# talk-kratos
Hi 👋 we have a self-hosted Kratos instance and for one use-case we call the `/admin/recovery/code` endpoint to create a recovery code (via another service in our cluster), which is later given to the user via email. The problem: when following this recovery from the email, the end user can inspect sensitive information from the infrastructure, like the `request_url` (you can inspect that in the network tab, example: `https://kratos-admin.namespace.svc.cluster.local:PORTNUMBER/admin/recovery/code`), which is something everyone wants to prevent. I tried to apply some configuration via the Helm Chart, but that had no effect (and I also see no matching config for this). IMO, the cause is rather simple: the requested URL is technically correct, but in a self-hosted scenario, with a non-public admin service, the info should be somehow anonymized, but isn't. Any advice? 🙏