Is there a flow that creates a session from a sess...
# ory-selfhosting
r
Is there a flow that creates a session from a session? My use case is that I have a web app and a CLI app, and when the user is logged into the web app, I'd like them to be logged into the CLI as well (without greater hiccups) and possibly the other way around? 😄
b
Unfortunately not, as that has the potential to be abused by attackers. We recommend OAuth2 for these situations. The CLI would be an OAuth2 client, and the user is prompted to re-login in the browser, completing the OAuth2 flow via redirects and a local webserver started by the CLI app. The other way would be very difficult, as you'd need to add a session to the browser.
r
@bland-eye-99092 so I'd set up something like Hydra — configure "myself" then to be an OpenID provider in Kratos? Or what are you thinking? Right now I have a CLI flow where I start a native login flow, then render available providers or "direct" (aka username/password). But I was just wondering if there is an easier way to do this when the user is logged in already.
b
The other way around, Hydra can use Kratos as the identity provider. A little bit mind-bending and definitely easier to set up in Ory Network, as the wiring is done for you. If you just want to stick to Kratos, you could also use the "API" (or "native") variants of the self-service flows to receive a session token that can be used to call `toSession` to verify the user's authentication status. But it requires prompting the user for their credentials in the CLI, and Google/Apple/etc. via OIDC won't work.
r
I am using a native flow with OIDC (opening a browser window, then callback server), it works (nicely, if I may add)?
b
Ah, that's good to hear. Glad it works! 🙂