https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> How can I change the Jsonnet for se...
# ory-copilot
q
@chilly-king-10285 How can I change the Jsonnet for sending emails via HTTP?
b
A message from kapa.ai
To change the Jsonnet for sending emails via HTTP in Ory, you can modify the 
body
configuration in the HTTP request settings. Here's how you can do it: 1. Create a custom Jsonnet file with your desired email payload structure. 2. In your Ory Identities configuration, update the 
body
field under the 
courier.http.request_config
section to point to your custom Jsonnet file. Here's an example of how to configure this:
Copy code
yaml courier:   delivery_strategy: http   http:     request_config:       url: <https://mail-sender.example.com>       method: POST       body: file:///path/to/your/custom/mail.template.jsonnet       headers:         Content-Type: application/json       # ... other configuration options
Replace 
/path/to/your/custom/mail.template.jsonnet
with the actual path to your custom Jsonnet file. Your custom Jsonnet file should be a function that takes a 
ctx
object as input and returns the desired payload structure. The 
ctx
object provides access to various email-related data such as recipient, template type, and template data. Here's an example of what your custom Jsonnet might look like:
Copy code
jsonnet function(ctx) {   recipient: ctx.recipient,   template_type: ctx.template_type,   // Add or modify fields as needed   custom_field: "Your custom value",   // Access template data   verification_code: if "template_data" in ctx && "verification_code" in ctx.template_data then ctx.template_data.verification_code else null,   // ... other fields }
Remember to adjust the Jsonnet according to your specific needs and the requirements of your HTTP email service. For more detailed information on HTTP-based email delivery configuration and available variables, you can refer to the [Ory documentation on sending emails using an HTTP server](https://www.ory.sh/docs/kratos/emails-sms/sending-emails-smtp#send-emails-using-an-http-server).
q
@chilly-king-10285 How do I run kratos for both kratos and courier?
b
A message from kapa.ai
To run both Ory Kratos and its mail courier in a self-hosted environment, you have two options depending on your setup: 1. For a single-instance setup: You can run Kratos with the mail courier as a background worker by adding the 
--watch-courier
flag to your 
kratos serve
command. This is suitable for single-instance deployments.
Copy code
kratos serve --watch-courier
2. For a multi-instance setup: If you're running multiple instances of Kratos (e.g., in a replicated Kubernetes deployment), you need to run the mail courier as a separate singleton job. Here's how: a. Run Kratos instances:
Copy code
kratos serve
b. Run the mail courier as a separate job:
Copy code
kratos courier watch
It's important to note that in a multi-instance setup, you should only run one instance of the mail courier to avoid processing the same email multiple times. Make sure to provide the necessary configuration files and templates to all instances (both Kratos and courier) in your multi-instance setup. For more detailed information on running the mail courier in self-hosted Ory Kratos, you can refer to the [Ory documentation on Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted). Remember to configure your SMTP settings and other necessary configurations in your Kratos configuration file before running these commands.
q
@chilly-king-10285 2025-03-09 110754 time=2025-03-09T100754Z level=info msg=started handling request http_request=map[headersmap[accepttext/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9,nl;q=0.8,fr;q=0.7 cache-control:max-age=0 connection:keep-alive content-length:156 content-type:application/x-www-form-urlencoded cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". dnt:1 origin:http://localhost:3002 referer:http://localhost:3002/ sec-ch-ua:"Chromium";v="133", "Not(A:Brand";v="99" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"macOS" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:same-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36] hostlocalhost4433 method:POST path:/self-service/recovery query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote172.18.0.157134 scheme:http] 2025-03-09 110754 time=2025-03-09T100754Z level=debug msg=Preparing recovery code. address=Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". audience=application service_name=Ory Kratos service_version=v1.3.1 via=email 2025-03-09 110754 time=2025-03-09T100754Z level=info msg=Account recovery was requested for an unknown address. audience=audit email_address=Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". service_name=Ory Kratos service_version=v1.3.1 strategy=code via=email was_notified=false 2025-03-09 110754 time=2025-03-09T100754Z level=info msg=completed handling request http_request=map[headersmap[accepttext/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.9,nl;q=0.8,fr;q=0.7 cache-control:max-age=0 connection:keep-alive content-length:156 content-type:application/x-www-form-urlencoded cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". dnt:1 origin:http://localhost:3002 referer:http://localhost:3002/ sec-ch-ua:"Chromium";v="133", "Not(A:Brand";v="99" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"macOS" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:same-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36] hostlocalhost4433 method:POST path:/self-service/recovery query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote172.18.0.157134 scheme:http] http_response=map[headersmap[cache controlprivate, no-cache, no-store, must-revalidate