Are there any recommendations for how to configure secrets within the

selfservice.methods.oidc.config.providers

list for the Kratos helm chart? As mentioned here: https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc#environment-variables The only option seems to be exporting the whole config via:

export SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS='[<bunch of json>]'

which isn't recommended in the docs due to the complexity. Is there a recommended alternative? If I can't override a secret that's nested within that list, and overriding the entire list isn't recommended, I wonder if there's a more reasonable option 🤔

i want to use ory hydrator mutator such that is i want to sent only specific user information from a cookie to my backend server? But i am getting this error: "message": "json: cannot unmarshal string into Go value of type authn.AuthenticationSession"

Hello everyone, Testing out the kratos-selfservice-ui-node I noticed that the “resend code”-button is only available if starting a new verification by sending in an email address, but if registration is configured to have a after hook to

show_verification_ui

the email that the user registered with is not included and there is no “resend code”-button available. Is this a reason for why these views are different between the two use cases or was this use case not considered in the happy path during the implementation of verification via one time codes (https://github.com/ory/kratos/issues/2824) Thanks in advance for answers!

Hello everyone, I'm in the process of running ORY Kratos locally using Docker and connecting it to my React Next.js app. However, I've been facing a series of errors throughout the setup. Currently, I find myself stuck in a CORS error, despite having configured everything according to the documentation. Appreciate any assistance or insights you can provide.

I am struggling to get courier to speak to a simple, development SMTP server with no authentication, and no TLS (and of course no x509 cert). This is only for dev, not for production, but still, it should work... My kratos.yml contains: courier: smtp: connection_uri: connection_uri: smtp://smtp.xxx.yyy:25/?disable_starttls=true?skip_ssl_verify=true which results in log entries like this: time=2023-11-29T152123Z level=error msg=Unable to send email using SMTP connection. func=github.com/ory/kratos/courier.(*courier).dispatchEmail file=/project/courier/smtp.go:215 audience=application error=map[messagetls failed to verify certificate: x509: certificate signed by unknown authority stack_trace:stack trace could not be recovered from error type *tls.CertificateVerificationError] message_from=no-reply@ory.kratos.sh message_id=c1e5c47d-b079-4b2b-8eee-58e20e263bb8 message_nid=b97b5f72-0490-4ed9-8046-c32dc4e57216 service_name=Ory Kratos service_version=v1.0.0 smtp_server=smtp.xxx.yyy:25 smtp_ssl_enabled=false To me this looks like it is trying to do an x509 certificate validation even though startTLS and ssl_verify are disabled (excuse the negative logic) anyone seen anything like this?

Hi all ,can anyone help here, Problem i am facing: I have 2 apps with individual client id and client secret,Both the application are individually handling there session when i set remember_me in the accept consent to true in one app ory hydra is trying to logs me in correctly, but since the remember_me is true in the second app i automatically get logged in as hydra is creating session in background , but i don't want this behavior , that is i don't want hydra to create session , if i set remember_me to false , hydra is not creating session, but because of this it is always showing the consent screen on every login request i make , because skip is never becoming true in this case The Behavior i want : skip should become true , when the user is already given consent to the application and this should work with remember_me as false as i don't want hydra to keep track of session.

Hello all can anyone guide me how to deploy ory kratos on kubernetes?

Good morning I'm hoping someone will have some insights as to what our issue is we are having, We have most of the ory suite setup kratos/oathkeeper/hydra, were having a problem on 1.0 kratos with MFA and recovery paths, where the return URL doesn't include the aal=aal2 (it's blank aal=), which then causes infinite redirect errors. If I take the url it gives me for the redirect and add aal=aal2 I get back to the mfa screen to continue the recovery so it looks like just a config bug on our side but for the life of me can't figure it out. s Let me know what parts of config(s) you need to see I can grab them for you. It's running in Kubernetes we have nginx ingress for the ingress to oathkeeper rule => kratos/auth ui (self service node ui)

Hi! Hopefully a very quick question 😉 In the configuration for Kratos, everything in the settings `after`hook seems to be unrecognised in helm version 0.35. I can't find anything in the configuration or elsewhere. Who has the golden tip 🥇

flows:
        settings:
          required_aal: highest_available
          ui_url: <http://localhost:3000/settings>
          privileged_session_max_age: 15m
          after:
            password:
              default_browser_return_url: <http://localhost:3000/test>
            totp:
              default_browser_return_url: <http://localhost:3000/settings/2fa-app>

error:

The configuration contains values or keys which are invalid:
  selfservice.flows.settings.after: map[totp:map[default_browser_return_url:<http://localhost:3000/settings/2fa-app]]>                                          
                                      ^-- additionalProperties "totp" not allowed

HIi team, Greetings to all, Actually I wanted to kow How can we implement singin with google or social media with oAuth in ory.sh I have implemented in teh custom sdk given ory.sh but actually not able to figure it out how to implement same with custom Nest js backend is there any oryCient I can do it? Can anyone help me with this ? Below is the demo code that I have implemented for ory.sh with Nest js for signin with google.

import { Controller, Get, Post, Body } from '@nestjs/common';
import axios from 'axios'; // For making HTTP requests

@Controller('auth')
export class AuthController {
  private readonly googleAuthEndpoint = '<https://www.googleapis.com/oauth2/v3/tokeninfo>';

  constructor(private readonly oryClient: OryClient) {} // Initialize your ORY client

  @Post('google-signin')
  async googleSignIn(@Body() { idToken, flowId }: { idToken: string; flowId: string }) {
    try {
      // Verify Google ID Token
      const { data } = await axios.get(`${this.googleAuthEndpoint}?id_token=${idToken}`);
      
      if (data) {
        // Create payload for ORY Hydra updateRegistrationFlow
        const body = {
          idToken,
          method: 'oidc',
          provider: 'google',
        };

        // Submit the updateRegistrationFlow endpoint with the payload
        await this.oryClient.getFrontendApi().updateRegistrationFlow({
          flow: flowId,
          updateRegistrationFlowBody: {
            oneOf: { value1: body },
          },
        });

        return { success: true, message: 'Google sign-in successful' };
      }
    } catch (error) {
      console.error('Google sign-in error:', error.message);
      return { success: false, message: 'Error signing in with Google' };
    }
  }
}

Please if anyone can help me with this it will be a great help thanks to you all, Warm Regards, Deepak A.M Yadav

can anyone help me in the above query?

Hi team, i have a deployed Ory (kratos+keto+oathkeeper) and my application in my kubernetes. I am looking for a way on how to work in localhost environment with my deployed Ory , as it is not working when i am testing it with my localhost application and calling my deployed backend api's protected by Ory

Hi team, is there a way to update the config using an API or the CLI (with the

ory patch

for example) in a self-hosted Ory? To avoid re-write the file, or overriding the config with Env variables...

i am using ory self service ui node ,how can i modify it's ui, means i want to add background image to my login and registration page,how can i modify the ui?

Hello, I have question regarding kratos identity schema. So currently I'm still trying to use kratos with the selfservice-node-ui. But how can I set a default value into a properties? This is my current config

"organization": {
          "title": "Organization ID",
          "type": "string",
          "format": "uuid",
          "default": "00000000-0000-0000-0000-000000000000",
          "<http://ory.sh/kratos|ory.sh/kratos>": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        }

I am trying to go for multitenancy as mentioned in the link https://www.ory.sh/docs/kratos/guides/multi-tenancy-multitenant As mentioned in the link , should i be creating multiple selfservice ui corresponding to each of the kratos and then configure the rules in oathkeeper?

For Keto, I see different imports depending on the webpage. Should we be using @ory/permission-namespace-types or @ory/keto-namespace-types?

Does anyone have good advice and experience making the leap from Hydra 1.x -> 2.x? Those db migrations (throwing everything in to

hydra_oauth2_flow

tables and the addition of

nid

make that migration take forever on larger loads and databases (for example, our

hydra_oauth2_consent_request_handled

table approaches 30MM rows. Smaller databases in test environments go just fine, but testing on a copy of our production database has been running for over 30 hours. Obviously 30 hours of downtime is something we can't handle (and I have some ideas for that), but I'm curious what has worked for others. We can't be the only ones in this position? We don't want to delete too much from

hydra_oauth2_consent_request_handled

since we don't want to reset consent state for our users if we can help it. Our

hydra_oauth2_authentication_request

is over 100MM rows, so we have a process right now to get rid of "dangling" requests (i.e. those that are more than a week old and don't have a

hydra_oauth2_login_request_handled

associated with it), but that's slow going

Hola, quick question! 🙂 Is there a way to see if a Kratos user has 2fa configured. So not if they're logged in using 2fa, but if they have it set up?

