I’m encountering a

ECONNREFUSED

connection error while attempting to deploy on a local Kubernetes cluster in Docker-Desktop w/ Helm and using Self Service UI Node (more details in the thread).

Is it safe to have a frontend (UI) trigger the backend to handle communication w/ Kratos? (registration as an example): • Creating the registration (flow_id) • Getting the registration flow and returning redirect to UI registration page • Submitting registration flow w/ identity registration details from UI

Hi, is it possible to run Ory Kratos on a Server to use it for local testing or will there be issues because of "Set Cookie" from another domain ? For example: Kratos runs on server example.com and I want to get csrf and session cookies on my locally hosted instance of my applicatiion, ergo localhost

Maybe an update from me about the client name or ID access in the kratos selfservice ui. I found out that the login flow for example has the client data included. I am thinking about getting that flow and using this information on all the other pages. But this feels like a hack. Is there no other way? And for the logout problem I am facing: my logout URL in hydra was probably not correct. I changed it to self-service/logout/browser which at least forwards to Kratos, but then I am stuck in the browser with the generated logout URL. Do I initially redirect to the hydra logout URL or do I fetch it with an ajax style get request?

Hey Ory team 👋 We have been trying to upgrade our Oathkeeper version to the latest version v0.40.2. And we are struggling with distributed tracing between OpenTelemetry and Datadog (since datadog has been removed as trace backend) We were able to set up sending Oathkeeper OTEL traces to the datadog-agent, and accept them, using this doc: https://docs.datadoghq.com/opentelemetry/otlp_ingest_in_the_agent/?tab=kuberneteshelmvaluesyaml However, the traces are all alone, and they are not correlated with our datadog traces from other previous and called services anymore. Because the X-Datadog-* headers obviously don't match the standard B3 headers. Anyone knows how to let the datadog-agent accept OTEL headers and correlated the traces? 🙂 (we've created https://help.datadoghq.com/hc/en-us/requests/1176629 on the Datadog support)

Is there a way to have Ory services leverage a read-replica connection for certain read-only operations? Would potentially be a good way to reduce database load, especially for keto.

I just found Ory, and it seems to be the perfect fit for my setup. The only issue is that I just cannot get the entire stack working. Does anyone have a complete docker-compose file for the complete Ory stack with Kratos, Hydra, Oathkeeper, Keto and the kratos-selfservice-ui-node for running it in a (semi-)production environment (non-critical infrastructure, just testing for now)? I also need some advice on how I would set up the subdomains/routes on my reverse proxy (Caddy). How should I structure it? For example, should I put everything on a subdomain, like sso.example.com and then expose the different components via paths, such as sso.example.com/hydra etc. or are there better solutions like using different subdomains for each component?

Hey Ory team 👋🏾 How are you ? I am using self-hosted Kratos deployment with Kubernetes using this Helm chart: https://github.com/ory/k8s/tree/master/helm/charts/kratos. The Kratos app version used by this chart is v0.11.1. Is this normal? The current Kratos version is v0.13.0. If the app provider PR is merged to master (https://github.com/ory/kratos/pull/3216), will the self-hosted Kratos be automatically updated with the Helm chart?

Hey team, do any of you have a working example with self-hosted OIDC/Google? The links inside this page send me to nowhere (Social sign-in | Ory)

Hello 👋, I’m trying to deploy Keto in my Kubernetes cluster using the official Helm chart. Everything deploys fine, and I use the official OpenAPI specification to interact with the Keto API. I expose my service properly and can see the incoming requests in the pod logs. The command I used to expose the service is

kubectl --namespace ory port-forward svc/keto-read 4466:80

My issue is that all endpoints I am calling always return a 404 error and I can’t figure out what is going wrong. As I said, I can see the requests in the logs so I suspect that there is a misconfiguration in the endpoints or maybe even in which protocol is used. I try to interact with the API using HTTP. From what I understand, the basic configuration is GRPC. So maybe there is a mismatch on the protocol level ? I am posting my values-yaml file in a thread. Any help would be appreciated!