location:http://localhost:3002/recovery?flow=6707a028-1567-4488-9e82-91ebae7fe72a vary:Cookie] size:0 status:303 text_status:See Other took:5.685458ms] 2025-03-09 110754 time=2025-03-09T100754Z level=info msg=started handling request http_request=map[headersmap[accept encodinggzip cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Go-http-client/1.1] hostkratos4433 method:GET path:/self-service/recovery/flows query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote172.18.0.745450 scheme:http] 2025-03-09 110754 time=2025-03-09T100754Z level=info msg=completed handling request http_request=map[headersmap[accept encodinggzip cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Go-http-client/1.1] hostkratos4433 method:GET path:/self-service/recovery/flows query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote172.18.0.745450 scheme:http] http_response=map[headersmap[cache controlprivate, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Cookie] size:1866 status:200 text_status:OK took:2.390708ms] with schema: { "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", "$schema": "http://json-schema.org/draft-07/schema#", "title": "Person", "type": "object", "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "title": "email", "minLength": 6, "ory.sh/kratos": { "credentials": { "password": { "identifier": true } } } } }, "required": ["email"], "additionalProperties": false } } }
b
A message from kapa.ai
Based on the provided log output and schema, it appears that an account recovery process was initiated for an unknown email address in an Ory Kratos system. Let me break down the key points: 1. A recovery request was made to the 
/self-service/recovery
endpoint. 2. The system attempted to prepare a recovery code for the provided email address. 3. The log indicates that the recovery was requested for an unknown address:
Copy code
msg=Account recovery was requested for an unknown address.
4. The system did not send a notification to the unknown address:
Copy code
was_notified=false
5. The recovery flow was created and redirected to:
Copy code
location:<http://localhost:3002/recovery?flow=6707a028-1567-4488-9e82-91ebae7fe72a>
6. The identity schema provided does not include the 
recovery
configuration in the 
<http://ory.sh/kratos|ory.sh/kratos>
section for the email field. Given this information, there are a few important points to note: 1. The system is configured to not notify unknown recipients during recovery attempts. This is a security measure to prevent account enumeration attacks. 2. The identity schema doesn't explicitly enable recovery for the email field. To enable recovery via email, you should add the following to the 
<http://ory.sh/kratos|ory.sh/kratos>
section of the email field in your schema:
Copy code
json    "recovery": {      "via": "email"    }
3. If you want to enable notifications for unknown recipients during recovery attempts, you need to update your Ory Kratos configuration. To address these points, you can: 1. Update your identity schema to enable recovery via email. 2. If desired, enable notifications for unknown recipients in your Ory Kratos configuration. For more information on configuring account recovery and attempted recovery notifications, you can refer to the [Ory documentation on Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address) and [Attempted recovery notifications](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#attempted-recovery-notifications).
q
@chilly-king-10285 How should the whole schema look like?
b
A message from kapa.ai
Based on the information provided in the previous conversation and the knowledge sources, I can suggest how the complete identity schema should look like to enable account recovery via email. Here's an example of the updated schema:
Copy code
json {   "$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",   "$schema": "<http://json-schema.org/draft-07/schema#>",   "title": "Person",   "type": "object",   "properties": {     "traits": {       "type": "object",       "properties": {         "email": {           "type": "string",           "format": "email",           "title": "E-Mail",           "minLength": 6,           "<http://ory.sh/kratos|ory.sh/kratos>": {             "credentials": {               "password": {                 "identifier": true               }             },             "recovery": {               "via": "email"             },             "verification": {               "via": "email"             }           }         }       },       "required": ["email"],       "additionalProperties": false     }   } }
This updated schema includes the following changes: 1. Added the 
recovery
configuration to enable account recovery via email. 2. Added the 
verification
configuration to enable email verification. 3. Changed the 
title
of the email field from "email" to "E-Mail" for consistency with Ory's documentation examples. These additions will allow you to use the email address for account recovery and verification purposes. The 
recovery
and 
verification
configurations are set to use email as the method ("via": "email"). For more detailed information on customizing identity schemas and configuring recovery and verification, you can refer to the following Ory documentation: 1. [Customize identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#examples) 2. [Account recovery address](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address) 3. [Verification address](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#verification-address) Remember to update your Ory Kratos configuration to enable the recovery and verification flows if you haven't already done so.
