# talk-kratos
a
Hello! I am not really familiar with best practices when it comes to authenticating a user against Kratos, and I tend to overoptimize my stuff, so I wanted to ask how bad of a practice it is to verify a user's session on every single request by querying the whoami endpoint? I am building a GraphQL API and I plan on directly using the cookies set by Kratos to authenticate the user; that would involve a whoami request every time the end user does something using my API.
w
I suppose the best answer to this would be a generic YMMV. Doing a direct whoami for every request may fit right within a satisfactory operating SLA for your use case. It depends. If hitting the whoami endpoint causes undesirable bottlenecking (almost certainly at some point the bottleneck will be the DB, regardless of which you choose), you can always make use of the `session.whoami.tokenizer.templates` key of the `kratos.yml` configuration to tokenize your Kratos cookie. Also, Oathkeeper has a configuration for defining mutators, which (as their name implies) mutate the session token to various alternate forms (i.e., JWT). Links below should assist a little bit.

https://www.ory.sh/docs/identities/session-to-jwt-cors
https://www.ory.sh/docs/oathkeeper/pipeline/mutator
a
Thank you very much for your answer, that clears things up massively!
w
Keep in mind, if you go the route of `session.whoami.tokenizer.templates`, you will likely chase your tail for a few hours trying to figure out why Kratos refuses to accept what appears to be perfectly valid configuration. The secret lies in `bash ./script/render-schemas.sh`. Doing this will update your local `.schemastore/config.schema.json` to a more recent version of the configuration schema which supports `session.whoami.tokenizer.template`. While the code supports processing that key, for some reason, the master version of Kratos' config schema validation does not.
a
Thanks for the warning, I definitely would have hit my head on my desk a few times before I found that out myself.