quick-addition-90714
11/21/2024, 4:26 PMactive
state for when creating an identity in Kratos?brief-egg-61061
11/21/2024, 4:26 PMbrief-egg-61061
11/21/2024, 4:26 PMactive
state when creating an identity in Kratos. When creating an identity in Ory Kratos, the active
state is one of the possible values for the state
field of an identity. According to the [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api), the state
field is described as follows: > State is the identity's state. > > This value has currently no effect. > active StateActive > inactive StateInactive The active
state indicates that the identity is in an active state. However, it's important to note that the documentation explicitly mentions that this value currently has no effect on the system's behavior. When creating an identity, you can set the state
field to either active
or inactive
. The active
state is typically used to represent a fully functional and usable identity within the system, although its practical impact is not currently implemented. It's worth mentioning that while you can set this state when creating an identity, its actual functionality may be reserved for future use or system enhancements in Ory Kratos.quick-addition-90714
11/21/2024, 4:32 PMbrief-egg-61061
11/21/2024, 4:32 PMbrief-egg-61061
11/21/2024, 4:33 PM/clients
endpoint for OpenID Connect Dynamic Client Registry, you can do so but you need to properly secure these endpoints with an API Gateway or Authorization Proxy." Administrative endpoints include: - All /clients
endpoints - All /keys
endpoints - All /health
, /admin/metrics/prometheus
, /admin/version
endpoints - All /oauth2/auth/requests
endpoints - Endpoint /oauth2/introspect
- Endpoint /oauth2/flush
It's important to note that none of the administrative endpoints have any built-in access control. This means that if you expose these endpoints, you need to implement your own security measures. For Ory Kratos: The setup is similar. As mentioned in the [Ory Kratos deployment guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-and-configure-nginx): Ory Kratos also uses two ports: - Public API (default 4433) - Admin API (default 4434) The guide recommends using a reverse proxy (like Nginx) to manage access to these APIs. For the admin API, it suggests implementing access control. Here's an example from the Nginx configuration: nginx location /admin { # Example of managing access control # for the /admin endpoint # in that example we allow access # either from the subnet # or by checking query parameter ?secret= set $allow 0; # Check against remote address if ($remote_addr ~* "172.24.0.*") { set $allow 1; } # Check against ?secret param if ($arg_secret = "GuQ8alL2") { set $allow 1; } if ($allow = 0) { return 403; } rewrite /admin/(.*) /$1 break; proxy_pass <http://admin_api>; # ... other proxy settings ... }
In conclusion, while the admin routes are designed to be accessed through the admin port, they don't inherently block access. However, it's crucial to implement proper security measures to protect these sensitive endpoints. The recommended approach is to use a reverse proxy or API gateway to control access to the admin routes, rather than relying solely on the port separation.quick-addition-90714
11/21/2024, 4:55 PMbrief-egg-61061
11/21/2024, 4:55 PMbrief-egg-61061
11/21/2024, 4:56 PMcredentials
object, which can contain a password
field. Here's the relevant part of the schema: json "credentials": { "password": { "config": { "password": { "description": "The password in plain text if no hash is available.", "type": "string" }, "hashed_password": { "description": "The hashed password in [PHC format]", "type": "string" } } } }
This means that when creating a user via the admin API, you have three options regarding the password: 1. Provide a plain text password in the password
field. 2. Provide a hashed password in the hashed_password
field. 3. Don't provide any password at all. If you don't provide a password when creating the user, no password will be set for that user. This is confirmed by the [Ory documentation on importing user accounts](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#importing-credentials), which shows an example of creating an identity with a password: json { "schema_id": "<preset://email>", "traits": { "email": "[[email protected]](<https://www.ory.sh/cdn-cgi/l/email-protection>)" }, "credentials": { "password": { "config": { "password": "the-password" } } } }
In this example, the password "the-password" is explicitly provided in the request. To summarize, when creating a user via the admin API, Ory will not automatically create a password for that user. You need to explicitly provide the password in the request if you want one to be set during user creation.quick-addition-90714
11/21/2024, 5:00 PMbrief-egg-61061
11/21/2024, 5:00 PMbrief-egg-61061
11/21/2024, 5:00 PMPUT /admin/identities/{id}
endpoint. According to the [Ory API Reference](https://www.ory.sh/docs/reference/api), this endpoint allows updating an identity's credentials. The request body would include the password information in the credentials
object, similar to the creation process. 2. Through the self-service Settings Flow: This is the method that allows users to set or update their own passwords. The [Settings Flow documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings) explains that users can update their password using the password
method in the Settings Flow. Here's how the self-service flow works: 1. The user initiates a Settings Flow. 2. Ory Kratos provides a form with the necessary fields for updating the password. 3. The user submits the form with their new password. The [Settings Flow documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#update-password) provides an example of what the password update form looks like in the API response: json { "type": "input", "group": "password", "attributes": { "name": "password", "type": "password", "required": true, "disabled": false }, "messages": [], "meta": { "label": { "id": 1070001, "text": "Password", "type": "info" } } }
It's important to note that if you're using this method for users who don't have a password set yet, you might need to implement a custom flow in your application to guide them through the process of setting their initial password. Remember, when updating passwords, Ory Kratos applies the configured password policy to ensure the new password meets the required security standards. In summary, passwords can be set after user creation either by an administrator using the admin API or by the users themselves through the self-service Settings Flow.quick-addition-90714
11/21/2024, 6:23 PMbrief-egg-61061
11/21/2024, 6:23 PMbrief-egg-61061
11/21/2024, 6:24 PMcode
)
- Recovery by magic links (link
)
The code
method is the default and recommended approach. As stated in the [Account Recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset):
"One-time code" (code
) is the default, preferred, and recommended method by Ory.
3. User Input:
The user is presented with a form to enter their recovery address (usually an email). According to the [Quickstart guide](https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout):
"The next screen shows a HTML form where you enter your email address"
4. Recovery Message:
Ory Kratos sends a recovery message (email or SMS) containing either a one-time code or a magic link, depending on the configured method.
5. Verification:
The user verifies their identity by either:
- Entering the one-time code on the recovery page
- Clicking the magic link in the email (if using the link
method)
6. Password Reset:
After successful verification, the user receives a [privileged session](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset) and is taken to the account settings page where they can set a new password.
7. Completion:
Once the new password is set, the user can log in with their new credentials.
The actual implementation of the recovery UI is customizable. You can create your own UI using the Ory Kratos API. Here's an example of how you might implement the recovery page using React:
jsx
import { UserAuthCard } from "@ory/elements"
export default function Recovery() {
return (
<UserAuthCard
title="Recovery"
flowType="recovery"
/>
)
}
This example is from the [Ory Elements documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-ory-elements#recovery-page) and shows how to create a recovery page using Ory's pre-built components.
It's worth noting that you can configure additional behaviors, such as invalidating other sessions after a successful recovery. This can be done using the after_recovery
hook, as described in the [Account Recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions).brief-egg-61061
11/21/2024, 6:24 PMcode
) - Recovery by magic links (link
) The code
method is the default and recommended approach. As stated in the [Account Recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset): "One-time code" (code
) is the default, preferred, and recommended method by Ory. 3. User Input: The user is presented with a form to enter their recovery address (usually an email). According to the [Quickstart guide](https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout): "The next screen shows a HTML form where you enter your email address" 4. Recovery Message: Ory Kratos sends a recovery message (email or SMS) containing either a one-time code or a magic link, depending on the configured method. 5. Verification: The user verifies their identity by either: - Entering the one-time code on the recovery page - Clicking the magic link in the email (if using the link
method) 6. Password Reset: After successful verification, the user receives a [privileged session](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset) and is taken to the account settings page where they can set a new password. 7. Completion: Once the new password is set, the user can log in with their new credentials. The actual implementation of the recovery UI is customizable. You can create your own UI using the Ory Kratos API. Here's an example of how you might implement the recovery page using React: jsx import { UserAuthCard } from "@ory/elements" export default function Recovery() { return ( <UserAuthCard title="Recovery" flowType="recovery" /> ) }
This example is from the [Ory Elements documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-ory-elements#recovery-page) and shows how to create a recovery page using Ory's pre-built components. It's worth noting that you can configure additional behaviors, such as invalidating other sessions after a successful recovery. This can be done using the after_recovery
hook, as described in the [Account Recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions). In summary, password resetting in Ory Kratos is handled through the account recovery flow, which involves user verification via a one-time code or magic link, followed by setting a new password in a privileged session.quick-addition-90714
11/21/2024, 6:28 PMbrief-egg-61061
11/21/2024, 6:28 PMbrief-egg-61061
11/21/2024, 6:28 PMbash curl --request POST -sL \ --header "Authorization: Bearer {ORY_API_KEY}" \ --header "Content-Type: application/json" \ --data '{ "schema_id": "<preset://email>", "traits": { "email": "$USER_EMAIL_ADDRESS" } }' https://{project-slug}.<http://projects.oryapis.com/admin/identities|projects.oryapis.com/admin/identities>
2. Trigger account recovery: After creating the account, the admin initiates the account recovery process for this user. bash curl --request POST -sL \ --header "Authorization: Bearer {ORY_API_KEY}" \ --header "Content-Type: application/json" \ --data '{ "expires_in": "12h", "identity_id": "$ACCOUNT_ID" }' https://{project-slug}.<http://projects.oryapis.com/admin/recovery/link|projects.oryapis.com/admin/recovery/link>
3. Send invitation: The admin then sends the recovery link obtained from the API response to the user's email address. This link acts as an invitation. 4. User sets credentials: When the user clicks on the recovery link, they are prompted to perform account recovery, which forces them to define new credentials (including a password). 5. Account activation: After setting the credentials, the user gets a fully functional account with the credentials they defined. This process allows you to simulate invitations even when public registration is disabled. It ensures that only users invited by an admin can create accounts, while still allowing those users to set their own passwords securely. It's important to note that this process requires custom code to automate these steps, as mentioned in the documentation: "Automating this process requires writing custom code that relies on the specifics of your implementation." Also, remember that admin API calls don't trigger Ory Actions, so any custom logic you want to apply during this process needs to be handled in your application code. [Source: Ory Documentation - Invite Users](https://www.ory.sh/docs/kratos/manage-identities/invite-users) This approach provides a secure way to invite users to your application while maintaining control over who can create accounts.quick-addition-90714
11/23/2024, 9:41 AMbrief-egg-61061
11/23/2024, 9:41 AMbrief-egg-61061
11/23/2024, 9:41 AMcode
) - This is the default and recommended method. - Magic links (link
) - This is considered a legacy solution. 3. User Input: The user is presented with a form to enter their recovery address (usually an email). 4. Recovery Message: Kratos sends a recovery message to the user's recovery address. This message contains either: - A one-time code (if using the code
method) - A magic link (if using the link
method) 5. Verification: The user verifies their identity by either: - Entering the one-time code on the recovery page - Clicking the magic link in the email (if using the link
method) 6. Privileged Session: After successful verification, the user receives a privileged session. As the documentation states: "When the user accesses the configured recovery method, they receive a [privileged session](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions) and are taken to their account's settings page where they must create a new password to regain access to their account." 7. Password Reset: The user is directed to the account settings page where they can set a new password. 8. Completion: Once the new password is set, the user can log in with their new credentials. It's important to note that this process doesn't reset the user's second authentication factor if multi-factor authentication is enabled. Additionally, you can configure Kratos to invalidate other active sessions when a successful recovery occurs. This can be done using the after_recovery
hook, as described in the [Account Recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions). Remember, the actual implementation of the recovery UI is customizable. You need to create your own UI that interacts with the Ory Kratos API to guide the user through this process. In summary, activating an account reset in Kratos involves initiating the account recovery flow, which then leads to a series of steps including user verification, privileged session creation, and password reset.quick-addition-90714
11/23/2024, 10:10 AMbrief-egg-61061
11/23/2024, 10:10 AMbrief-egg-61061
11/23/2024, 10:10 AMprivileged_session_max_age
value." 4. Implementation Examples: In the [Custom UI with Ory Elements documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-ory-elements#settings-page), there's an example of how to implement a protected settings page: jsx import { UserAuthCard } from "@ory/elements" export default function Settings() { return ( <UserAuthCard title="Settings" flowType="settings" /> ) }