q
@chilly-king-10285 Create a Golang struct for this jsonnet please: function(ctx) { recipient: ctx.recipient, template_type: ctx.template_type, name: if "template_data" in ctx && "identity" in ctx.template_data && "name" in ctx.template_data.identity then ctx.template_data.identity.name else null, to: if "template_data" in ctx && "to" in ctx.template_data then ctx.template_data.to else null, recovery_code: if "template_data" in ctx && "recovery_code" in ctx.template_data then ctx.template_data.recovery_code else null, recovery_url: if "template_data" in ctx && "recovery_url" in ctx.template_data then ctx.template_data.recovery_url else null, verification_url: if "template_data" in ctx && "verification_url" in ctx.template_data then ctx.template_data.verification_url else null, verification_code: if "template_data" in ctx && "verification_code" in ctx.template_data then ctx.template_data.verification_code else null, } So I can read the body properly
b
A message from kapa.ai
Based on the provided Jsonnet template, I can create a corresponding Golang struct that represents the structure of the data. Here's the Golang struct that matches the Jsonnet output:
Copy code
go type EmailTemplate struct {     Recipient        string  `json:"recipient"`     TemplateType     string  `json:"template_type"`     Name             *string `json:"name,omitempty"`     To               *string `json:"to,omitempty"`     RecoveryCode     *string `json:"recovery_code,omitempty"`     RecoveryURL      *string `json:"recovery_url,omitempty"`     VerificationURL  *string `json:"verification_url,omitempty"`     VerificationCode *string `json:"verification_code,omitempty"` }
This struct definition allows you to properly read and handle the JSON body that would be generated by the Jsonnet template. Here are some key points about this struct: 1. All fields that can potentially be 
null
in the Jsonnet output are represented as pointers (
*string
) in the Go struct. This allows for proper handling of null values when unmarshaling the JSON. 2. The 
json
tags are used to map the JSON keys to the struct fields. 3. The 
omitempty
tag is used for fields that might not always be present in the JSON, which corresponds to the conditional logic in the Jsonnet template. 4. The 
Recipient
and 
TemplateType
fields are non-pointer types because they appear to always be present in the Jsonnet output. To use this struct to read the JSON body, you can use Go's 
encoding/json
package. Here's an example of how you might unmarshal the JSON into this struct:
Copy code
go import "encoding/json"  // Assuming `body` is the []byte containing your JSON data var template EmailTemplate err := json.Unmarshal(body, &template) if err != nil {     // Handle error }  // Now you can access the fields of `template`
This struct and unmarshaling process will allow you to properly handle the JSON output from your Jsonnet template in your Go code. For more information on working with JSON in Go, you can refer to the [Go documentation on JSON and Go](https://golang.org/pkg/encoding/json/).
q
@chilly-king-10285 how do I add a first and last name to an identity schema and how do I make it required. And what happens when I run the migration?
b
A message from kapa.ai
To add a first and last name to an identity schema and make them required, you need to modify your existing schema. Here's how you can do it: 1. Add the first and last name fields to your identity schema:
Copy code
json {   "$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",   "$schema": "<http://json-schema.org/draft-07/schema#>",   "title": "Person",   "type": "object",   "properties": {     "traits": {       "type": "object",       "properties": {         "email": {           "type": "string",           "format": "email",           "title": "E-Mail",           "<http://ory.sh/kratos|ory.sh/kratos>": {             "credentials": {               "password": {                 "identifier": true               }             },             "recovery": {               "via": "email"             },             "verification": {               "via": "email"             }           }         },         "name": {           "type": "object",           "properties": {             "first": {               "type": "string",               "title": "First Name"             },             "last": {               "type": "string",               "title": "Last Name"             }           },           "required": ["first", "last"]         }       },       "required": ["email", "name"],       "additionalProperties": false     }   } }
2. To make the fields required, we've added them to the 
required
array within the 
name
object and added 
name
to the 
required
array of the 
traits
object. When you run the migration after updating the schema, the following will happen: 1. Ory Kratos will update its internal representation of the identity schema. 2. New registrations will require users to provide both first and last names. 3. Existing identities will not be automatically updated with the new fields. They will remain valid but may have missing data for the new fields. To handle existing identities, you have a few options: 1. You can update them manually through the admin API. 2. You can prompt users to update their profiles the next time they log in. 3. You can write a migration script to update existing identities with default values for the new fields. It's important to note that changing the schema to require new fields that didn't exist before can potentially cause issues with existing identities. Therefore, it's recommended to handle this change carefully, especially in a production environment. For more detailed information on customizing identity schemas and handling schema migrations, you can refer to the following Ory documentation: 1. [Customize identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema) 2. [Identity schema best practices](https://www.ory.sh/docs/kratos/manage-identities/best-practices) Remember to test these changes in a non-production environment first to ensure they work as expected with your existing data and workflows.
