browser_return_url: <http://127.0.0.1:4455/>
  allowed_return_urls:
    - <http://127.0.0.1:4455>

  methods:
    password:
      enabled: true
    totp:
      config:
        issuer: Kratos
      enabled: true
    lookup_secret:
      enabled: true
    link:
      enabled: true
    code:
      enabled: true

  flows:
    error:
      ui_url: <http://127.0.0.1:4455/error>

    settings:
      ui_url: <http://127.0.0.1:4455/settings>
      privileged_session_max_age: 15m
      required_aal: highest_available

    recovery:
      enabled: true
      ui_url: <http://127.0.0.1:4455/recovery>
      use: code

    verification:
      enabled: true
      ui_url: <http://127.0.0.1:4455/verification>
      use: code
      after:
        default_browser_return_url: <http://127.0.0.1:4455/>

    logout:
      after:
        default_browser_return_url: <http://127.0.0.1:4455/login>

    login:
      ui_url: <http://127.0.0.1:4455/login>
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: <http://127.0.0.1:4455/registration>
      after:
        password:
          hooks:
            - hook: session
            - hook: show_verification_ui

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: md5

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: <smtps://test:test@mailslurper:1025/?skip_ssl_verify=true>

straight-zebra-73509

05/26/2023, 2:43 PM

Ory kratos's config yml file requires me to set public url and admin url. After starting the server, both url give the same response when any api endpoint is called, for ex, creating an identity by calling /admin/identities. What then is the difference between the two urls?