could this be the issue? I’m running the api on

localhost:4433

and my app on

localhost:3000

from playing around with the publicly hosted version at

<https://kratos-reference-ui-react-nextjs.vercel.app/>

it appears the api is running on the same domain:

:authority: <http://kratos-reference-ui-react-nextjs.vercel.app|kratos-reference-ui-react-nextjs.vercel.app>
:method: POST
:path: /api/.ory/self-service/registration?flow=939f4dad-a543-45b4-adc3-cc0ed0780f08

and so the cookie is getting sent

I'm looking if there's some way to add some custom metadata to traits in identity schema and can only be consumed by flow.ui.nodes?

Hello @User, I did find a small workaround but am not sure about the security implications to it. Can you please guide me/connect me to the right person who can take a look at the solution?

Have any of the kratos texts based on IDs (errors, labels, ...) been internationalized?

Hey all, when settings some secrets in the kratos config through env vars, do I need to add a dummy value to be overwritten by the env var? I tried with

key: {null value}

, removing the key entirely, and now with a dummy value to be overwritten.

Depends on if you have metrics or haveibeenpwned set up

Hi, Is there are some external calls from kratos to the internet (some schema validation etc.)? Or is it possible to limit egress to: deny all?

• Hello everyone! Is anyone running Ory Kratos on Google Cloud Platform? Are there any recommendations/guides?

Hello all. I’m currently building out a new application in Vue 3 with Kratos. My first assignment is to essentially make a basic application with username/password registration and login. I’ve been more or less translating

@ory/kratos-selfservice-ui-react-nextjs

into Vue. Before I move on into a more in-depth application, I was thinking about forking the repository into an example we can add to the guides. Is that something that I could do for the project? Currently, I’m setting everything up in Docker as well, so I could probably tie all the strings together with a small effort. I could bring it up to feature parity with the React example.

Hey I'm new to the slack o/ I have a question regarding the identity schemas. So I can see the docs say that sensitive information should not be stored in that schema since it's user modifiable. However I'm getting mixed messages as to if I can use it to define system admins verses users or subscribers Can I make a schema for all the different types of users and be assured the user cant just change their schema to admin for example or can the user edit what schema they use also?

Hello, is there a sample demo app that has implemented MFA ? Thank you !

Right now, Kratos does not support Phone no. OTP flow right??

In this schema file what is "ory.sh/kratos". I am confused about this custom key in json schema, how does it work?

{
  "$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",
  "$schema": "<http://json-schema.org/draft-07/schema#>",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
---------------------------------------------------------
          "<http://ory.sh/kratos|ory.sh/kratos>": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
---------------------------------------------------------
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string"
            },
            "last": {
              "title": "Last Name",
              "type": "string"
            }
          }
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}

Hi! I have a question. Can we add “protected” attributes/traits to an user/identity? I want some attributes not to be edited by the user itself, but only from the admin service. Is this currently possible?

My auth app is on

<http://auth.example.com|auth.example.com>

and Kratos is on

<http://kratos.example.com|kratos.example.com>

so without this attribute, I can’t seem to set the cookie properly over multiple subdomains

Hello, in our application, kratos is deployed using helm charts under kubernetes. Currently the environment settings like DSN, which has DB username and password, is passed using k8s secrets. Since the secrets are storing as base64 encoded, it remains less secured, is there any way to pass sensitive environment data securely to kratos? Please share your thoughts.

Has anyone found it useful to work with the identity schema directly in their implementing applications? It seems like a well defined document that could be leveraged in client library implementations. Maybe help the developer more easily map the identity to their internal model? I’m working on a Devise / Warden authentication strategy in Ruby now and I’m exploring my options.

I'm submitting registration form and I'm getting

msg=Encountered self-service flow error. audience=audit error=map[message:I[#/] S[] could not find a strategy to sign up with trace:

Any ideas?

Hello. Do you plan to support returnUrl for logout ? Thanks 🙂

although the live demo link on that page returns this on sign in. Same issue when deploying against an early access account on cloud

{
error: {
code: 404,
status: "Not Found",
request: "ebeaa314-d275-4843-8c97-ee3ec13a05dd",
reason: "The requested Ory Cloud Project does not exist. Please ensure your custom domain or Ory Cloud Project Slug are correct.",
message: "project not found"
}
}

Is kratos able to deal with machine identities? aka that smart fridge on floor 4

Hello there, I need help regarding https://www.ory.sh/kratos/docs/guides/multi-domain-cookies/ my frontend URL is devapp.domain.com and my api url is dev-api.domain.com graphql is implemented for backend APIs, and now "cookie" request header is not getting added for dev-api.domain.com backend APIs can anyone please help. thanks.

Hi I've upgraded an existing installation to newer version. The new self-service-ui https://acc.login.commondatafactory.nl/welcome ends up in a redirect loop once I press login. SO I'm missing some configuration..

What's a good way to add profile pictures in kratos or this should be handled outside?