q
@chilly-king-10285 If I use emails through http API is there a retry mechanism?
b
A message from kapa.ai
Yes, there is a retry mechanism in place when using HTTP API for email delivery in Ory. This retry mechanism applies to both email and SMS delivery. Here are the key points about the retry policy: 1. Default retries: By default, Ory will attempt to deliver a message up to 5 times. This is controlled by the 
message_retries
configuration parameter. 2. Configuration: You can adjust the number of retries in your Ory Kratos configuration file. For example:
Copy code
yaml    courier:      message_retries: 5
3. Abandoned status: If the courier can't deliver the message within the specified number of retries, the message gets the 
Abandoned
status, and the courier stops trying to deliver it. 4. Webhook retries: For webhook deliveries (which could be used in custom integrations), Ory Network implements a retry policy that attempts to deliver the payload up to three times, with a 30-second timeout between each attempt. It's important to note that the retry mechanism is implemented at the Ory Kratos level, not at the HTTP API level. This means that Ory Kratos will handle the retries internally, regardless of whether you're using SMTP or HTTP for email delivery. For more detailed information on the retry mechanism and courier configuration, you can refer to the following Ory documentation: 1. [Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted#error-handling) 2. [Webhook retries](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#webhook-retries) Remember that while Ory provides this retry mechanism, it's also a good practice to monitor your email delivery system and handle any persistent delivery issues at the application level.
q
@chilly-king-10285 But how does Kratos check to retry? Like what status code do I have to return for a failed mail?
b
A message from kapa.ai
To answer your question about how Kratos checks for retries when using HTTP API for email delivery, I'll need to provide some clarification based on the available information. Unfortunately, the knowledge sources provided don't contain specific information about the exact status codes that Kratos uses to determine when to retry HTTP-based email delivery. This level of detail is not explicitly mentioned in the documentation I have access to. However, based on general HTTP practices and the information we do have about Kratos's retry mechanism, we can make some educated assumptions: 1. Typically, HTTP status codes in the 4xx and 5xx range are considered errors that might trigger retries. 2. Common status codes that often trigger retries in HTTP services include: - 500 (Internal Server Error) - 502 (Bad Gateway) - 503 (Service Unavailable) - 504 (Gateway Timeout) 3. Kratos likely considers any non-2xx status code as a failure that would trigger a retry. To get the most accurate and up-to-date information about the specific status codes that Kratos uses to determine retries for HTTP-based email delivery, I would recommend: 1. Checking the latest Ory Kratos documentation for any updates on this topic. 2. Examining the Kratos source code, particularly the parts related to the courier and HTTP email delivery. 3. Reaching out to the Ory community or support channels for definitive answers. If you need precise control over when Kratos retries email delivery, you might want to implement your own email delivery service that Kratos calls via HTTP. This way, you can define the exact behavior and status codes that indicate success or failure. For more information on configuring HTTP-based email delivery in Kratos, you can refer to the [Ory documentation on HTTP based email delivery](https://www.ory.sh/docs/kratos/self-hosted/email-http).
q
@chilly-king-10285 is it normal that in the settings page in the profile group nodes, each label has the same id for first name last name and email?
