Apologies for resurrecting this thread but we are in the same boat here. The way that different organizations handle authentication is often different and custom requirements drive orgs to build their own IAM stacks or lay out huge stacks of cash on profees. The webhook integrations with before/after hooks could be similarly implemented with a plugin... perhaps preRequest and postResponse, meaning we can make custom changes prior to sending the request and after the response is received. Plugins would need to have the ability to manipulate the headers, session and other response objects for this to work. One example which I brought up here is the need for risk-based decisions during the authentication and recovery flows. To describe this use case in more detail, at the time of submitting some credentials, i.e. username and password, after the response is received from Kratos the plugin would check to see if the authentication was successful and depending on that would make an API call to a risk engine which would calculate if MFA is required based on many factors including things like geofencing, IP address, device details, etc. It is true that it is hard to be sure plugins are secure, but that level of flexibility is needed for more widespread adoption of Kratos. The alternative could be that people choose not to use Kratos or (gasp) run an internal fork. Maybe that is OK and that is the direction for the product but it will prevent adoption in many cases.

OK let's run with that idea a little. Do you think running the plugin in webassembly would suffice? (I'm looking at https://github.com/bytecodealliance/wasmtime-go). Where all should these plugins be applied? What's the API?

With regards to MFA flexibility, I think solving the problem without a plugin is the right approach... I've started a little discussion on that here but there is a lot more to discuss. But that wasn't the original point of this thread... I'm still getting my skis under me with regards to the Ory stack and only code in Go intermittently so I'm going to have to spend some time digging in to propose something more thorough. Let me think and research some.