Hello guys 👋🏾 how are you doing? I need help again 😞 I successfully configured Google and Discord sign-in. But when I am trying to configure Apple Sign In and followed this documentation https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple. However, when I configure my yaml file:

oidc:
  config:
    providers:
      - id: apple
        provider: apple
        client_id: "<http://xxx.xxxx.xxx|xxx.xxxx.xxx>"
        apple_team_id: "xxxxxxxxxx"
        apple_private_key_id: "xxxxxxxxxx"
        apple_private_key: |
          -----BEGIN PRIVATE KEY-----
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxx
          -----END PRIVATE KEY-----
        issuer_url: "<https://appleid.apple.com>"
        mapper_url: "file:///etc/config/apple.jsonnet"
        scope:
          - email

I get this error in Kratos.

The configuration contains values or keys which are invalid:

I don't know what i am doing wrong 😔

Hello Guys 👋🏾, How are you? Do you know how I can build the new version with my Helm configuration for Kubernetes? Or do you know when the next Kratos release will be? (I really need this Feature: https://github.com/ory/kratos/pull/3216) 🙏🏾

We currently use Self Hosted Keto and Oathkeeper in Kubernetes. We authenticate with Dex IDP which we also self host in Kubernetes. Is moving towards Ory cloud with Oathkeeper/Keto/Kratos more viable?

My post-registration webhook returns

{"identity":{"metadata_admin":{"groups":[{"id":1,"role":"user"}]}}}

(verified it) with correct headers and Kratos debug logs says "ExecutePostRegistrationPrePersistHook completed successfully.". According to the docs (link) Kratos should update the admin metadata of this user, but the content doesn't change – and no errors in the logs. How to best debug this? 🙏 I already have logs set to debug but I can't see any issues.

@blue-caravan-99316 you can only mutate metadata_public using hooks, if you want to mutate the metadata_admin you need to do a separate patch request

I reported the issue here https://github.com/ory/kratos/issues/3192

HI, I'm trying to implement SPA local (development) email+password login flow but when I do the login call (after initializing with

createBrowserLoginFlow

, filling the data and using the provided

action

url) I get a CORS error response. Here is my kratos.yml:

version: v0.13.0

dsn: memory

serve:
  public:
    base_url: <http://127.0.0.1:4433/>
    cors:
      enabled: true
      allowed_origins:
        - <http://127.0.0.1:3000> # ui
        - <http://127.0.0.1:4433>
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - OPTIONS
      allowed_headers:
        - Authorization
        - Content-Type
        - X-Session-Token
        - Cookie
        - Access-Control-Allow-Origin
      exposed_headers:
        - Content-Type
        - Set-Cookie
      allow_credentials: true
  admin:
    base_url: <http://kratos:4434/>

selfservice:
  default_browser_return_url: <http://127.0.0.1:3000>
  allowed_return_urls:
    - <http://127.0.0.1:3000>

  methods:
    password:
      enabled: true
    totp:
      config:
        issuer: Kratos
      enabled: true
    lookup_secret:
      enabled: true
    link:
      enabled: true
    code:
      enabled: true

  flows:
    error:
      ui_url: <http://127.0.0.1:3000/auth>

    settings:
      ui_url: <http://127.0.0.1:3000/auth>
      privileged_session_max_age: 15m
      required_aal: highest_available

    recovery:
      enabled: true
      ui_url: <http://127.0.0.1:3000/auth>
      use: code

    verification:
      enabled: true
      ui_url: <http://127.0.0.1:3000/auth>
      use: code
      after:
        default_browser_return_url: <http://127.0.0.1:3000/auth>

    logout:
      after:
        default_browser_return_url: <http://127.0.0.1:3000/auth>

    login:
      ui_url: <http://127.0.0.1:3000/auth>
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: <http://127.0.0.1:3000/auth>
      after:
        password:
          hooks:
            - hook: session
            - hook: show_verification_ui

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: <smtps://test:test@mailslurper:1025/?skip_ssl_verify=true>

Can you help me?