And the other one should be something like

COURIER_SMTP_CONNECTION_URI

dsn is

DSN

Hi Yes all config can be pass through env variable

Hi team, We installed kratos via helm on our k8s cluster. We use external secrets operator to get secrets from external secret management systems. As the following files are required in values file - kratos.config.dsn - kratos.config.courier.smtp.connection_uri Is there a better way to set this variables without exposing the sensitive info to values file

Hello every, Starting to play with Keto and got a question regarding OPL. Reading the documentation, the example are all written using Typescript (e.g. https://www.ory.sh/docs/keto/modeling/create-permission-model). But how do I deploy them on self-hosted Keto instance? When having a look a the examples (e.g. https://www.ory.sh/docs/keto/quickstart) in GitHub all relation tuples are defined using JSON. The keto CLI itself only knows JSON (https://www.ory.sh/docs/keto/cli/keto-relation-tuple-create) whereas the ory cli knows TS (https://github.com/ory/keto/blob/master/README.md#create-a-namespace-with-the-ory-permission-language). Tried using the Ory Console, where the Permission Rules are defines using TS. Now I'd like to do this using the self-hosted Keto. As of now I couldn't get any hints in the documentation regarding this topic. Thanks for your help.

Has anyone used Ory in past with a FastAPI backend and Next.js(App router) frontend? I am working on a web-app and want to implement features for my users such as: • sign in with Google • sign in with Facebook • passwordless signin • username password signin • etc. I came to know about Ory from a blogpost, and am wondering if people have experience integrating Ory with a fastapi and nextjs project.. how did it go.. any gotchas.. looking for relevant documentation/tutorials/guides/links etc. I am interested in self-hosting for now. If someone can guide me with very high level steps that I need to take, I should be able to get going. Thanks in advance 🙏

Maybe someone knows this issue? https://ory-community.slack.com/archives/C012RJ2MQ1H/p1697204842824689

Hello everyone, I’ve recently switched from Hydra v1 to v2 (version 2.1.2). However, I’ve started to encountered a CORS issue when making admin API calls from my frontend code. Despite having debug mode set to true, I’m not receiving any debug logs related to CORS. It’s worth noting that the same CORS configuration works perfectly fine with v1. I would greatly appreciate it if someone could assist me in identifying what might be causing this issue. Thanks in advance. Here’s my CORS configuration and the logs for the OPTIONS call to Hydra:

serve:
  admin:
    cors:
      enabled: true
      debug: true
      allowed_origins:
        - <http://127.0.0.1:8082>
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type
  public:
    cors:
      enabled: true
      debug: true
      allowed_origins:
        - <http://127.0.0.1:8082>
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type

logs

time=2023-10-10T10:24:08Z level=info msg=started handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br accept-language:en-GB,en-US;q=0.9,en;q=0.8 access-control-request-headers:content-type access-control-request-method:PUT connection:keep-alive origin:<http://127.0.0.1:8082> referer:<http://127.0.0.1:8082/> sec-fetch-dest:empty sec-fetch-mode:cors sec-fetch-site:same-site user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36] host:127.0.0.1:4445 method:OPTIONS path:/admin/oauth2/auth/requests/login/accept query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:192.168.65.1:38544 scheme:http]
time=2023-10-10T10:24:09Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br accept-language:en-GB,en-US;q=0.9,en;q=0.8 access-control-request-headers:content-type access-control-request-method:PUT connection:keep-alive origin:<http://127.0.0.1:8082> referer:<http://127.0.0.1:8082/> sec-fetch-dest:empty sec-fetch-mode:cors sec-fetch-site:same-site user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36] host:127.0.0.1:4445 method:OPTIONS path:/admin/oauth2/auth/requests/login/accept query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:192.168.65.1:38544 scheme:http] http_response=map[headers:map[allow:OPTIONS, PUT] size:0 status:0 text_status: took:23.40675ms]

Hi guys, Could you please take a look at it and let me know if that is expected or not? https://github.com/ory/hydra/issues/3643

Update: REST API works pretty well. I created relation using this endpoint 127.1.27.3:80/admin/relation-tuples