This component inherently handles the authentication check. 5. Server-Side Protection: For server-side applications, you typically need to implement middleware to check for a valid session before rendering the settings page. An example from the [PHP integration guide](https://www.ory.sh/docs/getting-started/integrate-auth/php#validate-and-login) shows how to validate a session: php public function validateSession(){ $cookies = ""; foreach ($_COOKIE as $key=>$value) { $cookies .= "$key=$value;"; } try { $session = $this->ory->toSession("", $cookies); if (! $session["active"]) throw new Exception('Session expired'); } catch (Exception $e) { header("Location: /.ory/self-service/login/browser", true, 303); die(); } $this->session = $session; }
While this example is for a dashboard, a similar approach would be used for the settings page. In conclusion, the settings page in Ory Kratos is indeed a protected page that requires authentication. It's designed to ensure that only logged-in users can access and modify their own settings, with additional security measures for sensitive operations.quick-addition-90714
11/25/2024, 7:44 PMbrief-egg-61061
11/25/2024, 7:44 PMbrief-egg-61061
11/25/2024, 7:44 PMcode
) and magic links (link
). The one-time code method, which is what you're asking about, is the default, preferred, and recommended method by Ory. According to the [Account Recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset), when using the code
method for account recovery: 1. The system sends a one-time code to the recovery address defined by the user (typically an email address). 2. The user must enter this code on the recovery page to confirm their identity and ownership of the account. While the exact format of the code isn't specified in the provided documentation, we can infer some characteristics based on common practices and an example from the [Administrative Account Recovery documentation](https://www.ory.sh/docs/kratos/manage-identities/account-recovery): 1. The code is typically a string of characters or numbers. 2. It's designed to be short enough to be easily entered by the user, but long enough to be secure. 3. An example of a recovery code format is shown in the API response: json { "recovery_code": "76453943", ... }
In this example, the recovery code is an 8-digit number. It's worth noting that the actual implementation of how this code is displayed to the user depends on your custom UI. You would need to create a form where the user can input this code. Remember, this one-time code is temporary and expires after a set period. The expiration time can be configured when initiating the recovery process. Lastly, it's important to mention that while Ory supports the "magic links" method, it's considered a legacy solution and is set to be removed in future releases. The one-time code method is preferred as it mitigates many of the drawbacks associated with magic links.quick-addition-90714
11/25/2024, 7:45 PMbrief-egg-61061
11/25/2024, 7:45 PMbrief-egg-61061
11/25/2024, 7:45 PMcode
) - Magic links (link
) 2. Delivery: The documentation states that when the account recovery flow is initiated, "the system sends a link or a one-time code to the recovery address defined by the user." 3. Recovery Address: The [Identity Schema Extensions documentation](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#recovery-address) shows that recovery addresses can be configured for email or SMS: json { "<http://ory.sh/kratos|ory.sh/kratos>": { "recovery": { "via": "email" } } }
or json { "<http://ory.sh/kratos|ory.sh/kratos>": { "recovery": { "via": "sms" } } }
4. Custom Integration: While not specifically mentioning webhooks, the [Administrative Account Recovery documentation](https://www.ory.sh/docs/kratos/manage-identities/account-recovery) notes that "Automating this process requires writing custom code that relies on the specifics of your implementation." Given this information, it appears that by default, account recovery codes are not shared via webhooks. They are typically sent directly to the user's recovery address (email or SMS). However, Ory's flexibility and support for custom implementations mean that it might be possible to integrate webhook functionality if required for your specific use case. If you need to implement webhook functionality for recovery codes, you would likely need to create a custom solution using Ory's APIs and your own webhook implementation. To get definitive information on this, you may want to consult the Ory support channels or documentation for any advanced integration options that might not be covered in the provided knowledge sources.quick-addition-90714
11/26/2024, 6:45 PMbrief-egg-61061
11/26/2024, 6:45 PMbrief-egg-61061
11/26/2024, 6:45 PMexpires_in
parameter. This parameter defines how long the recovery code or link is valid. For example: json { "expires_in": "12h", "identity_id": "e01b5f2f-6afc-4194-8578-4cebcf69a4d5" }
2. Default Lifespan: In the [Configuration section](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#configuration) of the Account Recovery documentation, it's mentioned that there's a default lifespan for recovery flows: yaml selfservice: flows: recovery: enabled: true lifespan: 15m # Defines how much time the user has to complete the recovery flow in the UI. Default: 1h.
This indicates that recovery flows are designed to have a limited lifespan by default. 3. Security Considerations: Having an expiration time for recovery flows is a security best practice. It limits the window of opportunity for potential attackers to exploit a recovery code or link. Given this information, it doesn't appear to be possible or recommended to create a recovery flow without a retention period in Ory Kratos. The system is designed with built-in expiration mechanisms for security reasons. If you have a specific use case that requires a recovery flow without a retention period, you might need to consider alternative approaches or consult with Ory support for potential custom solutions. However, it's important to carefully consider the security implications of such a request.quick-addition-90714
11/26/2024, 6:47 PMbrief-egg-61061
11/26/2024, 6:47 PMbrief-egg-61061
11/26/2024, 6:47 PMyaml selfservice: methods: code: config: lifespan: 15m # Defines how long the code or link are valid for. Default: 1h.
This means that by default, the recovery code or link is valid for 1 hour after it's been sent to the user. 2. Recovery Flow Completion: This is the time the user has to complete the recovery flow in the UI after they've opened the link or entered the code. The documentation states: yaml selfservice: flows: recovery: lifespan: 15m # Defines how much time the user has to complete the recovery flow in the UI. Default: 1h.
This means that once the user has initiated the recovery process by clicking the link or entering the code, they have 1 hour by default to complete the process. So, to directly answer your question: The default lifespan you're referring to (1 hour) applies to both scenarios. It's the time the code/link remains valid before use, and also the time the user has to complete the recovery process after initiating it. It's important to note that these values can be configured separately, allowing you to set different durations for the code/link validity and the recovery flow completion time if needed. [Source: Ory Kratos Account Recovery Configuration](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#configuration)quick-addition-90714
11/26/2024, 7:13 PMbrief-egg-61061
11/26/2024, 7:13 PMbrief-egg-61061
11/26/2024, 7:15 PMquick-addition-90714
11/26/2024, 7:24 PMbrief-egg-61061
11/26/2024, 7:24 PMbrief-egg-61061
11/26/2024, 7:24 PMquick-addition-90714
11/26/2024, 7:36 PMbrief-egg-61061
11/26/2024, 7:36 PMbrief-egg-61061
11/26/2024, 7:37 PMyaml selfservice: flows: recovery: after: hooks: - hook: revoke_active_sessions
Remember, the exact user experience might vary depending on your specific UI implementation and any custom configurations you've set up in your Ory Kratos instance.quick-addition-90714
12/05/2024, 6:49 PMbrief-egg-61061
12/05/2024, 6:49 PMbrief-egg-61061
12/05/2024, 6:49 PMoAuth2RedirectTo
object. This object contains a redirect_to
URL. Here's what it looks like: json { "description": "Contains a redirect URL used to complete a login, consent, or logout request.", "properties": { "redirect_to": { "description": "RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed.", "type": "string" } }, "required": ["redirect_to"], "title": "OAuth 2.0 Redirect Browser To", "type": "object" }
The purpose of this redirect URL is to guide the user's browser to the next step in the OAuth 2.0 flow after the current process (in this case, the consent request) has been completed or has become invalid. When you receive a 410 status code, it typically means that the consent request you're trying to fetch is no longer available or valid. This could happen for several reasons, such as: 1. The consent request has expired. 2. The consent request has already been processed (accepted or rejected). 3. The consent request has been invalidated for some other reason. In these cases, instead of returning an error that might leave the user stuck, Hydra provides a redirect URL. This URL is where you should redirect the user's browser to continue the OAuth 2.0 flow properly. The exact destination of this redirect URL can vary depending on the state of the OAuth 2.0 flow and your specific configuration. It might lead the user back to the beginning of the flow, to an error page, or to the next appropriate step in the authentication process. To use this redirect URL, your application should check for the 410 status code when fetching a consent request. If encountered, extract the redirect_to
URL from the response and use it to redirect the user's browser. [Source: Hydra API Reference](https://www.ory.sh/docs/hydra/reference/api)quick-addition-90714
12/07/2024, 10:38 AMbrief-egg-61061
12/07/2024, 10:38 AMbrief-egg-61061
12/07/2024, 10:39 AMsession
object in the body of the PUT call to accept a consent challenge is used to set session data for the access token, refresh token, and ID token. This allows you to include custom claims or information in the tokens that will be issued as a result of the consent process. According to the [Hydra API Reference](https://www.ory.sh/docs/hydra/reference/api), the session
object in the request body for accepting an OAuth 2.0 consent request has two main properties: 1. `access_token`: This sets session data for the access and refresh tokens, as well as any future tokens issued by the refresh grant. The documentation notes: "AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection. If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!" 2. `id_token`: This sets session data specifically for the OpenID Connect ID token. The documentation warns: "IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session's payloads are readable by anyone that has access to the ID Challenge. Use with care!" Here's an example of how you might use the session
object in practice, based on the [OAuth2 custom login and consent flow documentation](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example): javascript const session = await createOAuth2ConsentRequestSession( grantScope, body, identity ); return oauth2.acceptOAuth2ConsentRequest({ consentChallenge: challenge, acceptOAuth2ConsentRequest: { grant_scope: grantScope, grant_access_token_audience: body.requested_access_token_audience, session: session, remember: Boolean(req.body.remember), remember_for: process.env.REMEMBER_CONSENT_FOR_SECONDS ? Number(process.env.REMEMBER_CONSENT_SESSION_FOR_SECONDS) : 3600, }, });
In this example, the session
object is created based on the granted scopes and other information, and then included in the request to accept the consent challenge. By using the session
object, you can customize the claims and information included in the various tokens issued as part of the OAuth 2.0 and OpenID Connect flows, allowing for more flexible and feature-rich implementations of these protocols.quick-addition-90714
12/25/2024, 4:13 PMbrief-egg-61061
12/25/2024, 4:13 PMbrief-egg-61061
12/25/2024, 4:13 PMbase_url
, ui_url
, and allowed_return_urls
. For example: yaml serve: public: base_url: <https://your-domain.com/kratos/> admin: base_url: <https://internal-domain.com/kratos-admin/>
2. Security Settings: - Enable CORS with proper settings for production. - Set appropriate allowed_return_urls
for your production environment. 3. Self-service Flows: - Consider enabling verification and recovery flows for production: yaml verification: enabled: true ui_url: <https://your-domain.com/verification> recovery: enabled: true ui_url: <https://your-domain.com/recovery>
- Enable registration if needed: yaml registration: enabled: true ui_url: <https://your-domain.com/registration>
4. Logging: For production, you might want to change the log level: yaml log: level: info
5. Secrets: Add a secrets
section with secure, randomly generated secrets: yaml secrets: cookie: - SECURE-RANDOM-SECRET cipher: - ANOTHER-SECURE-RANDOM-SECRET
6. Database: Add a dsn
configuration to use a production-grade database like PostgreSQL: yaml dsn: <postgres://user:password@localhost:5432/database?sslmode=require>
7. Hashers: The Argon2 settings should be adjusted for production: yaml hashers: argon2: parallelism: 1 memory: 128MB iterations: 3 salt_length: 16 key_length: 32
8. OAuth2 Provider: Ensure the Hydra URL is using HTTPS: yaml oauth2_provider: url: <https://hydra-internal.your-domain.com:4445>
9. Session: Add session configuration for production: yaml session: cookie: secure: true same_site: Lax
10. SMTP: If you're using email functionality, add SMTP configuration: yaml courier: smtp: connection_uri: <smtps://user:password@mail.your-domain.com:587>
Remember to follow security best practices, such as not exposing the admin API to the public internet, as mentioned in the [Ory Kratos production guide](https://www.ory.sh/docs/kratos/guides/production#security). Also, consider using environment variables for sensitive information like database credentials and secrets. For a comprehensive production setup, refer to the [Ory Kratos deployment guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example) which provides detailed instructions on setting up Kratos for production environments.quick-addition-90714
12/25/2024, 4:15 PMbrief-egg-61061
12/25/2024, 4:15 PMbrief-egg-61061
12/25/2024, 4:15 PMyaml
serve:
public:
base_url: <https://public.example.com/>
cors:
enabled: true
allowed_origins:
- <https://app.example.com>
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Authorization
- Content-Type
exposed_headers:
- Content-Type
- Set-Cookie
admin:
base_url: <https://admin.example.com/>
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL
session:
lifespan: 24h
cookie:
same_site: Lax
hashers:
argon2:
parallelism: 1
memory: 128MB
iterations: 3
salt_length: 16
key_length: 32
# ... other configurations ...
Now, let's explain the purpose of each section:
1. Session:
The session configuration controls how Ory Kratos manages user sessions. According to the [Session Management documentation](https://www.ory.sh/docs/kratos/session-management/overview), sessions represent authenticated users. In the example, we set:
- `lifespan`: Determines how long a session remains valid.
