https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> when oathkeeper verifies a session ...
# ory-copilot
b
@chilly-king-10285 when oathkeeper verifies a session cookie with kratos, can it at the same time query if the user in question has verified all their verifiable addresses?
c
A message from kapa.ai
No, Ory Oathkeeper does not directly query if a user has verified all their verifiable addresses when it verifies a session cookie with Kratos. Oathkeeper's primary role is to authenticate and authorize requests, not to check the verification status of user addresses. However, once a session is established, the session information, which includes the user's identity and the status of their verifiable addresses, can be retrieved from Kratos. This can be done by making a request to the 
<http://127.0.0.1/sessions/whoami>
endpoint with the session token or cookie. The response will include the 
identity
object, which contains the 
verifiable_addresses
array. Each item in this array represents a verifiable address and includes a 
verified
field that indicates whether the address has been verified. Here is an example of how to check the session information:
Copy code
bash curl -s -H "Authorization: Bearer svX8bE9HTiVpMr7r55TtKtcOkLRhAq1a" \  <https://playground.projects.oryapis.com/sessions/whoami> | jq
In the response, you can check the 
verified
field for each item in the 
verifiable_addresses
array:
Copy code
json "verifiable_addresses": [   {     "id": "3ba119c6-4e9a-466c-8910-40b238229aa6",     "value": "[[email protected]](<https://www.ory.sh/cdn-cgi/l/email-protection>)",     "verified": false,     "via": "email",     "status": "pending",     "verified_at": null   } ]
In this example, the 
verified
field is 
false
, which means the address has not been verified. Please note that this process does not happen automatically in Oathkeeper and would need to be implemented in your application logic. Sources: - [Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login#api-clients) - [Oathkeeper Authenticators](https://www.ory.sh/docs/oathkeeper/pipeline/authn#cookie_session-configuration)
b
@chilly-king-10285 this is on an inbound request to a backend api that oathkeeper is authenticating against kratos, and I'd rahter verify in the backend if the user has verified their addresses, what's the best way to do that?
c
A message from kapa.ai
To verify if a user has verified their addresses in your backend API, you can use the session token provided by Ory Kratos to fetch the session information, which includes the verification status of the user's addresses. Here's a step-by-step guide on how you can do this: 1. When a request comes into your backend API, it should include the Ory Session Token in the 
Authorization
header. 2. Use this session token to make a request to the Kratos 
/sessions/whoami
endpoint. This will return the session information, including the user's identity and the status of their verifiable addresses. Here's an example of how to make this request using `curl`:
Copy code
bash curl -s -H "Authorization: Bearer {session_token}" \  <https://playground.projects.oryapis.com/sessions/whoami> | jq
Replace 
{session_token}
with the actual session token. 3. In the response, look for the 
verifiable_addresses
array in the 
identity
object. Each item in this array represents a verifiable address and includes a 
verified
field that indicates whether the address has been verified. Here's an example of what this part of the response might look like:
Copy code
json "verifiable_addresses": [   {     "id": "3ba119c6-4e9a-466c-8910-40b238229aa6",     "value": "[[email protected]]",     "verified": false,     "via": "email",     "status": "pending",     "verified_at": null   } ]
In this example, the 
verified
field is 
false
, which means the address has not been verified. 4. Based on the 
verified
field, you can then implement your own logic to handle the request depending on whether the user has verified their addresses. Please note that this process does not happen automatically in Ory Oathkeeper and would need to be implemented in your application logic. Sources: - [Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login#api-clients) - [Oathkeeper Authenticators](https://www.ory.sh/docs/oathkeeper/pipeline/authn#cookie_session-configuration)
b
@chilly-king-10285 at the moment oathkeeper is just passing an X-User header to the backend
c
A message from kapa.ai
If Ory Oathkeeper is currently passing an 
X-User
header to your backend, it means that a mutator is configured to add this header. The 
X-User
header typically contains the user's ID or some other identifier. However, Oathkeeper itself does not provide detailed user information such as the verification status of user addresses. To get this information, your backend will need to make an additional request to Ory Kratos using the session token. Here's how you can do this: 1. Extract the session token from the 
Authorization
header of the incoming request. 2. Use this session token to make a request to the Kratos 
/sessions/whoami
endpoint. This will return the session information, including the user's identity and the status of their verifiable addresses. Here's an example of how to make this request using `curl`:
Copy code
bash curl -s -H "Authorization: Bearer {{session_token}}" \  <https://playground.projects.oryapis.com/sessions/whoami> | jq
Replace 
{{session_token}}
with the actual session token. 3. In the response, look for the 
verifiable_addresses
array in the 
identity
object. Each item in this array represents a verifiable address and includes a 
verified
field that indicates whether the address has been verified. Here's an example of what this part of the response might look like:
Copy code
json "verifiable_addresses": [   {{     "id": "3ba119c6-4e9a-466c-8910-40b238229aa6",     "value": "[[email protected]]",     "verified": false,     "via": "email",     "status": "pending",     "verified_at": null   }} ]
In this example, the 
verified
field is 
false
, which means the address has not been verified. 4. Based on the 
verified
field, you can then implement your own logic to handle the request depending on whether the user has verified their addresses. Please note that this process does not happen automatically in Ory Oathkeeper and would need to be implemented in your application logic. Sources: - [Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login#api-clients) - [Oathkeeper Authenticators](https://www.ory.sh/docs/oathkeeper/pipeline/authn#cookie_session-configuration)
f
I have build something similar with go templates:
Copy code
X-Verified-Email: |
                  {{- $all := len .Extra.identity.verifiable_addresses -}}
                  {{- $verified := 0 -}}
                  {{- range .Extra.identity.verifiable_addresses}}{{ if .verified }}{{ $verified = add $verified 1}}{{end}}{{end -}}
                  {{- eq $verified $all -}}
Maybe it helps as a starting point
b
backend does something like
Copy code
if (request.headers["x-user"]?.length) {
      await identityApi
        .getIdentity({
          id: request.headers["x-user"],
        })
        .then((resp: any) => {
          const identity: Identity = resp.data;
          identity?.verifiable_addresses?.every(
            (verifiable_address) => verifiable_address.verified
          )
            ? Promise.resolve
            : reply.code(403).send("User must verify their email or phone");
        });
    } else {
      reply.code(400).send("Missing required header");
    }
and its a global pre-request hook
f
Sure, but then it reaches your backend and you need to lookup the identity too. With the go template, you could just look at the headers that oathkeeper set, and reject. No need to request the identity
b
gun fingers
4 Views
Open in Slack
PreviousNext
Powered by