Hi, I want to ask is it possible to make requests to

/admin/...

on a local Docker Kratos API. And if yes how 🙂 I have

CORS error

and in the

kratos.yml

serve.admin.cors

setting is not available... Also is there a way to create API key for the local Docker admin API?

Hi sir. I am local i am using oryd/hydra for oauth2 with my application and its is running prefect with 127.0.0.1, but when i use docker compose and give service-name/ip instead of localhost than i am getting error because callback after pressing login and giving credentials is taking me to 127.0.0.1 but when i change it it is giving error i am stuck in it from more then 1 month please help

hi everyone, I'm trying to configure kratos to communicate with an identity provider through oidc (for test purpose it's a keycloak). I think that I have correctly configure kratos, now I would like to test the solution, Do you have resources, tuto that can explain me how to develop the rest ?

Hello! I'm currently using Ory Kratos and Ory Hydra. I implemented the native way (using API endpoints instead of browser) to authenticate in mobile using kratos. But I don't like to use the Cookie as my session. Is there a way to use the OpenID to generate tokens(access, refresh) in kratos? I don't like to use the OAuth as well in native since it needs to open up a browser which kind of not native way to do it. Is there some kind of documentation for this? Thank you.

Hi everyone, I want to ask is there anyway to prevent user login if user login failed at several times?

Hello everyone, I recently configure kratos to use openidconnect, but I don't know how to add, for example, a field metadata in the identity which will have the value

$kratosConfiguration.selfservice.methods.oidc.config.providers[$oidc_provider_of_the_user].id

do you know a way to do that ? maybe with jsonnet ?

Hello 'm trying to export my users from django to kratos. hash algo is pbkdf2 https://docs.djangoproject.com/en/dev/topics/auth/passwords/#pbkdf2-and-bcrypt this is doc of Kratos https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#hashed-passwords this how i try to get hashed pass hasher = identify_hasher(user.password) password_data = hasher.decode(user.password) "password": { "config": { "hashed_password": f"$pbkdf2-sha256$i={password_data['iterations']},l=64${password_data['salt']}${password_data['hash']}" } } this result $pbkdf2-sha256$i=260000,l=64$izvFshjOXirWGqMWCG8fY4$eRft8tfitqNJbXMLFQy3tg5O0vLnbzDB9KvJ8zl41m4= but in kratos I can not use my password. it sais The provided credentials are invalid, check for spelling mistakes ..

Any way to get a hook every time there is any error in kratos? meaning bad signup/login or something like that. I want to fire an analytics event from the server in this cases

Hey everyone, I have been trying to go through the documentation for setting up Hydra (here) however I have been running into some issues with discrepancies between the Hydra v1 and v2 CLI commands, where some of the commands have either been changed or removed. Does anyone know if there is a tutorial that is specific to Hydra v2?

Hello everyone, I want to setup kratos locally and separate custom UI locally, and make the integration possible. Do you guys have any example/github repo to refer.

Hello, I was trying to setup a kratos server with docker on my server and instead of using nginx, I am trying to work this out through Caddy. Welcome page opens successfully. But when I click on sign in and it open https://accounts.example.in/login in new tab, It says too many redirects. Please find the following configuration for each file in the thread

hooks:
  - hook: web_hook
    config:
    (...)
    response:
      ignore: false
--->  parse: true

No longer supported? Doesn't validate with Kratos v0.28, but according to docs (link) it should. Prevent me from preventing user signups w/o terms and conditions accepted.

Hi, When I try to use mysql as database it is throwing the following error when creating migrations. I am using amzaon RDS Mysql v8.0.32

Error: error executing migrations/sql/20210817181232000006_unique_credentials.mysql.up.sql, sql: ALTER TABLE `identity_credential_identifiers` MODIFY `identity_credential_type_id` char(36) NOT NULL;: Error 1832 (HY000): Cannot change column 'identity_credential_type_id': used in a foreign key constraint 'identity_credential_identifiers_type_id_fk_idx'