- `cookie`: Configures how the session cookie behaves. The same_site
setting helps prevent CSRF attacks.
2. Hash:
The hashers
section configures how passwords are hashed. Ory Kratos uses Argon2 for password hashing, as shown in the [Configuration Reference](https://www.ory.sh/docs/kratos/reference/configuration). The settings control:
- `parallelism`: Number of threads to use
- `memory`: Memory usage
- `iterations`: Number of iterations
- salt_length
and `key_length`: Affect the security of the hash
3. Secrets:
The secrets
section is crucial for security. As mentioned in the [Deploy to Production guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#secure-secrets), these secrets are used for:
- `cookie`: Encrypting cookies
- `cipher`: General-purpose encryption
It's important to replace these with secure, randomly generated strings in a production environment.
4. CORS (Cross-Origin Resource Sharing):
CORS settings, found under serve.public.cors
, control which domains can interact with your Kratos instance. As explained in the [Cross-origin resource sharing (CORS) settings guide](https://www.ory.sh/docs/kratos/guides/setting-up-cors), these settings are crucial for security when your frontend is on a different domain than your Kratos instance. The configuration includes:
- `allowed_origins`: Which domains can make requests
- `allowed_methods`: Which HTTP methods are permitted
- `allowed_headers`: Which headers can be included in requests
- `exposed_headers`: Which headers can be exposed to the requesting sitebrief-egg-61061
12/25/2024, 4:15 PMyaml serve: public: base_url: <https://public.example.com/> cors: enabled: true allowed_origins: - <https://app.example.com> allowed_methods: - POST - GET - PUT - PATCH - DELETE allowed_headers: - Authorization - Content-Type exposed_headers: - Content-Type - Set-Cookie admin: base_url: <https://admin.example.com/> secrets: cookie: - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE cipher: - 32-LONG-SECRET-NOT-SECURE-AT-ALL session: lifespan: 24h cookie: same_site: Lax hashers: argon2: parallelism: 1 memory: 128MB iterations: 3 salt_length: 16 key_length: 32 # ... other configurations ...
Now, let's explain the purpose of each section: 1. Session: The session configuration controls how Ory Kratos manages user sessions. According to the [Session Management documentation](https://www.ory.sh/docs/kratos/session-management/overview), sessions represent authenticated users. In the example, we set: - `lifespan`: Determines how long a session remains valid. - `cookie`: Configures how the session cookie behaves. The same_site
setting helps prevent CSRF attacks. 2. Hash: The hashers
section configures how passwords are hashed. Ory Kratos uses Argon2 for password hashing, as shown in the [Configuration Reference](https://www.ory.sh/docs/kratos/reference/configuration). The settings control: - `parallelism`: Number of threads to use - `memory`: Memory usage - `iterations`: Number of iterations - salt_length
and `key_length`: Affect the security of the hash 3. Secrets: The secrets
section is crucial for security. As mentioned in the [Deploy to Production guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#secure-secrets), these secrets are used for: - `cookie`: Encrypting cookies - `cipher`: General-purpose encryption It's important to replace these with secure, randomly generated strings in a production environment. 4. CORS (Cross-Origin Resource Sharing): CORS settings, found under serve.public.cors
, control which domains can interact with your Kratos instance. As explained in the [Cross-origin resource sharing (CORS) settings guide](https://www.ory.sh/docs/kratos/guides/setting-up-cors), these settings are crucial for security when your frontend is on a different domain than your Kratos instance. The configuration includes: - `allowed_origins`: Which domains can make requests - `allowed_methods`: Which HTTP methods are permitted - `allowed_headers`: Which headers can be included in requests - `exposed_headers`: Which headers can be exposed to the requesting site Remember, this is just an example configuration. In a production environment, you should carefully review and adjust these settings based on your specific security requirements and infrastructure setup. Always use strong, unique secrets and configure CORS to be as restrictive as necessary for your application's needs. [Source: Ory Kratos Documentation](https://www.ory.sh/docs/kratos/)quick-addition-90714
12/28/2024, 2:59 PMbrief-egg-61061
12/28/2024, 2:59 PMbrief-egg-61061
12/28/2024, 2:59 PMlatest
tag. Here's an example command to run an Ory Kratos container: bash docker run -it -e DSN="<your-database-url>" \ --mount type=bind,source=/path/to/your/kratos/config,target=/etc/config/kratos \ oryd/kratos:<version> serve --config /etc/config/kratos/kratos.yml
Let's break down this command: 1. `-it`: Runs the container in interactive mode with a pseudo-TTY. 2. `-e DSN="<your-database-url>"`: Sets the database source name environment variable. 3. `--mount`: Mounts your local configuration directory to the container. 4. `oryd/kratos:<version>`: Specifies the Kratos Docker image and version to use. 5. `serve`: Runs the Kratos server. 6. `--config /etc/config/kratos/kratos.yml`: Specifies the path to the configuration file inside the container. For running multiple containers, you would typically use an orchestration tool like Docker Swarm or Kubernetes. These tools allow you to define how many instances of Kratos you want to run and handle load balancing between them. When running multiple instances, there are a few important considerations: 1. Database: All instances should connect to the same database to share state. 2. Configuration: Ensure all instances use the same configuration. 3. Mail Courier: As mentioned in the [Mail courier in self-hosted Ory Kratos documentation](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted), for multi-instance setups, you need to run the mail courier as a separate singleton job: bash docker run oryd/kratos:<version> courier watch
4. Secrets: Make sure all instances use the same secrets for encryption and signing. 5. Load Balancing: Use a load balancer to distribute traffic among your Kratos instances. Remember to adjust the command based on your specific configuration and environment variables. Also, always use a specific version tag in production deployments for consistency and to avoid unexpected changes. [Source: Ory Kratos Docker Guide](https://www.ory.sh/docs/kratos/guides/docker) [Source: Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted)quick-addition-90714
12/28/2024, 3:00 PMbrief-egg-61061
12/28/2024, 3:00 PMbrief-egg-61061
12/28/2024, 3:00 PMyaml courier: delivery_strategy: http http: request_config: url: <https://your-email-service.com/send-email> method: POST body: file:///path/to/your/request_body.jsonnet
2. Disable Email-based Flows: If you don't want to handle emails at all, you can disable the flows that require email sending. This includes: - Account verification - Password reset / Account recovery You can disable these flows in your Kratos configuration: yaml selfservice: flows: verification: enabled: false recovery: enabled: false
However, this would limit the self-service capabilities of your users, as they won't be able to verify their email addresses or recover their accounts if they forget their passwords. 3. Custom Implementation: You could implement your own solution for handling these flows without using email. This would require custom development and careful consideration of security implications. It's important to note that while it's possible to run Kratos without the mail courier, doing so may limit important functionalities and security features. The mail courier is designed to handle email-related tasks reliably and securely, especially in multi-instance deployments. If you're considering not using the mail courier due to specific requirements or constraints, it might be worth reaching out to the Ory community or support channels to discuss your use case and find the best approach that maintains security and functionality. [Source: HTTP based email delivery](https://www.ory.sh/docs/kratos/self-hosted/email-http) Remember, the choice to not use the mail courier should be made carefully, considering the impact on user experience and security features like account verification and recovery.quick-addition-90714
12/28/2024, 3:04 PMbrief-egg-61061
12/28/2024, 3:04 PMbrief-egg-61061
12/28/2024, 3:04 PM--watch-courier
flag is used with the kratos serve
command to run the message courier as a background task in Ory Kratos. This flag is particularly useful for single-instance setups of Kratos. Let me explain its purpose and usage based on the information from the Ory documentation. According to the [CLI documentation for kratos serve](https://www.ory.sh/docs/kratos/cli/kratos-serve), the --watch-courier
flag is described as: "Run the message courier as a background task, to simplify single-instance setup" This flag is important because it allows the mail courier to run alongside the main Kratos server process in a single instance. The mail courier is responsible for processing and sending emails, which are crucial for various self-service flows like account verification and password reset. Here's why this flag is significant: 1. Single-instance Setup: In a single-instance deployment of Kratos, using --watch-courier
allows you to run both the main Kratos server and the mail courier in the same process, simplifying your setup. 2. Background Processing: The courier runs as a background task, meaning it doesn't interfere with the main Kratos server operations but still processes the email queue. 3. Simplification: It eliminates the need to run a separate courier process, which is typically required in multi-instance setups. However, it's important to note that for multi-instance deployments, running the courier as a separate singleton job is recommended. As stated in the [Mail courier in self-hosted Ory Kratos documentation](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted): "If you're running multiple instances of Kratos (for example replicated Kubernetes deployment), you need to run the mail courier as a separate singleton job. The courier can be started with the kratos courier watch
command." In summary, the --watch-courier
flag is a convenient way to run the mail courier alongside Kratos in single-instance setups, simplifying deployment and management. However, for more complex, multi-instance deployments, a different approach is recommended. [Source: Kratos CLI Documentation](https://www.ory.sh/docs/kratos/cli/kratos-serve) [Source: Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted)quick-addition-90714
12/28/2024, 3:06 PMbrief-egg-61061
12/28/2024, 3:06 PMbrief-egg-61061
12/28/2024, 3:07 PM--watch-courier
flag with the kratos serve
command. This runs the mail courier as a background task within the same process as the Kratos server. 2. Run the mail courier as a separate process: For multi-instance setups, you should run the mail courier as a separate singleton job using the kratos courier watch
command. 3. Use HTTP-based email delivery: As an alternative to the mail courier, you can configure Kratos to use an HTTP-based email delivery method. This would send emails via an HTTP API instead of using the mail courier. 4. Disable email-based flows: If you don't want to handle emails at all, you can disable the flows that require email sending, such as account verification and password reset. If you choose not to run the mail courier and haven't set up an alternative email delivery method, then indeed, no emails will be sent. This would affect functionalities like account verification, password reset, and any other features that rely on email communication. [Source: Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted) Remember, not sending emails could significantly impact user experience and security features, so it's generally recommended to have some form of email delivery system in place unless you have a specific reason not to.quick-addition-90714
12/28/2024, 3:45 PMbrief-egg-61061
12/28/2024, 3:45 PMbrief-egg-61061
12/28/2024, 3:45 PMkratos migrate sql
command as part of the upgrade process. Here's how you can run a migration script: 1. First, it's crucial to back up your data before running any migrations. As the upgrade guide states: "Back up your data! Applying upgrades can lead to data loss if handled incorrectly." 2. You can run the migration command using the Kratos CLI. The [kratos migrate sql documentation](https://www.ory.sh/docs/kratos/cli/kratos-migrate-sql) provides the following command: kratos migrate sql <database-url> [flags]