b
A message from kapa.ai
Yes, it is normal for the profile group nodes in the settings page to have the same label ID for first name, last name, and email fields. Based on the knowledge sources, all trait fields in Ory Kratos use the same message ID (1070002) for their labels. Looking at the UI node examples in the documentation, we can see this pattern consistently:
Copy code
json {   "type": "input",   "group": "profile",   "attributes": {     "name": "traits.email",     "type": "email",     "value": "<mailto:user@example.com|user@example.com>",     "disabled": false   },   "messages": null,   "meta": {     "label": {       "id": 1070002,       "text": "E-Mail",       "type": "info"     }   } }
The same ID (1070002) is used for other profile fields as well:
Copy code
json {   "type": "input",   "group": "profile",   "attributes": {     "name": "traits.name.first",     "type": "text",     "value": "Foo",     "disabled": false   },   "messages": null,   "meta": {     "label": {       "id": 1070002,       "text": "First Name",       "type": "info"     }   } }
According to the [Ory documentation on UI nodes and error messages](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#titles-labels--validation-messages), message IDs follow a pattern where: - 
x
is the message type (1 for info) - 
yy
is the module (07 for verification messages) - 
zzzz
is the specific message ID So 1070002 represents an info message (1) in the verification module (07) with ID 0002. This consistent ID usage is by design and doesn't affect functionality, as the actual display text is provided in the "text" field of each label.
q
@chilly-king-10285 How do I start a courrier only task?
b
A message from kapa.ai
I'll explain how to start a courier-only task in Ory Kratos. To start a courier-only task (which handles email delivery), you can use the 
kratos courier watch
command. This is particularly useful in multi-instance deployments where you want to run the mail courier as a separate singleton process. Here's how to do it:
Copy code
kratos courier watch [flags]
Available flags include: - `--expose-metrics-port int`: The port to expose the metrics endpoint on (not exposed by default) - `-c, --config strings`: Path to one or more configuration files For example, to run the courier with a specific configuration file:
Copy code
kratos courier watch -c path/to/kratos/config.yml
This command starts the mail courier as a standalone process that will process the email queue. It's important to note that in a multi-instance setup, you should only run one instance of the mail courier to avoid processing the same email multiple times. If you're running in a containerized environment like Docker or Kubernetes, you would typically run this as a separate container or pod with the appropriate configuration. For more information on the courier command and its options, you can refer to the [Kratos CLI documentation](https://www.ory.sh/docs/kratos/cli/kratos-courier-watch).
q
@chilly-king-10285 like this then: command = [ "kratos", "courrier", "watch", "-c", "/shared/config.yml" ]
b
A message from kapa.ai
There's a small typo in your command. The correct spelling is "courier" (with one 'r'), not "courrier" (with two 'r's). Here's the corrected command:
Copy code
command = [   "kratos", "courier", "watch", "-c", "/shared/config.yml" ]
This command will start the Ory Kratos mail courier as a standalone process using the configuration file located at 
/shared/config.yml
. The courier will be responsible for processing and sending emails from the message queue. This approach is particularly useful in multi-instance deployments where you want to run the mail courier as a separate singleton process to avoid duplicate email processing. For more information about the courier command and its options, you can refer to the [Kratos courier watch documentation](https://www.ory.sh/docs/kratos/cli/kratos-courier-watch).
q
@chilly-king-10285 why shouldn't I check with account recovery if email in database
b
A message from kapa.ai
Using account recovery to check if an email exists in the database is not recommended because it creates a security vulnerability known as account enumeration. This vulnerability allows attackers to discover valid user accounts in your system. Ory Kratos is specifically designed to protect against account enumeration attacks. When an account recovery is attempted for an unknown email address, Ory Kratos intentionally doesn't reveal whether the email exists or not. Instead, it shows the same success message regardless of whether the email is in the database. As noted in a GitHub issue about this topic: > Account enumeration is a common vulnerability that allows an attacker who has acquired a list of valid usernames, IDs, or email addresses to verify whether or not a user exists in a system. [Configurable Account Enumeration protection in Account Experience](https://github.com/ory/network/issues/229) The logs you shared in a previous conversation actually demonstrate this security feature in action:
Copy code
msg=Account recovery was requested for an unknown address. audience=audit email_address=Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". service_name=Ory Kratos service_version=v1.3.1 strategy=code via=email was_notified=false
This shows that Ory Kratos detected a recovery attempt for an unknown email but didn't reveal this information to the user. If you need to check if an email exists for legitimate purposes, you should use internal admin APIs or database queries that aren't exposed to end users, rather than using the public-facing recovery flow.
q
@chilly-king-10285 does the courier have health checks?
b
A message from kapa.ai
Yes, the courier in Ory Kratos has health checks available. Like other Ory services, Kratos provides standard health check endpoints that can be used to monitor the status of both the main service and the courier. The health check endpoints are: 1. 
