trying to figure out how to propagate traits down ...
# ory-selfhosting
c
Trying to figure out how to propagate traits down from Hydra to Kratos. When I look at the ID_TOKEN I can see the email trait in there, but I can't figure out how to get one out of a custom identity schema I created.
I've been looking this over, https://www.ory.sh/docs/hydra/guides/claims-at-refresh, but it seems like a lot of work for information I've already got set for a given user.
{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              },
              "code": {
                "identifier": true,
                "via": "email"
              },
              "passkey": {
                "display_name": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        },
        "tenant_id": {
          "type": "string",
          "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",
          "title": "Tenant ID",
          "description": "The primary tenant this user belongs to"
        },
        "roles": {
          "type": "array",
          "items": {
            "type": "string",
            "enum": [
              "admin",
              "user",
              "superuser"
            ]
          },
          "title": "Roles",
          "description": "The roles assigned to this user"
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
hydra:
  config:
    serve:
      public:
        port: 4444
      admin:
        port: 4445
    urls:
      self:
        issuer: https://hydra.tunnel.threadr.ai/
      login: https://kratos.tunnel.threadr.ai/login
      consent: https://kratos.tunnel.threadr.ai/consent
      logout: https://kratos.tunnel.threadr.ai/logout
    strategies:
      access_token: jwt
      jwt:
        scope_claim: list
    oauth2:
      expose_internal_errors: true
      allowed_top_level_claims:
        - email
        - tenant_id
      mirror_top_level_claims: true
And this is how I'm getting my access_token and id_token:
echo "https://hydra.tunnel.threadr.ai/oauth2/auth?\
client_id=0a6a0438-3871-4294-8f1c-bc92145cc7e4&\
response_type=code&\
scope=openid+profile+email+tenant_id&\
redirect_uri=https://api.tunnel.threadr.ai/callback&\
state=${STATE}"
https://hydra.tunnel.threadr.ai/oauth2/auth?client_id=0a6a0438-3871-4294-8f1c-bc92145cc7e4&response_type=code&scope=openid+profile+email+tenant_id&redirect_uri=https://api.tunnel.threadr.ai/callback&state=f4372dc01ec903e047ec864e59604d28
curl -X POST https://hydra.tunnel.threadr.ai/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode "grant_type=authorization_code" \
  --data-urlencode "code=${CODE}" \
  --data-urlencode "redirect_uri=https://api.tunnel.threadr.ai/callback" \
  --data-urlencode "client_id=0a6a0438-3871-4294-8f1c-bc92145cc7e4" \
  --data-urlencode "client_secret=f00b4r" \
  --data-urlencode "scope=openid profile email tenant_id"
s
You can set this on the consent UI as well; there you should have the full identity from the session available.
c
Thanks @steep-lamp-91158, will check that out.
That worked, thank you.
@steep-lamp-91158, can I do something similar with metadata_admin? I'm getting TypeScript errors that maybe say I can't:
if (identity.metadata_admin?.tenant_id) {
  session.access_token.tenant_id = identity.metadata_admin.tenant_id
  session.id_token.tenant_id = identity.metadata_admin.tenant_id
}
OK, I figured out the kratos-ui part I think; I'm seeing it in the JWT now. Just need to figure out what to do with Oathkeeper.
OK, straightened everything out 🙂
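Added example, not code from the Ory project or from anyone in this thread: it shows both the consent-UI approach suggested above (copying identity data from the Kratos session into the Hydra token session) and a way to read `tenant_id` out of the untyped `metadata_admin` field without the TypeScript error from the snippet above. The type shapes, the helper names and the assumption that a `roles` scope exists are mine, modelled on the identity schema and Hydra config posted earlier; the real SDK types in `@ory/client` differ.

```typescript
// Added example, not code from the Ory project or from this thread: builds the
// body for Hydra's "accept consent request" call from a Kratos identity, the
// way a custom consent UI would. Type shapes are assumptions modelled on the
// identity schema posted above, not the @ory/client SDK types.

type KratosIdentity = {
  id: string;
  traits: { email?: string; tenant_id?: string; roles?: string[] };
  // Kratos stores admin metadata as free-form JSON; model it as loosely typed.
  metadata_admin?: Record<string, unknown> | null;
};

type ConsentRequest = { challenge: string; requested_scope: string[] };

type AcceptConsentBody = {
  grant_scope: string[];
  remember: boolean;
  remember_for: number;
  session: {
    access_token: Record<string, unknown>;
    id_token: Record<string, unknown>;
  };
};

// Mirrors the enum in the schema above; anything else is dropped, not copied.
const ALLOWED_ROLES = new Set(["admin", "user", "superuser"]);
// Same UUID pattern the schema enforces on traits.tenant_id.
const UUID_RE =
  /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;

// metadata_admin has no schema, so narrow it explicitly before trusting it.
// (Reading `.tenant_id` straight off a loosely typed object is the kind of
// access TypeScript rejects; this helper is the assumed fix, not the SDK's.)
function tenantFromAdminMetadata(
  md: Record<string, unknown> | null | undefined,
): string | undefined {
  if (!md) return undefined;
  const v = md["tenant_id"];
  return typeof v === "string" && UUID_RE.test(v) ? v : undefined;
}

// Copies identity data into token claims, but only for scopes the client was
// granted, so a client that asked for "openid" alone does not learn the
// tenant or the roles of the user.
function buildAcceptConsentBody(
  req: ConsentRequest,
  identity: KratosIdentity,
): AcceptConsentBody {
  const granted = new Set(req.requested_scope);
  const claims: Record<string, unknown> = {};

  if (granted.has("email") && identity.traits.email) {
    claims.email = identity.traits.email;
  }

  if (granted.has("tenant_id")) {
    // Prefer the admin-controlled value; fall back to the trait, re-validated.
    const fromAdmin = tenantFromAdminMetadata(identity.metadata_admin);
    const fromTrait = identity.traits.tenant_id;
    const tenant =
      fromAdmin ?? (fromTrait && UUID_RE.test(fromTrait) ? fromTrait : undefined);
    if (tenant) claims.tenant_id = tenant;
  }

  if (granted.has("roles") && identity.traits.roles) {
    claims.roles = identity.traits.roles.filter((r) => ALLOWED_ROLES.has(r));
  }

  return {
    grant_scope: Array.from(granted),
    remember: false,
    remember_for: 0,
    // Hydra nests access_token session values under the "ext" claim unless the
    // key is listed in oauth2.allowed_top_level_claims, as in the config above.
    session: { access_token: { ...claims }, id_token: { ...claims } },
  };
}

// Constructed sample input (not real identifiers).
const sampleConsentRequest: ConsentRequest = {
  challenge: "constructed-consent-challenge",
  requested_scope: ["openid", "email", "tenant_id"],
};

const sampleIdentity: KratosIdentity = {
  id: "constructed-identity-id",
  traits: {
    email: "user@example.com",
    tenant_id: "11111111-2222-3333-4444-555555555555",
    roles: ["user", "root"], // "root" is not in the schema enum and is dropped
  },
  metadata_admin: { tenant_id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" },
};

console.log(JSON.stringify(buildAcceptConsentBody(sampleConsentRequest, sampleIdentity), null, 2));
```

The returned object is what the consent handler would pass to Hydra's admin "accept consent request" endpoint after the user accepts. Two points worth keeping even if you restructure this: gate each claim on the granted scope rather than copying every trait, and validate anything taken from `metadata_admin` against the same rules the schema enforces on traits, since Kratos does not validate admin metadata for you.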