3. If you're using Docker, you can run the migration command in a separate container. Here's an example based on the [Ory Kratos Docker guide](https://www.ory.sh/docs/kratos/guides/docker): bash docker run -it --rm \ -e DSN="<your-database-url>" \ oryd/kratos:<version> \ migrate sql -e --yes
The -e
flag reads the database URL from the environment variable, and --yes
automatically accepts any confirmations. It's important to note that while you can run migrations with Kratos instances running, it's generally safer to perform migrations during a maintenance window to avoid potential issues. The [Ory architecture philosophy](https://www.ory.sh/docs/ecosystem/software-architecture-philosophy#architecture-philosophy) states: "The Ory stack strives to minimize startup time, taking no more than milliseconds to be ready. The processes shut down gracefully when they receive a SIGTERM signal from the process manager." This suggests that you could potentially stop your Kratos instances, run the migration, and then restart the instances with minimal downtime. Remember, always follow best practices for database migrations in production environments, such as testing the migration on a non-production copy of the database first, as mentioned in the upgrade guide. [Source: Ory Kratos Upgrade Guide](https://www.ory.sh/docs/kratos/guides/upgrade) [Source: Kratos CLI Documentation](https://www.ory.sh/docs/kratos/cli/kratos-migrate-sql) [Source: Ory Kratos Docker Guide](https://www.ory.sh/docs/kratos/guides/docker) [Source: Ory Architecture Philosophy](https://www.ory.sh/docs/ecosystem/software-architecture-philosophy#architecture-philosophy)quick-addition-90714
12/29/2024, 1:08 PM{
"$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",
"$schema": "<http://json-schema.org/draft-07/schema#>",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "email",
"minLength": 6,
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
}
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
}
}
brief-egg-61061
12/29/2024, 1:08 PMbrief-egg-61061
12/29/2024, 1:09 PMtraits
object. Here's how you can update your schema to include first name and last name: json { "$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>", "$schema": "<http://json-schema.org/draft-07/schema#>", "title": "Person", "type": "object", "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "title": "Email", "minLength": 6, "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } } } }, "first_name": { "type": "string", "title": "First Name", "minLength": 1 }, "last_name": { "type": "string", "title": "Last Name", "minLength": 1 } }, "required": ["email", "first_name", "last_name"], "additionalProperties": false } } }
In this updated schema: 1. We've added two new properties under `traits`: first_name
and last_name
. 2. Both first_name
and last_name
are defined as strings with a minimum length of 1 character. 3. We've added "first_name"
and "last_name"
to the required
array, making them mandatory fields along with the email. This schema will now require users to provide their first name and last name when registering, in addition to their email address. The Ory Kratos UI will automatically generate form fields for these new properties. Remember to update your Kratos configuration to use this new schema. If you're using a file-based schema, update the file contents. If you're specifying the schema directly in your Kratos configuration, you'll need to update it there. For more information on customizing identity schemas, you can refer to the [Ory Kratos documentation on customizing identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema).quick-addition-90714
12/29/2024, 1:10 PMbrief-egg-61061
12/29/2024, 1:10 PMbrief-egg-61061
12/29/2024, 1:10 PM"identifier": true
setting under the password
credentials tells Kratos that this field (in this case, email) should be used as the "username" for the password-based login flow. 2. Email as Primary Identifier: In many systems, the email address serves as the primary way to identify a user uniquely. It's a common practice to use email addresses for logins because they are unique and users can easily remember them. 3. Multiple Identifiers: Kratos allows for multiple identifiers. You could, for example, have both email and username as identifiers for password login. Here's an example from the documentation: json "email": { "type": "string", "format": "email", "title": "E-Mail", "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } }, "verification": { "via": "email" }, "recovery": { "via": "email" } } }
In this example, the email is set as the identifier for password login, and it's also used for verification and recovery processes. If you wanted to use a different field as the identifier, or add multiple identifiers, you could add the same configuration to other fields. For instance, to allow login with both email and username: json "email": { // ... other properties ... "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } } } }, "username": { // ... other properties ... "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } } } }
This configuration allows users to log in using either their email or username, along with their password. [Source: Ory Kratos - Customize Identity Schema](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#password-login-identifier) Remember, the placement of this configuration determines which field(s) can be used for authentication, so it's an important consideration in designing your user identity system.quick-addition-90714
12/29/2024, 1:48 PMbrief-egg-61061
12/29/2024, 1:48 PMbrief-egg-61061
12/29/2024, 1:49 PMquick-addition-90714
01/05/2025, 8:05 PMserve:
public:
cors:
enabled: true
allowed_origins:
- <http://localhost:5173>
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Authorization
- Content-Type
urls:
self:
issuer: <http://localhost:4444>
public: <http://localhost:4444>
consent: <http://localhost:3001/consent>
login: <http://localhost:3001/login>
logout: <http://localhost:3001/logout>
error: <http://localhost:3001/error>
secrets:
system:
- youReallyNeedToChangeThis
oidc:
subject_identifiers:
supported_types:
- pairwise
- public
pairwise:
salt: youReallyNeedToChangeThis
is this a good config for production grade appsbrief-egg-61061
01/05/2025, 8:05 PMbrief-egg-61061
01/05/2025, 8:06 PMhttp://
and localhost
. For production, you should use https://
and actual domain names. As stated in the [Ory Hydra production guide](https://www.ory.sh/docs/hydra/production), "HTTPS (TLS) must be used at all times." 2. CORS: The CORS configuration is allowing a localhost origin, which is not appropriate for production. You should specify your actual production domain(s) here. 3. Secrets: The secrets.system
value is using a placeholder. As mentioned in the [Ory Hydra configuration documentation](https://www.ory.sh/docs/hydra/reference/configuration), you should "use a very long, randomly generated secret" for production. 4. OIDC Subject Identifiers: The pairwise.salt
is using a placeholder value. This should be a randomly generated, secure string in production. 5. Missing configurations: Several important production configurations are missing, such as database settings, logging, and access rules. Here's an example of how you might adjust this configuration for production: yaml serve: public: cors: enabled: true allowed_origins: - <https://your-app-domain.com> allowed_methods: - POST - GET - PUT - PATCH - DELETE allowed_headers: - Authorization - Content-Type cookies: same_site_mode: Lax secure: true urls: self: issuer: <https://your-hydra-domain.com> public: <https://your-hydra-domain.com> consent: <https://your-app-domain.com/consent> login: <https://your-app-domain.com/login> logout: <https://your-app-domain.com/logout> error: <https://your-app-domain.com/error> secrets: system: - LoremIpsum123!ChangeMe!ThisIsJustAnExample oidc: subject_identifiers: supported_types: - pairwise - public pairwise: salt: AnotherLongRandomString123! dsn: <postgres://user:password@host:port/database?sslmode=require> log: level: info format: json oauth2: expose_internal_errors: false
Remember to replace placeholder values with actual, secure values for your production environment. Also, consider adding other production-specific configurations like rate limiting, database connection pooling, and proper SSL/TLS settings. For a comprehensive guide on deploying Ory Hydra in production, refer to the [Ory Hydra production deployment guide](https://www.ory.sh/docs/hydra/production). [Source: Ory Hydra Production Guide](https://www.ory.sh/docs/hydra/production) [Source: Ory Hydra Configuration Reference](https://www.ory.sh/docs/hydra/reference/configuration)quick-addition-90714
01/05/2025, 8:09 PMquick-addition-90714
01/05/2025, 8:09 PMbrief-egg-61061
01/05/2025, 8:09 PMbrief-egg-61061
01/05/2025, 8:09 PMissuer
and public
URLs in the urls.self
configuration of Ory Hydra serve different purposes in the OAuth2 and OpenID Connect flows. Let me explain each of them based on the Ory documentation: 1. Issuer URL: The issuer
URL is a critical component in OpenID Connect. According to the [Ory OAuth2 and OpenID Connect documentation](https://www.ory.sh/docs/oauth2-oidc/issuer-url): "The issuer URL is the URL of your OAuth2 Server. It's used to identify your server and is included in various OAuth2 and OpenID Connect flows and tokens." This URL is used in several important ways: - It's included in the iss
claim of ID Tokens and OAuth2 JWT Access Tokens. - It's used to construct the OpenID Connect Discovery endpoint (.well-known/openid-configuration
). - Clients use this URL to validate tokens and fetch server metadata. 2. Public URL: The public
URL is the base URL for Hydra's public endpoints. These are endpoints that are accessible to the public internet and used by clients and end-users during OAuth2 and OpenID Connect flows. Public endpoints include: - The authorization endpoint (/oauth2/auth
) - The token endpoint (/oauth2/token
) - The userinfo endpoint (/userinfo
) - The JWKS endpoint (/.well-known/jwks.json
) In many cases, the issuer
and public
URLs will be the same, especially in simple deployments. However, they can be different in more complex setups, such as when using a reverse proxy or in certain cloud deployments. For example, in a production configuration, you might see something like this: yaml urls: self: issuer: <https://auth.example.com> public: <https://auth.example.com>
It's crucial to use HTTPS for both these URLs in production environments to ensure secure communication. [Source: Ory OAuth2 and OpenID Connect - Issuer URL](https://www.ory.sh/docs/oauth2-oidc/issuer-url) Remember, changing the issuer URL can have significant impacts on your system, especially if you have existing clients or tokens. Always be cautious when modifying these values in a production environment.quick-addition-90714
01/05/2025, 8:16 PMbrief-egg-61061
01/05/2025, 8:16 PMbrief-egg-61061
01/05/2025, 8:16 PMbash export SECRETS_SYSTEM=$(export LC_CTYPE=C; cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
Remember, changing the system secret after the database has been initialized can lead to data inaccessibility, so it should be managed carefully. [Source: Run your own OAuth2 Server](https://www.ory.sh/run-oauth2-server-open-source-api-security/#configure-the-ory-hydra-oauth2-server-and-openid-connect-provider)quick-addition-90714
01/05/2025, 8:25 PMbrief-egg-61061
01/05/2025, 8:25 PMbrief-egg-61061
01/05/2025, 8:25 PMyaml
serve:
public:
cors:
enabled: true
allowed_origins:
- <https://your-frontend-domain.com>
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Authorization
- Content-Type
exposed_headers:
- Content-Type
- Set-Cookie
Similar configuration would be needed for Kratos.
5. API Gateway Configuration:
In API Gateway, you'll need to enable CORS for your resources and methods. This typically involves:
- Allowing specific origins
- Setting Access-Control-Allow-Methods
- Setting Access-Control-Allow-Headers
- Enabling Access-Control-Allow-Credentials
if you're using cookies
6. Considerations:
- Ensure that the CORS configurations in API Gateway, Hydra, and Kratos are consistent.
- Be cautious with wildcard origins (*
) in production environments.
- Remember that API Gateway has a maximum timeout of 29 seconds, which might affect long-running operations.