/health/alive
- This endpoint returns a HTTP 200 status code when the service is accepting incoming HTTP requests. This is a basic liveness check. 2. 
/health/ready
- This endpoint returns a HTTP 200 status code when the service is up and running and its dependencies (like the database) are responsive as well. This is a more comprehensive readiness check. You can use these endpoints to monitor the health of your courier instance. For example, you could use the 
kratos remote status
command to check the status of a remote Kratos instance, including the courier:
Copy code
kratos remote status --endpoint <http://your-courier-instance:port>
It's worth noting that these health checks will only report on the status of a single instance, not the overall cluster state if you're running multiple instances. For more information on health checks in Ory services, you can refer to the API reference documentation for [Kratos](https://www.ory.sh/docs/kratos/reference/api), [Hydra](https://www.ory.sh/docs/hydra/reference/api), and [Keto](https://www.ory.sh/docs/keto/reference/rest-api), which all follow a similar pattern for health checks.
q
@chilly-king-10285 what kratos config do I need to set to set the URL to which it needs to submit login forms?
b
A message from kapa.ai
To configure the URL to which Ory Kratos submits login forms, you need to set the 
selfservice.flows.login.ui_url
configuration value. This tells Kratos where to redirect users during the login flow. Here's how you can set this in your Kratos configuration file:
Copy code
yaml selfservice:   flows:     login:       ui_url: <http://your-app.com/login>
You can also set this using an environment variable:
Copy code
SELFSERVICE_FLOWS_LOGIN_UI_URL=<http://your-app.com/login>
This configuration is crucial because without it, users will be redirected to Kratos' fallback login UI, which is just a placeholder page that instructs you to set up the proper configuration. When a user initiates a login flow, Kratos will: 1. Create a new login flow 2. Redirect the user to the configured 
ui_url
with a flow ID as a query parameter 3. Your UI application will then fetch the flow details and render the login form 4. The form will be submitted back to Kratos for processing For more information, you can refer to: - [Self-Service User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) - [Kratos Fallback Login UI](https://www.ory.sh/docs/kratos/fallback/login) If you're deploying to production, you might want to check the [Deploy to production guide](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#configure-user-interface) which includes examples of configuring all the UI URLs.
q
It's because my flow action form now goes to: https://ip-10-0-26-50.eu-west-2.compute.internal:4433/self-service/login?flow=65dc8cb2-2bc2-47a7-856a-d0fad65c143d but it should go to my domain name as that is an internal domain name
@chilly-king-10285 It's because my flow action form now goes to: https://ip-10-0-26-50.eu-west-2.compute.internal:4433/self-service/login?flow=65dc8cb2-2bc2-47a7-856a-d0fad65c143d but it should go to my domain name as that is an internal domain name
b
A message from kapa.ai
I understand your issue. The form action URL is using an internal domain name instead of your public domain. This happens because Ory Kratos is generating URLs based on its configuration. To fix this issue, you need to configure the 
serve.public.base_url
setting in your Kratos configuration. This setting determines what base URL Kratos uses when generating URLs for forms and redirects. Here's how to update your configuration:
Copy code
yaml serve:   public:     base_url: <https://your-public-domain.com/>
You can also set this using an environment variable:
Copy code
SERVE_PUBLIC_BASE_URL=<https://your-public-domain.com/>
This configuration is crucial for proper operation when Kratos is running behind a proxy or in environments where the internal hostname differs from the public-facing domain. If you're using custom domains with Ory Network, you'll need to set up a CNAME record for your domain. For self-hosted Kratos, the base_url configuration is sufficient. For more information on configuring base URLs and cookies in multi-domain environments, you can refer to: - [Advanced base URL, CSRF and session cookie settings](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies) - [Configure User Interface](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#configure-user-interface) After updating this configuration, restart your Kratos service for the changes to take effect.
Open in Slack
PreviousNext
Powered by