Hello, we are having problems with the 

csrf_token

  when working on the registration flow. We are trying to configure our frontend (

Vue

) with Kratos using the quickstart example with Kratos running in docker. We have replaced port 

4455

 in the Kratos config with our frontend port, and changed the registration routes to match our sign-up page. On our registration page we call 

initializeSelfServiceRegistrationFlowForBrowsers

 passing in the 

returnTo

 string and this returns with status 

200

 and gives us the 

csrf_token

 as part of the 

data.ui.nodes

 along with the other form nodes. We can also see the cookie in the Set-Cookie Response Header, however it appears they are different from the ones in the form attributes. Are the cookie and form tokens different because they are values in a pair? When testing the same part of the React example app, we can see that there is a 

Location Header

 in the browser call and the 

csrf_token

 cookie is being set as a cookie when clicking the Sign up button. However, we are not getting the same behaviour in our app. We cannot see a 

Location

 Header, and although we see a 

Set-Cookie

 header, the cookie does not seem to be being set in the browser. Also, when we call

submitSelfServiceRegistrationFlow

passing in the 

csrf_token

 that was initially included in the 

data.ui.nodes

 response from 

initializeSelfServiceRegistrationFlowForBrowsers

 we get a 

403

 error:

"The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."

How can we make sure that the tokens match? Our config:

version: v0.7.1-alpha.1

dsn: memory

serve:
  public:
    base_url: <http://127.0.0.1:4433/>
    cors:
      enabled: true
  admin:
    base_url: <http://kratos:4434/>

selfservice:
  default_browser_return_url: <http://127.0.0.1:8084/>
  whitelisted_return_urls:
    - <http://127.0.0.1:8084>

  methods:
    password:
      enabled: true

  flows:
    error:
      ui_url: <http://127.0.0.1:8084/error>

    settings:
      ui_url: <http://127.0.0.1:8084/settings>
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: <http://127.0.0.1:8084/recovery>

    verification:
      enabled: true
      ui_url: <http://127.0.0.1:8084/verification>
      after:
        default_browser_return_url: <http://127.0.0.1:8084/>

    logout:
      after:
        default_browser_return_url: <http://127.0.0.1:8084/login>

    login:
      ui_url: <http://127.0.0.1:8084/login>
      lifespan: 10m

    registration:
      lifespan: 10m
      ui_url: <http://127.0.0.1:8084/sign-up>
      after:
        password:
          hooks:
            -
              hook: session

log:
  level: debug
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 2
    salt_length: 16
    key_length: 16

identity:
  default_schema_url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: <smtps://test:test@mailslurper:1025/?skip_ssl_verify=true>

Probably an unusual thing to want, but is it currently possible to create a session for a user without them logging in?

Hi, is there any information regarding the release date of v0.9.0-alpha.1 ? I am currently stuck at implementing the Email-Verification Flow for our platform because the user-password should be set after the verification and I need a session to start the Settings-Flow. Issue https://github.com/ory/kratos/issues/286 would perfectly fit the case and is marked for Milestone v0.9.0-alpha.1 .

On another subject, @User and others here, there is a compelling use case for providing SOME mechanism via the Admin API to import existing users with existing passwords. It is very, very important for the following reasons: • When our customers want to move from another identity management solution to Kratos, it is simply NOT reasonable to expect potentially thousands of users to reset their passwords when a conversion is done. It is very hard to defend that for users regardless of the security concerns. For that reason, perhaps a protected Admin API requiring a special admin key to get access should be considered and an endpoint added supporting this ONLY for the identity system owners. • I have several use cases where we are utilizing the multiple identity schema feature to support scenarios where a customer wants to share a single identity for a group of users. In our last implementation, our customer sells access to content and content management to police departments and other first responder agencies. Each of these agencies shares a single identifier and password for the entire agency. Our back end is multi-tenant, so we key off that identity to ensure that those users access the right content. The sales process involves an agency giving us this information to set up on their behalf. A registration/recovery email workflow is not really appropriate for this. • Our deployment process for the entire suite of microservices that include Kratos sets up a SINGLE administrative "God" user for the system. From there, that God users invites all other users using the standard secure workflow (create identity and invite to complete registration with their password via recovery link). However, the God user must exist first (chicken or the egg). We have solved some of this by building a "sidecar" service/container that, in our Kubernetes installation, activates after Kratos has been been created in the cluster. This sidecar has a "migrate" style feature that, based on configuration, will create that first user when run as an "init container". It also exposes an API that allows for the creation of a user with a password if authorized by a "God" user type (known by JWT using Oathkeeper access rules and mutation). In order to pull this off, however, I have to fake Kratos out by running the entire sequence that would normally be executed by a browser to create the identity, create a recovery link, and then POST to that recovery link with cookies passed along and the

user-agent

set to assure Kratos thinks it is talking to a browser to complete the operation. That is a lot of work and not really proper process--it's a hack. However, it is the only way to automate a necessary process. Any thoughts on that?

Can someone explain what an AuthenticationSession is exactly and what would be an example of an AuthenticationSession object?