7. Security:
As mentioned in the [Ory Hydra production guide](https://www.ory.sh/docs/hydra/self-hosted/production), it's recommended to run Ory services behind an API gateway or load balancer for additional security:
"We strongly recommend running Ory Hydra behind an API gateway or a load balancer."brief-egg-61061
01/05/2025, 8:25 PMyaml serve: public: cors: enabled: true allowed_origins: - <https://your-frontend-domain.com> allowed_methods: - POST - GET - PUT - PATCH - DELETE allowed_headers: - Authorization - Content-Type exposed_headers: - Content-Type - Set-Cookie
Similar configuration would be needed for Kratos. 5. API Gateway Configuration: In API Gateway, you'll need to enable CORS for your resources and methods. This typically involves: - Allowing specific origins - Setting Access-Control-Allow-Methods
- Setting Access-Control-Allow-Headers
- Enabling Access-Control-Allow-Credentials
if you're using cookies 6. Considerations: - Ensure that the CORS configurations in API Gateway, Hydra, and Kratos are consistent. - Be cautious with wildcard origins (*
) in production environments. - Remember that API Gateway has a maximum timeout of 29 seconds, which might affect long-running operations. 7. Security: As mentioned in the [Ory Hydra production guide](https://www.ory.sh/docs/hydra/self-hosted/production), it's recommended to run Ory services behind an API gateway or load balancer for additional security: "We strongly recommend running Ory Hydra behind an API gateway or a load balancer." Remember, when setting up this architecture, you'll need to carefully manage your CORS settings to ensure they're secure yet functional for your specific use case. Always use HTTPS in production and be mindful of exposing sensitive endpoints. [Source: Ory Hydra Production Guide](https://www.ory.sh/docs/hydra/self-hosted/production) [Source: Ory Kratos CORS Settings](https://www.ory.sh/docs/kratos/guides/setting-up-cors)quick-addition-90714
01/11/2025, 9:13 AMbrief-egg-61061
01/11/2025, 9:13 AMbrief-egg-61061
01/11/2025, 9:14 AM"serve -c /shared/config.yml all"
This command is close to correct, but it needs a slight modification to be fully accurate for production use. The correct command should be: "serve all --config /shared/config.yml"
This command is based on the information from the [Ory Hydra CLI documentation](https://www.ory.sh/docs/hydra/cli/hydra-serve-all). The serve all
command starts both the public and administrative HTTP/2 APIs. The --config
flag (or -c
for short) specifies the path to the configuration file. As for the health check command: hydra remote status -e <http://localhost:4434> || exit 1
This command is not entirely correct for a production setup. There are a few issues: 1. The use of http://
instead of https://
is not recommended for production. As mentioned in the [Ory Hydra production guide](https://www.ory.sh/docs/hydra/self-hosted/production#exposing-administrative-and-public-api-endpoints), HTTPS should be used at all times in production. 2. The port 4434 is not a standard port for Ory Hydra. Typically, Hydra uses 4444 for the public API and 4445 for the admin API. 3. The hydra remote status
command is not documented in the provided knowledge sources, which suggests it might not be the recommended way to check Hydra's health in production. A more appropriate health check command would be to use a simple HTTP request to Hydra's health endpoint. For example: curl -f -s -o /dev/null <https://your-hydra-domain.com:4445/health/ready> || exit 1
This command checks the readiness of the Hydra instance by making a request to the /health/ready
endpoint on the admin port (4445). The -f
flag ensures that curl returns a non-zero exit code on HTTP errors, which is then used to determine the health status. Remember to replace <http://your-hydra-domain.com|your-hydra-domain.com>
with your actual Hydra domain, and ensure that your health check is accessing the correct port and using HTTPS in a production environment. [Source: Hydra CLI Documentation](https://www.ory.sh/docs/hydra/cli/hydra-serve-all) [Source: Hydra Production Guide](https://www.ory.sh/docs/hydra/self-hosted/production#exposing-administrative-and-public-api-endpoints)quick-addition-90714
01/17/2025, 12:42 PMbrief-egg-61061
01/17/2025, 12:42 PMbrief-egg-61061
01/17/2025, 12:43 PMjson
{
"family": "ory-hydra",
"containerDefinitions": [
{
"name": "hydra",
"image": "oryd/hydra:v1.10.6",
"cpu": 256,
"memory": 512,
"essential": true,
"portMappings": [
{
"containerPort": 4444,
"hostPort": 4444,
"protocol": "tcp"
},
{
"containerPort": 4445,
"hostPort": 4445,
"protocol": "tcp"
}
],
"environment": [
{
"name": "DSN",
"value": "<postgres://user:password@your-db-host:5432/hydra?sslmode=require>"
},
{
"name": "SECRETS_SYSTEM",
"value": "your-very-long-secret-here"
},
{
"name": "URLS_SELF_ISSUER",
"value": "<https://your-hydra-domain.com/>"
},
{
"name": "URLS_CONSENT",
"value": "<https://your-consent-app-domain.com/consent>"
},
{
"name": "URLS_LOGIN",
"value": "<https://your-login-app-domain.com/login>"
}
],
"command": [
"serve",
"all",
"--config",
"/etc/config/hydra.yml"
],
"healthCheck": {
"command": [
"CMD-SHELL",
"curl -f <http://localhost:4445/health/ready> || exit 1"
],
"interval": 30,
"timeout": 5,
"retries": 3,
"startPeriod": 60
},
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/ory-hydra",
"awslogs-region": "your-aws-region",
"awslogs-stream-prefix": "hydra"
}
}
}
],
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"cpu": "256",
"memory": "512"
}
2. Ory Kratos Task Definition:brief-egg-61061
01/17/2025, 12:43 PMjson { "family": "ory-hydra", "containerDefinitions": [ { "name": "hydra", "image": "oryd/hydra:v1.10.6", "cpu": 256, "memory": 512, "essential": true, "portMappings": [ { "containerPort": 4444, "hostPort": 4444, "protocol": "tcp" }, { "containerPort": 4445, "hostPort": 4445, "protocol": "tcp" } ], "environment": [ { "name": "DSN", "value": "<postgres://user:password@your-db-host:5432/hydra?sslmode=require>" }, { "name": "SECRETS_SYSTEM", "value": "your-very-long-secret-here" }, { "name": "URLS_SELF_ISSUER", "value": "<https://your-hydra-domain.com/>" }, { "name": "URLS_CONSENT", "value": "<https://your-consent-app-domain.com/consent>" }, { "name": "URLS_LOGIN", "value": "<https://your-login-app-domain.com/login>" } ], "command": [ "serve", "all", "--config", "/etc/config/hydra.yml" ], "healthCheck": { "command": [ "CMD-SHELL", "curl -f <http://localhost:4445/health/ready> || exit 1" ], "interval": 30, "timeout": 5, "retries": 3, "startPeriod": 60 }, "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/ory-hydra", "awslogs-region": "your-aws-region", "awslogs-stream-prefix": "hydra" } } } ], "requiresCompatibilities": [ "FARGATE" ], "networkMode": "awsvpc", "cpu": "256", "memory": "512" }
2. Ory Kratos Task Definition: json { "family": "ory-kratos", "containerDefinitions": [ { "name": "kratos", "image": "oryd/kratos:v0.9.0", "cpu": 256, "memory": 512, "essential": true, "portMappings": [ { "containerPort": 4433, "hostPort": 4433, "protocol": "tcp" }, { "containerPort": 4434, "hostPort": 4434, "protocol": "tcp" } ], "environment": [ { "name": "DSN", "value": "<postgres://user:password@your-db-host:5432/kratos?sslmode=require>" }, { "name": "SECRETS_DEFAULT", "value": "your-very-long-secret-here" }, { "name": "SERVE_PUBLIC_BASE_URL", "value": "<https://your-kratos-public-domain.com/>" }, { "name": "SERVE_ADMIN_BASE_URL", "value": "<https://your-kratos-admin-domain.com/>" } ], "command": [ "serve", "--config", "/etc/config/kratos.yml" ], "healthCheck": { "command": [ "CMD-SHELL", "curl -f <http://localhost:4434/health/ready> || exit 1" ], "interval": 30, "timeout": 5, "retries": 3, "startPeriod": 60 }, "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/ory-kratos", "awslogs-region": "your-aws-region", "awslogs-stream-prefix": "kratos" } } } ], "requiresCompatibilities": [ "FARGATE" ], "networkMode": "awsvpc", "cpu": "256", "memory": "512" }
These task definitions are set up for AWS Fargate, which is a serverless compute engine for containers. They include: - Container images and versions - Port mappings - Environment variables (including database connection strings and secrets) - Health checks - Logging configurations Remember to replace placeholder values (like database URLs, secrets, and domain names) with your actual values. Also, ensure that you're using the latest stable versions of Ory Hydra and Kratos. For production use, consider the following additional steps: 1. Use AWS Secrets Manager or Parameter Store to manage sensitive information like database credentials and secrets. 2. Set up proper networking and security groups to control access to your containers. 3. Use HTTPS for all external communications. 4. Adjust CPU and memory allocations based on your workload requirements. 5. Set up proper IAM roles for your tasks to access other AWS resources. [Source: Ory Hydra Docker Guide](https://www.ory.sh/docs/hydra/guides/docker) [Source: Ory Kratos Docker Guide](https://www.ory.sh/docs/kratos/guides/docker) Always refer to the latest Ory documentation and AWS best practices when deploying these services in a production environment.quick-addition-90714
01/18/2025, 3:30 PMbrief-egg-61061
01/18/2025, 3:30 PMbrief-egg-61061
01/18/2025, 3:30 PM<https://your-domain.com/hydra>
for Ory Hydra - <https://your-domain.com/kratos>
for Ory Kratos - <https://your-domain.com/ui>
for the self-service UI 2. Reverse Proxy: Use a reverse proxy (like Nginx, Traefik, or AWS API Gateway) to route requests to the appropriate service based on the path. 3. Configuration: You'll need to adjust the configuration of both Hydra and Kratos to work with this setup. For example, in your Kratos configuration: yaml serve: public: base_url: <https://your-domain.com/kratos>
And for Hydra: yaml urls: self: issuer: <https://your-domain.com/hydra>
4. CORS Configuration: Since all services are on the same domain, CORS issues should be minimal. However, you still need to configure CORS in Hydra and Kratos to allow requests from your domain. 5. Cookie Domain: Ensure that cookies are set for the root domain so they can be shared across subpaths. It's important to note that while this setup is possible, it comes with some considerations: 1. Security: Ensure proper isolation between services, especially for admin APIs. 2. Complexity: This setup increases the complexity of your deployment and can make debugging more challenging. 3. Performance: Be mindful of the load on your reverse proxy as it will be handling all traffic. The [Ory documentation on multi-domain cookies](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies) emphasizes the importance of having Ory and your UI on the same top-level domain: "Ory and your UI must be on the hosted on same top level domain. You can't host Ory and your UI on separate top level domains." This setup you're proposing aligns with this requirement, as all components would be on the same domain. Remember to thoroughly test this configuration, especially focusing on the interaction between Hydra, Kratos, and your self-service UI, to ensure all flows work correctly under this shared domain setup. [Source: Ory Kratos - Multi-domain Cookies](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies)quick-addition-90714
01/18/2025, 3:31 PMbrief-egg-61061
01/18/2025, 3:31 PMbrief-egg-61061
01/18/2025, 3:31 PMbase_url
in Kratos configuration, typically found under serve.public.base_url
, is used for several key functions: 1. Compute Redirect URLs: As mentioned in the [Ory Kratos documentation on advanced base URL settings](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies), the public base URL is used to compute redirect URLs. 2. Form Action URLs: It's used to generate form action URLs for various self-service flows. 3. Reference Point: It serves as a reference point for relative URLs in the system. 4. CORS: It's used as the basis for CORS (Cross-Origin Resource Sharing) configurations. For example, in a Kratos configuration: yaml serve: public: base_url: <https://your-domain.com/kratos>
This tells Kratos that all of its public endpoints should be accessible under <https://your-domain.com/kratos>
. For Ory Hydra: In Hydra, the base URL is typically set in the urls.self.issuer
configuration. Its purposes include: 1. OpenID Connect Issuer: As explained in the [Ory OAuth2 and OpenID Connect documentation](https://www.ory.sh/docs/oauth2-oidc/issuer-url), this URL is used as the issuer identifier in OpenID Connect flows. 2. Token Issuance: It's included in the iss
(issuer) claim of ID Tokens and OAuth2 JWT Access Tokens. 3. Discovery Endpoint: It's used to construct the OpenID Connect Discovery endpoint (.well-known/openid-configuration
). 4. Client Validation: Clients use this URL to validate tokens and fetch server metadata. For example, in a Hydra configuration: yaml urls: self: issuer: <https://your-domain.com/hydra>
This configuration tells Hydra to use <https://your-domain.com/hydra>
as its base URL for issuing tokens and other OAuth2/OpenID Connect operations. In both cases, the base URL is crucial for ensuring that all components of the system (including clients, browsers, and the services themselves) have a consistent understanding of where to find and interact with the services. It's particularly important when you're running these services behind a reverse proxy or in complex network setups. Remember, when hosting both services on the same domain, as you mentioned in your previous question, you need to ensure these base URLs are correctly set to reflect your chosen subpaths for each service.quick-addition-90714
01/18/2025, 3:35 PMbrief-egg-61061
01/18/2025, 3:35 PMbrief-egg-61061
01/18/2025, 3:36 PMserve.admin.base_url
in the Kratos configuration, is used for administrative operations and internal communication. Here's what it's used for: 1. Administrative API: The admin base URL is the endpoint for Kratos' administrative API. This API is used for operations that should not be accessible to the public, such as managing identities, performing administrative actions, and accessing sensitive system information. 2. Internal Communication: It's used for internal communication between Kratos and other components of your system that need administrative access. 3. Separation of Concerns: By having a separate admin base URL, you can isolate administrative traffic from public traffic, enhancing security. 4. Access Control: The admin API should typically be accessible only from within your internal network or through strictly controlled access points. For example, in a Kratos configuration, you might see something like this: yaml serve: admin: base_url: <http://kratos:4434>
This configuration tells Kratos that its administrative API should be accessible at <http://kratos:4434>
. It's important to note that, as mentioned in the [Ory Kratos deployment guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-and-configure-nginx), the admin API should not be exposed to the public internet. The guide recommends using a reverse proxy (like Nginx) to manage access to these APIs and implement access control for the admin endpoints. For instance, in a production environment, you might configure your reverse proxy to only allow access to the admin API from specific IP addresses or after passing through additional authentication. Remember, while the public base URL is used for user-facing operations and flows, the admin base URL is for backend, administrative tasks and should be secured accordingly. [Source: Ory Kratos Deployment Guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-and-configure-nginx)quick-addition-90714
01/18/2025, 3:37 PMbrief-egg-61061
01/18/2025, 3:37 PMbrief-egg-61061
01/18/2025, 3:37 PMquick-addition-90714
01/18/2025, 3:42 PMbrief-egg-61061
01/18/2025, 3:42 PMbrief-egg-61061
01/18/2025, 3:42 PMserve.cookies.secure
is set to true, which is correct for production use. 2. The URLs are properly set using the ${identity_url}
variable, which allows for consistent domain usage. 3. The secrets.system
is set using a variable, which is good for security. 4. OIDC subject identifiers are properly configured. 5. Logging is set to use JSON format, which is good for production environments. 6. oauth2.expose_internal_errors
is set to false, which is correct for production to prevent leaking sensitive information. Kratos Configuration: 1. Both public and admin base URLs are set using variables. 2. Self-service flows are properly configured with UI URLs. 3. Password method is enabled. 4. Verification and recovery flows are disabled. Make sure this is intentional for your use case. 5. Registration is disabled. Again, ensure this is intentional. 6. Logging is configured with a variable for log level and sensitive value leaking is disabled. 7. Secrets for cookies and ciphers are set using variables. 8. Session lifespan and cookie settings are defined. 9. Argon2 hasher is configured, though the memory setting (128KB) seems low for production. Consider increasing this for better security. 10. Identity schema is loaded from a file path. 11. OAuth2 provider URL is set using a variable. Overall, these configurations look suitable for a production environment, with a few points to consider: 1. Ensure all the Terraform variables are properly set and secured. 2. Consider enabling verification and recovery flows if needed for your use case. 3. Review the Argon2 hasher settings, particularly the memory allocation. 4. Make sure the ${identity_schema_path}
points to the correct schema file in your production environment. 5. Verify that the ${oauth2_provider_url}
correctly points to your Hydra instance. Remember to test thoroughly in a staging environment that mirrors your production setup before deploying. Also, ensure that your infrastructure (like reverse proxies or API gateways) is configured to properly route requests to Hydra and Kratos based on these configurations. [Source: Ory Hydra Configuration](https://www.ory.sh/docs/hydra/reference/configuration) [Source: Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration)quick-addition-90714
01/19/2025, 1:43 PMbrief-egg-61061
01/19/2025, 1:43 PMbrief-egg-61061
01/19/2025, 1:44 PM.<http://identity.example.com|identity.example.com>
to allow sharing across subdomains. 3. CORS Configuration: Configure CORS settings in both Kratos and Hydra to allow requests from your UI subdomain. 4. Kratos Configuration: Update your Kratos configuration to reflect this setup. For example: yaml serve: public: base_url: <https://identity.example.com>
5. Hydra Configuration: Similarly, update your Hydra configuration: yaml urls: self: issuer: <https://auth.identity.example.com> login: <https://ui.identity.example.com/login> consent: <https://ui.identity.example.com/consent>
6. Reverse Proxy: Set up a reverse proxy (like Nginx or Traefik) to handle routing between these subdomains. This setup is in line with the guidance provided in the [Ory documentation on multi-domain cookies](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies), which states: "Ory and your UI must be on the hosted on same top level domain. You can't host Ory and your UI on separate top level domains." Your proposed setup meets this requirement as all services are on subdomains of <http://example.com|example.com>
. Remember to thoroughly test this configuration, especially the interactions between Kratos, Hydra, and your self-service UI, to ensure all flows work correctly under this subdomain setup. [Source: Ory Kratos - Multi-domain Cookies](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies)quick-addition-90714
01/22/2025, 9:04 PMbrief-egg-61061
01/22/2025, 9:04 PMbrief-egg-61061
01/22/2025, 9:04 PMyaml session: cookie: domain: <http://identity.example.com|identity.example.com>
This setting will make the session cookie available across all subdomains of <http://identity.example.com|identity.example.com>
. For Ory Hydra: Similarly, you can set the cookie domain for Hydra in its configuration. As per the [Ory Hydra documentation on configuring cookies](https://www.ory.sh/docs/hydra/guides/cookies), you can set it like this: yaml serve: cookies: domain: <http://identity.example.com|identity.example.com>
This configuration will ensure that cookies set by Hydra are also available across all subdomains of <http://identity.example.com|identity.example.com>
. Important considerations: 1. Shared Domain: By setting the cookie domain to your top-level domain (e.g., <http://identity.example.com|identity.example.com>
), you ensure that cookies can be shared across all subdomains, which is crucial for your setup with <http://identity.example.com|identity.example.com>
, <http://auth.identity.example.com|auth.identity.example.com>
, and <http://ui.identity.example.com|ui.identity.example.com>
. 2. Security: When setting cookie domains, always use the most specific domain possible to minimize the risk of cookie-based attacks. 3. HTTPS: In production, always use HTTPS and set the secure
flag for cookies to true. 4. SameSite: Consider setting the SameSite
attribute for your cookies. For example: yaml session: cookie: same_site: Lax
This helps protect against CSRF attacks. Remember, when you're using subdomains as in your proposed setup (<http://identity.example.com|identity.example.com>
, <http://auth.identity.example.com|auth.identity.example.com>
, <http://ui.identity.example.com|ui.identity.example.com>
), setting the cookie domain to the root domain (<http://identity.example.com|identity.example.com>
) allows these cookies to be shared across all these subdomains, which is typically what you want for a cohesive authentication system. [Source: Ory Kratos - Configuring Cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies) [Source: Ory Hydra - Configuring Cookies](https://www.ory.sh/docs/hydra/guides/cookies)quick-addition-90714
01/23/2025, 6:51 PMbrief-egg-61061
01/23/2025, 6:51 PMbrief-egg-61061
01/23/2025, 6:52 PM/health
, /admin/metrics/prometheus
, /admin/version
endpoints." These endpoints are served on the administrative port, which is typically 4445. For Ory Kratos: The [Ory Kratos deployment guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-and-configure-nginx) shows that the health check endpoint is accessed via the admin port (4434): bash curl -f <http://localhost:4434/health/ready> || exit 1
This indicates that the health check endpoints in Kratos are also served on the admin port. It's important to note that these health check endpoints are not meant to be exposed to the public internet. They are designed for internal use, such as for load balancers, orchestration systems, or monitoring tools to check the status of the services. If you need to perform health checks from outside your internal network, it's recommended to set up a proxy or API gateway that can access these admin endpoints internally and expose a public health check endpoint that doesn't reveal sensitive information about your infrastructure. [Source: Ory Hydra Production Guide](https://www.ory.sh/docs/hydra/self-hosted/production#exposing-administrative-and-public-api-endpoints) [Source: Ory Kratos Deployment Guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-and-configure-nginx)quick-addition-90714
01/23/2025, 7:04 PMbrief-egg-61061
01/23/2025, 7:04 PMbrief-egg-61061
01/23/2025, 7:04 PM/health
, /admin/metrics/prometheus
, /admin/version
endpoints." This means that the version endpoint for Hydra is typically accessed via the admin port (usually 4445) and would be something like: <http://localhost:4445/admin/version>
For Ory Kratos, while not explicitly mentioned in the provided knowledge sources, it follows a similar pattern to Hydra. The version endpoint is likely also part of the administrative API and would be accessed through the admin port (typically 4434). It's important to note that these administrative endpoints, including the version endpoint, are not meant to be exposed to the public internet. They are designed for internal use, such as for monitoring, debugging, or administrative purposes. If you need to access version information from outside your internal network, it's recommended to create a secure method to retrieve this information without directly exposing the administrative endpoints. This could involve setting up a proxy or creating a custom endpoint that safely relays the version information. Remember, in a production environment, always use HTTPS for any external access, and implement proper authentication and authorization for accessing sensitive information like version details. [Source: Ory Hydra Production Guide](https://www.ory.sh/docs/hydra/self-hosted/production#exposing-administrative-and-public-api-endpoints)quick-addition-90714
01/24/2025, 4:08 PMserve:
public:
base_url: ${base_url}
admin:
base_url: ${admin_base_url}
selfservice:
default_browser_return_url: ${identity_service_url}
allowed_return_urls:
- ${identity_service_url}
methods:
password:
enabled: true
flows:
settings:
ui_url: ${identity_service_url}/ui/settings
verification:
enabled: false
recovery:
enabled: false
logout:
after:
default_browser_return_url: ${identity_service_url}/login
login:
ui_url: ${identity_service_url}/login
registration:
enabled: false
error:
ui_url: ${identity_service_url}/error
log:
level: ${log_level}
leak_sensitive_values: false
secrets:
cookie:
- ${openssl_key_cookie}
cipher:
- ${openssl_key_cipher}
session:
lifespan: 24h
cookie:
domain: ${identity_domain}
same_site: Lax
hashers:
argon2:
parallelism: 1
memory: 128KB
iterations: 2
salt_length: 16
key_length: 16
identity:
schemas:
- id: default
url: file://${identity_schema_path}
oauth2_provider:
url: ${oauth2_provider_url}
if I let out the serve for admin url, what happens?brief-egg-61061
01/24/2025, 4:08 PMbrief-egg-61061
01/24/2025, 4:09 PMserve.admin.base_url
from your Ory Kratos configuration, Kratos will still function, but there are some important implications to consider: 1. Default Behavior: When the admin base URL is not explicitly set, Kratos will use a default value. Typically, this default is <http://localhost:4434>
or a similar local address. 2. Internal Communication: The admin base URL is primarily used for internal communication and administrative operations. By not setting it explicitly, you're relying on the default, which might not be suitable for your specific deployment setup. 3. Security Implications: If the default admin URL is used and it's not properly secured, it could potentially expose the admin API to unintended access. This is especially risky if your deployment accidentally makes the default admin port accessible externally. 4. Flexibility Loss: By not setting the admin base URL explicitly, you lose some flexibility in how you deploy and manage Kratos, especially in more complex setups or when using reverse proxies. 5. Potential Misconfiguration: In production environments, relying on defaults can lead to misconfigurations, especially if the actual admin API ends up being served from a different location than the default. 6. Logging and Debugging: Without an explicit admin base URL, it might be more challenging to track and debug issues related to admin API access. While Kratos can function without an explicitly set admin base URL, it's generally recommended to set it, especially in production environments. This ensures that you have full control over where and how the admin API is accessed, and it helps in maintaining a clear and secure configuration. Remember, the admin API should never be exposed to the public internet. If you decide to omit the admin base URL, make sure that your deployment still properly secures access to the admin endpoints, regardless of where they end up being served from. [Source: Ory Kratos Deployment Guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example)quick-addition-90714
01/24/2025, 4:10 PMbrief-egg-61061
01/24/2025, 4:10 PMbrief-egg-61061
01/24/2025, 4:11 PMserve.admin.base_url
) is not intended to be exposed to or used by the browser. It's meant for internal communication and administrative operations. Therefore, you can safely omit it from the configuration if you know the correct URL to use internally for admin operations. Here's why this approach is acceptable: 1. Internal Use Only: The admin URL is used for server-to-server communication and administrative tasks, not for browser-based redirects or client-side operations. 2. Security: By not exposing the admin URL in your configuration, you're adhering to the principle of least privilege and reducing potential attack surfaces. 3. Flexibility: If you're using a reverse proxy or API gateway to manage internal routing, you can handle the admin URL routing there without exposing it in the Kratos configuration. However, keep in mind: 1. Proper Setup: Ensure that your internal systems (like other microservices or admin tools) are correctly configured to use the admin URL you've chosen. 2. Secure Access: Even though you're not exposing the admin URL in the configuration, make sure it's still properly secured and only accessible within your internal network or through appropriate authentication mechanisms. 3. Documentation: It's a good practice to document your admin URL separately for your operations team, so they know how to access administrative functions. In summary, yes, you can leave out the serve.admin.base_url
from your Kratos configuration if you know the correct URL to use internally for admin operations. This approach aligns well with security best practices by not exposing internal infrastructure details to the browser or end-users. [Source: Ory Kratos Deployment Guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example) Remember, the key is to ensure that your internal systems are correctly set up to use the admin URL, even if it's not explicitly defined in the Kratos configuration file.quick-addition-90714
01/24/2025, 4:11 PMbrief-egg-61061
01/24/2025, 4:11 PMbrief-egg-61061
01/24/2025, 4:12 PMnginx server { listen 80; server_name <http://identity.example.com|identity.example.com>; # Route for public API location / { proxy_pass <http://localhost:4433;> } # Return 404 for any admin routes location ~ ^/admin { return 404; } }
This configuration would return a 404 for any paths starting with /admin
on the public domain, mimicking Hydra's behavior. 4. Kratos Configuration: In your Kratos configuration, you can omit the serve.admin.base_url
as you mentioned earlier. This ensures that Kratos doesn't expose information about the admin API through its public interfaces. By implementing this approach, you can achieve behavior similar to Hydra, where attempts to access admin routes on the public port result in a 404 error. Remember, this is a custom solution and not a built-in feature of Kratos based on the available documentation. Always ensure that your admin routes are properly secured and not accessible from public networks, regardless of the HTTP status code returned. [Source: Ory Kratos Deployment Guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example) For the most up-to-date and accurate information on this specific requirement, you may want to consult the Ory community forums or submit a feature request to the Ory team.quick-addition-90714
01/24/2025, 8:22 PMzenuml
title OAuth2 Token Request Flow
@Actor User #FFEBE6
Hydra
"Identity Service"
Kratos
User -> Hydra : Start OAuth2 request
Hydra -> "Identity Service" : Redirect to login UI
"Identity Service" -> Kratos : Redirect for authentication
Kratos -> "Identity Service" : Return after login
"Identity Service" -> Hydra : Return with authentication context
Hydra -> User : Return code url
User -> Hydra : Fetch Token
is this a correct diagram where identity service is the self service uibrief-egg-61061
01/24/2025, 8:22 PMbrief-egg-61061
01/24/2025, 8:23 PMquick-addition-90714
01/26/2025, 3:51 PMbrief-egg-61061
01/26/2025, 3:51 PMbrief-egg-61061
01/26/2025, 3:52 PMtypescript
// call the sdk
// sdk...
.then(({data: flow}) => {
// error message can also exist inside the flow data even when the request is successful.
// This is the case when retrieving the login flow using the flow ID and the flow was submitted previously
// but still contains errors.
// method level error
// messages is an array of error messages
err.response?.data?.ui.messages.forEach((message) => {
console.log(message)
})
// field level error
err.response?.data?.ui.nodes.forEach(({ messages }) => {
// messages is an array of error messages
messages.forEach((message) => {
console.log(message)
})
})
})
.catch((err: AxiosError) => {
// if the request failed but the response is not just an error
// it will contain flow data which can be used to display error messages
// this is common when submitting a form (e.g. login or registration)
// and getting a response status 400 `Bad Request` back.
if (err.response.status === 400) {
// method level error
// messages is an array of error messages
err.response?.data?.ui.messages.forEach((message) => {
console.log(message)
})
// field level error
err.response?.data?.ui.nodes.forEach(({ messages }) => {
// messages is an array of error messages
messages.forEach((message) => {
console.log(message)
})
})
} else {
// request level error
if (err.response?.data?.error) {
console.log(err.response.data.error)
}
}
})
For Ory Hydra:
Hydra also provides error information that you can use for logging. According to the [User-facing errors documentation](https://www.ory.sh/docs/hydra/faq#can-i-set-the-log-level-to-warn-error-debug-), you can set the log level for Hydra to control the verbosity of error logging:
LOG_LEVEL=<level>
Supported levels include: debug, info, warn, error, fatal, panic.
For user-facing errors, Hydra provides an error endpoint that you can query to get detailed error information. As described in the [User-facing errors in the browser documentation](https://www.ory.sh/docs/hydra/faq#can-i-set-the-log-level-to-warn-error-debug-), you can make a request to:
<https://kratos>-<public|admin>/self-service/errors?id=abcde
brief-egg-61061
01/26/2025, 3:52 PMtypescript // call the sdk // sdk... .then(({data: flow}) => { // error message can also exist inside the flow data even when the request is successful. // This is the case when retrieving the login flow using the flow ID and the flow was submitted previously // but still contains errors. // method level error // messages is an array of error messages err.response?.data?.ui.messages.forEach((message) => { console.log(message) }) // field level error err.response?.data?.ui.nodes.forEach(({ messages }) => { // messages is an array of error messages messages.forEach((message) => { console.log(message) }) }) }) .catch((err: AxiosError) => { // if the request failed but the response is not just an error // it will contain flow data which can be used to display error messages // this is common when submitting a form (e.g. login or registration) // and getting a response status 400 `Bad Request` back. if (err.response.status === 400) { // method level error // messages is an array of error messages err.response?.data?.ui.messages.forEach((message) => { console.log(message) }) // field level error err.response?.data?.ui.nodes.forEach(({ messages }) => { // messages is an array of error messages messages.forEach((message) => { console.log(message) }) }) } else { // request level error if (err.response?.data?.error) { console.log(err.response.data.error) } } })
For Ory Hydra: Hydra also provides error information that you can use for logging. According to the [User-facing errors documentation](https://www.ory.sh/docs/hydra/faq#can-i-set-the-log-level-to-warn-error-debug-), you can set the log level for Hydra to control the verbosity of error logging: LOG_LEVEL=<level>
Supported levels include: debug, info, warn, error, fatal, panic. For user-facing errors, Hydra provides an error endpoint that you can query to get detailed error information. As described in the [User-facing errors in the browser documentation](https://www.ory.sh/docs/hydra/faq#can-i-set-the-log-level-to-warn-error-debug-), you can make a request to: <https://kratos>-<public|admin>/self-service/errors?id=abcde
The response will contain error details that you can log: json [ { "code": 500, "message": "no such file or directory", "reason": "some reason", "debug": "some debug info" } ]
In both cases, you should implement error handling in your error page that retrieves these error details, logs them appropriately, and displays user-friendly messages to the end-user. Remember to handle errors securely, avoiding exposure of sensitive information to end-users while still providing meaningful feedback and maintaining detailed logs for troubleshooting. [Source: Kratos Error Handling](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#error-handling) [Source: Hydra User-facing Errors](https://www.ory.sh/docs/hydra/faq#can-i-set-the-log-level-to-warn-error-debug-)quick-addition-90714
01/26/2025, 6:00 PMbrief-egg-61061
01/26/2025, 6:00 PMbrief-egg-61061
01/26/2025, 6:01 PM<https://example.org/errors?id=abcde>
2. Fetching Error Details: In your self-service node, you need to extract this error ID from the URL and use it to fetch the error details from Kratos. You can do this by making a request to Kratos' error API endpoint. Here's an example of how you might implement this in a Node.js application: javascript const express = require('express'); const axios = require('axios'); const app = express(); app.get('/error', async (req, res) => { const errorId = req.query.id; if (!errorId) { return res.status(400).send('Error ID is missing'); } try { // Replace with your Kratos public API URL const kratosUrl = '<https://kratos-public/self-service/errors>'; const response = await axios.get(`${kratosUrl}?id=${errorId}`); const errorDetails = response.data; // Log the error details console.log('Error details:', errorDetails); // Render your error page with the error details res.render('error', { error: errorDetails }); } catch (error) { console.error('Failed to fetch error details:', error); res.status(500).send('Internal Server Error'); } });
3. Error Structure: The error details you receive will typically have this structure: json [ { "code": 500, "message": "some error message", "reason": "some reason", "debug": "some debug info" } ]
You can use these details to log the error and display an appropriate message to the user. 4. Handling Different Error Types: Remember that Kratos provides errors at different levels (request, method, and field). You may need to handle these differently depending on the error type. 5. Security Considerations: Be cautious about what error information you expose to the user. It's often best to log detailed error information server-side but only show a generic message to the user. By implementing this approach, you can effectively capture and handle error IDs in your self-service node, allowing you to provide appropriate feedback to users and maintain detailed logs for troubleshooting. [Source: User-facing errors in the browser](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors) Remember to adjust the Kratos URL and error handling logic to fit your specific setup and requirements.quick-addition-90714
01/26/2025, 6:06 PMbrief-egg-61061
01/26/2025, 6:06 PMbrief-egg-61061
01/26/2025, 6:07 PMxyyzzzz
) where: - x
is the message type (1 for info, 4 for input validation error, 5 for generic error) - yy
is the module or flow this error references (e.g., 01 for login, 02 for logout) - zzzz
is the specific message ID For example, an error ID like 4070001
would be a Kratos error (4 for input validation error, 07 for verification, 0001 for the specific message). For Ory Hydra: Hydra doesn't use the same structured ID system as Kratos. Instead, when you're dealing with Hydra errors, you typically get an error object that includes properties like error
, error_description
, and sometimes an error_hint
. To differentiate between Kratos and Hydra errors in your self-service node: 1. Check the structure of the error response: - If you see a 7-digit numeric ID, it's likely a Kratos error. - If you see an object with error
and error_description
fields, it's likely a Hydra error. 2. Consider the context: - Errors related to identity management, login flows, or registration are typically from Kratos. - Errors related to OAuth2 flows, token issuance, or consent are typically from Hydra. 3. Check the error endpoint: - Kratos errors are typically fetched from an endpoint like /self-service/errors?id=<error_id>
- Hydra errors are often returned directly in the OAuth2 flow responses Here's an example of how you might handle this in your code: javascript app.get('/error', async (req, res) => { const errorId = req.query.id; if (errorId && /^\d{7}$/.test(errorId)) { // This is likely a Kratos error const kratosError = await fetchKratosError(errorId); console.log('Kratos error:', kratosError); // Handle Kratos error... } else { // This might be a Hydra error const hydraError = req.query.error; const hydraErrorDescription = req.query.error_description; console.log('Hydra error:', hydraError, hydraErrorDescription); // Handle Hydra error... } // Render your error page... });
Remember, this is a simplified approach and you may need to adjust it based on your specific setup and how you're integrating Kratos and Hydra in your application. [Source: Kratos UI Message Codes](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#titles-labels--validation-messages) Always ensure you're logging errors securely and not exposing sensitive information to end-users.quick-addition-90714
01/27/2025, 10:26 AMbrief-egg-61061
01/27/2025, 10:26 AMbrief-egg-61061
01/27/2025, 10:26 AMPOST /self-service/login/browser { "identifier": "<mailto:user@example.com|user@example.com>", "password": "incorrect_password" }
2. Registration with Invalid Data: Attempt to register a new user with invalid data, such as an invalid email format or a password that doesn't meet the configured password policy. POST /self-service/registration/browser { "traits": { "email": "not_an_email" }, "password": "short" }
3. Expired Flow: Let a flow (like registration or login) expire by waiting longer than the configured lifespan before submitting the form. You can adjust the lifespan in your configuration to make testing easier: yaml selfservice: flows: login: lifespan: 10s
4. Invalid CSRF Token: Submit a form with an invalid or missing CSRF token. You can do this by modifying the CSRF token in your form before submission. 5. Using Stub Errors: Kratos provides stub errors for testing. As mentioned in the [User-facing errors documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors#using-stub-errors), you can use: curl -s '<https://playground.projects.oryapis.com/self-service/errors?id=stub:500>'
This will return a stub 500 (Internal Server Error) error. 6. Invalid Identity Schema: Temporarily modify your identity schema to include invalid JSON. This will cause Kratos to return an error when trying to process identities. 7. Network Issues: If you're using a separate database, you could temporarily disconnect it to trigger database connection errors. Remember to log these errors appropriately in your application and handle them as you would in a production environment. This will help ensure your error handling and logging mechanisms are working correctly. [Source: User-facing errors in Kratos](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors) Always test in a safe, non-production environment to avoid any impact on real user data or system stability.quick-addition-90714
01/27/2025, 10:37 AMserve:
public:
base_url: <http://localhost:4433/>
selfservice:
default_browser_return_url: <http://localhost:3001/>
allowed_return_urls:
- <http://localhost:3001/>
methods:
password:
enabled: true
flows:
settings:
ui_url: <http://localhost:3001/settings>
verification:
enabled: false
recovery:
enabled: false
logout:
after:
default_browser_return_url: <http://localhost:3001/login>
login:
ui_url: <http://localhost:3001/login>
registration:
enabled: false
error:
ui_url: <http://localhost:3001/error>
log:
level: debug
hashers:
argon2:
parallelism: 1
memory: 128KB
iterations: 2
salt_length: 16
key_length: 16
identity:
schemas:
- id: default
url: file:///etc/config/kratos/identity.schema.json
oauth2_provider:
url: <http://hydra:4445>
with this in my browser:
{
"error": {
"code": 500,
"status": "Internal Server Error",
"message": "named insert: failed to connect to `user=kratos database=kratos`: hostname resolving error: lookup kratos-db on 127.0.0.11:53: no such host"
}
}
at url:
http://localhost:4433/self-service/login/browser?login_challenge=FQEn4uPLLC-gQhR3i-[…]pKthA_-EXsrMniT68ZVeY8zUvZpc2bpOVg7dduNR9kXyHsTBLErXUSCYD-UD9brief-egg-61061
01/27/2025, 10:37 AMbrief-egg-61061
01/27/2025, 10:37 AMyaml flows: error: ui_url: <http://localhost:3001/error>
This should work for most error scenarios that Kratos can handle gracefully. 3. Database Connection Errors: Database connection errors are particularly problematic because they can prevent Kratos from performing many of its normal operations, including error handling and redirects. 4. Debug Mode: You have set the log level to debug, which is good for development and troubleshooting: yaml log: level: debug
This should provide more detailed logs about what's happening when the error occurs. To address this issue and improve error handling, consider the following steps: 1. Implement Frontend Error Handling: Since Kratos is returning a JSON error response, you can handle this on the frontend. Implement error catching in your frontend application to detect these 500 errors and redirect to your error page manually. 2. Use a Reverse Proxy: Implement a reverse proxy (like Nginx) in front of Kratos. Configure it to catch 500 errors and redirect to your error page. 3. Improve Resilience: Ensure your database connection is resilient. Consider implementing connection pooling and retry mechanisms. 4. Monitor Logs: Keep an eye on Kratos logs for more detailed information about what's happening during these errors. 5. Consider Healthchecks: Implement health checks in your deployment to quickly detect and respond to database connection issues. 6. Kratos Issue: This behavior might be considered a limitation in Kratos. You could consider opening an issue on the Ory Kratos GitHub repository to suggest improving error handling for critical errors like database connection failures. Remember, for production environments, it's crucial to have robust error handling at multiple levels - in Kratos configuration, in your frontend application, and potentially at the infrastructure level (like using a reverse proxy). [Source: Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration) If this issue persists and significantly impacts your application, you might want to reach out to the Ory community or support channels for more specific guidance on handling these critical errors in Kratos.quick-addition-90714
01/27/2025, 10:48 AMbrief-egg-61061
01/27/2025, 10:48 AMbrief-egg-61061
01/27/2025, 10:49 AMyaml selfservice: flows: login: lifespan: 10s
Then, initiate a login flow but wait more than 10 seconds before submitting. This should trigger an error flow. 2. Invalid CSRF Token: Submit a form with an invalid or missing CSRF token. You can do this by modifying the CSRF token in your form before submission. 3. Using Stub Errors: Kratos provides stub errors for testing purposes. As mentioned in the [User-facing errors documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors#using-stub-errors), you can use: curl -s '<https://your-kratos-domain/self-service/errors?id=stub:500>'
This will return a stub 500 (Internal Server Error) error, which should trigger the error flow. 4. Invalid Identity Schema: Temporarily modify your identity schema to include invalid JSON. This will cause Kratos to return an error when trying to process identities. 5. Misconfiguration: Intentionally misconfigure a setting in your Kratos configuration file. For example, set an invalid URL for one of the UI endpoints: yaml selfservice: flows: login: ui_url: <http://invalid-url>
6. Network Issues: If possible, temporarily block network access to a required service (like the database) to trigger connection errors. When triggering these errors, Kratos should redirect to the error UI URL you've configured in your settings: yaml flows: error: ui_url: <http://localhost:3001/error>
Remember to test in a safe, non-production environment. Also, make sure your error handling logic in the UI is prepared to receive and display these errors appropriately. [Source: User-facing errors in Kratos](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors)quick-addition-90714
02/02/2025, 10:52 AMbrief-egg-61061
02/02/2025, 10:52 AMbrief-egg-61061
02/02/2025, 10:52 AMsession.cookie.domain
setting: yaml session: cookie: domain: <http://example.com|example.com>
This configuration tells Kratos to set the cookie for the root domain (example.com), which will make the cookie available to all subdomains, including identity.example.com. 2. You might also want to configure the same_site
attribute for better security: yaml session: cookie: domain: <http://example.com|example.com> same_site: Lax
The same_site
attribute helps protect against CSRF attacks. The Lax
value is a good balance between security and usability for most cases. 3. Ensure that your public base URL is set correctly: yaml serve: public: base_url: <http://identity.example.com/>
This configuration allows Kratos to know its own address while still setting cookies for the parent domain. By setting up your configuration this way, Kratos will create cookies for example.com even though it's hosted at identity.example.com. This allows the cookies to be shared across all subdomains of example.com. Remember that for this to work securely in production, you should use HTTPS and set the secure
flag for cookies: yaml session: cookie: domain: <http://example.com|example.com> same_site: Lax secure: true
This setup aligns with the information provided in the [Ory Kratos documentation on configuring cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies), which explains how to set up cookie domains for multi-domain environments. [Source: Ory Kratos - Configuring Cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies) Always test this configuration thoroughly in a non-production environment before deploying to production to ensure it works as expected with your specific setup.quick-addition-90714
02/02/2025, 11:04 AMsession:
lifespan: 24h
cookie:
domain: ${thommie_domain}
same_site: None
secure: true
is this valid for Kratos?quick-addition-90714
02/02/2025, 11:05 AMsession:
lifespan: 24h
cookie:
domain: ${thommie_domain}
same_site: None
secure: true
is this valid for Kratos?brief-egg-61061
02/02/2025, 11:05 AMbrief-egg-61061
02/02/2025, 11:05 AM${thommie_domain}
) is valid and commonly used when the configuration is processed by a system that replaces these variables with actual values (like in a CI/CD pipeline or when using environment variables). 5. `same_site: None`: This is a valid setting for the SameSite attribute of the cookie. Setting it to "None" allows the cookie to be sent in cross-site requests. This is often necessary when your frontend and Kratos are on different domains. 6. `secure: true`: This is correct and highly recommended for production environments. It ensures that the cookie is only sent over HTTPS connections. This configuration is in line with the [Ory Kratos documentation on configuring cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies). The documentation mentions that you can set these attributes for the session cookie, including the domain, SameSite attribute, and secure flag. However, there are a couple of points to consider: 1. When using same_site: None
, it's crucial that secure: true
is also set (which you have done correctly) as modern browsers require this combination. 2. The ${thommie_domain}
variable should be replaced with your actual domain in the runtime environment. Make sure your deployment process handles this variable substitution correctly. 3. Setting same_site: None
can have security implications. Only use this if you absolutely need cross-site cookie sharing, and make sure you understand the potential risks. Remember to test this configuration thoroughly in a non-production environment before deploying to production to ensure it works as expected with your specific setup. [Source: Ory Kratos - Configuring Cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies)quick-addition-90714
02/02/2025, 1:38 PMbrief-egg-61061
02/02/2025, 1:38 PMbrief-egg-61061
02/02/2025, 1:38 PMsecure
property in your Kratos configuration for session cookies. This error suggests that the version of Ory Kratos you're using (v1.3.1) doesn't allow the secure
property to be explicitly set in the configuration file for session cookies. Here's what you can do to resolve this issue: 1. Remove the secure
property from your session cookie configuration. The secure
flag is typically set automatically by Kratos based on whether you're using HTTPS or not. 2. Update your configuration to look something like this: yaml session: cookie: domain: <http://stag.thommie.be|stag.thommie.be> name: ory_kratos_session persistent: true same_site: None
3. If you need to ensure that the cookie is always secure, you should run Kratos with HTTPS. Kratos automatically sets the secure
flag when it detects that it's running over HTTPS. 4. If you're running behind a reverse proxy that terminates SSL, you might need to configure Kratos to trust the proxy's headers. This ensures Kratos knows it's being served over HTTPS even if the connection to the proxy is HTTP. 5. Consider upgrading to a newer version of Kratos if possible, as newer versions might have different configuration options or improved handling of cookie settings. 6. If you absolutely need to set the secure
flag explicitly and can't upgrade, you might need to look into environment variables or command-line flags that could override this setting, if available in your version of Kratos. Remember, the same_site: None
setting requires that the cookie be secure. Kratos should handle this automatically when it detects HTTPS, but you need to ensure your setup correctly communicates the use of HTTPS to Kratos. If you continue to have issues after making these changes, you may want to consult the Ory community forums or documentation specific to your version of Kratos for any version-specific configuration details. [Source: Ory Kratos - Configuring Cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies)