https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> can I use the native flow in browse...
# ory-copilot
r
@chilly-king-10285 can I use the native flow in browser mode?
b
A message from kapa.ai
No, you should not use the native flow in browser mode. Ory explicitly separates browser and native flows for security reasons. Browser applications must use the 
/self-service/{flow-type}/browser
endpoints, which include additional security measures such as anti-CSRF cookies. Native flows (
/self-service/{flow-type}/api
) are designed for native apps (like mobile or desktop) and do not set CSRF cookies. Using native endpoints in a browser context is considered dangerous, and Ory actively prevents this to protect against security risks such as CSRF attacks [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser) [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration). In summary: Do not use native flows in browser applications. Always use the browser flow endpoints for browser-based apps.
r
@chilly-king-10285 how can I intercept all APIs with my own custom logic before forwarding the request to Ory Kratos
b
A message from kapa.ai
To intercept all API requests and apply your own custom logic before forwarding them to Ory Kratos, you should use a reverse proxy such as Ory Oathkeeper. Oathkeeper acts as a Policy Enforcement Point (PEP) in your architecture, sitting in front of Ory Kratos and your applications. You can define access rules and configure authenticators, authorizers, and mutators to control and modify requests as needed. How to do this: 1. Set up Ory Oathkeeper as a reverse proxy in front of Ory Kratos. All incoming requests will go through Oathkeeper first. 2. Define access rules in Oathkeeper’s configuration (e.g., 
access-rules.yml
). These rules determine which requests are allowed, how they are authenticated, and what happens if they are not authorized. 3. Implement custom logic by: - Using Oathkeeper’s built-in authenticators, authorizers, and mutators. - Optionally, you can extend Oathkeeper with your own custom logic by writing a custom authorizer or mutator, or by using the [web_hook action](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks) in Ory Actions if you are using Ory Network. Example Oathkeeper rule:
Copy code
yaml - id: "ory:kratos:public"   upstream:     preserve_host: true     url: "<http://kratos:4433>"     strip_path: /.ory/kratos/public   match:     url: "<http://127.0.0.1:4455/.ory/kratos/public/<**>>"     methods:       - GET       - POST       - PUT       - DELETE       - PATCH   authenticators:     - handler: noop   authorizer:     handler: allow   mutators:     - handler: noop
You can add your own logic in the authenticator, authorizer, or mutator sections, or by using a webhook to call your own service for additional checks before forwarding the request to Kratos [Introduction to Ory Oathkeeper Zero Trust Proxy](https://www.ory.sh/docs/oathkeeper) [Access Rules](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#access-rules). Summary: Use Ory Oathkeeper as a reverse proxy to intercept and process all API requests before they reach Ory Kratos. Customize the logic using Oathkeeper’s configuration and, if needed, extend with your own code or webhooks.
r
@chilly-king-10285 I have to provide email and username eventhough I just only want phone number to register
b
A message from kapa.ai
You do not have to require both email and username if you only want users to register with a phone number. Ory Kratos allows you to fully customize your identity schema to collect only the fields you want. To enable registration with just a phone number, define your identity schema so that only the 
phone
trait is required and set it as the login identifier. Here’s an example schema for phone number registration:
Copy code
json {   "$id": "<https://example.com/registration.schema.json>",   "$schema": "<http://json-schema.org/draft-07/schema#>",   "title": "Person",   "type": "object",   "properties": {     "traits": {       "type": "object",       "properties": {         "phone": {           "type": "string",           "format": "tel",           "<http://ory.sh/kratos|ory.sh/kratos>": {             "credentials": {               "password": {                 "identifier": true               },               "webauthn": {                 "identifier": true               },               "totp": {                 "account_name": true               },               "code": {                 "identifier": true,                 "via": "sms"               },               "passkey": {                 "display_name": true               }             },             "recovery": {               "via": "sms"             },             "verification": {               "via": "sms"             }           }         }       },       "required": ["phone"]     }   } }
With this schema, only the phone number is required for registration and login. You do not need to include email or username unless you want to collect them for your use case [Phone number and password](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#phone-number-and-password) [Identity schema extensions](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#identity-schema-extensions). If you are seeing email or username fields being required, check your active identity schema and make sure only 
phone
is listed as a required field.
r
@chilly-king-10285 what if I want to have multiple different identity schema?
b
A message from kapa.ai
Yes, you can have multiple different identity schemas in Ory Kratos and Ory Network. This is useful if you have different types of users (e.g., customers, support staff, service accounts) or need to support different data models for various user groups. You define multiple schemas in your configuration, each with a unique 
id
and a URL pointing to the schema file. You also set a 
default_schema_id
for new identities. When creating or updating an identity, you can specify which schema to use by setting the 
schema_id
for that identity. Here’s an example configuration:
Copy code
yaml identity:   default_schema_id: person   schemas:     - id: customer       url: <http://foo.bar.com/customer.schema.json>     - id: person       url: <http://foo.bar.com/person.schema.json>
Ory validates identity traits against the corresponding schema on all create/update operations. This allows you to tailor the identity model for different user types within the same system [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). This approach is also helpful for versioning schemas as your requirements evolve [Identity schema best practices](https://www.ory.sh/docs/kratos/manage-identities/best-practices).
r
@chilly-king-10285 how can i setup multiple identity schema in self hosted ory
b
A message from kapa.ai
To set up multiple identity schemas in self-hosted Ory Kratos, you need to define them in your Kratos configuration file. Each schema gets a unique 
id
and a URL (local file or remote) pointing to the schema definition. You also set a 
default_schema_id
that will be used for new identities unless another is specified. Example configuration:
Copy code
yaml identity:   default_schema_id: person   schemas:     - id: customer       url: file:///path/to/customer.schema.json     - id: person       url: file:///path/to/person.schema.json
- The 
default_schema_id
is used when creating an identity if no specific schema is provided. - When creating or updating an identity via the Admin API, you can specify which schema to use by setting the 
schema_id
for that identity. Ory Kratos will validate the identity traits against the corresponding schema on all create/update operations. This allows you to support different user types or versions within the same system [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). Summary: 1. Define each schema in your configuration under 
identity.schemas
. 2. Set the 
default_schema_id
. 3. Reference the appropriate 
schema_id
when creating or updating identities. This approach is also useful for versioning your schemas as your requirements change [Identity schema best practices](https://www.ory.sh/docs/kratos/manage-identities/best-practices).
r
@chilly-king-10285 if I want to create my own reverse proxy, which endpoint should I call for passwordless register and login
b
A message from kapa.ai
If you are building your own reverse proxy and want to support passwordless registration and login with Ory Kratos, you should forward requests to the appropriate self-service flow endpoints for browser or native clients, depending on your use case. For browser-based flows (recommended for web apps), use: - Registration: 
/self-service/registration/browser
- Login: 
/self-service/login/browser
For native/API flows (for mobile or non-browser clients), use: - Registration: 
/self-service/registration/api
- Login: 
/self-service/login/api
These endpoints initialize the respective flows. The actual passwordless method (such as code via email or SMS, or WebAuthn) is determined by your identity schema and Kratos configuration, not by the endpoint itself [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration) [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser). Important: - For browser apps, always use the 
/browser
endpoints to ensure CSRF protection and proper session handling. - For native apps, use the 
/api
endpoints. If you are using a reverse proxy, you may want to expose these endpoints under your own domain (e.g., 
/auth/self-service/login/browser
) and forward them to Kratos internally [Zero Trust with Access Proxy guide](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy). Summary: - Use 
/self-service/registration/browser
and 
/self-service/login/browser
for browser-based passwordless flows. - Use 
/self-service/registration/api
and 
/self-service/login/api
for native/API passwordless flows.
r
@chilly-king-10285 how can I link the schema json in relative path
b
A message from kapa.ai
You can link your schema JSON using a relative file path in your Ory Kratos configuration by using the 
file://
URL scheme. For example, if your schema file is located relative to your configuration file, you can specify:
Copy code
yaml identity:   default_schema_id: person   schemas:     - id: person       url: file://./schemas/person.schema.json     - id: customer       url: file://./schemas/customer.schema.json
This tells Ory Kratos to load the schema from the specified relative path. The path is resolved relative to the working directory where you start the Kratos service [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). If you are using Ory Network, you typically upload the schema via the Console or encode it as base64, but for self-hosted Kratos, the 
file://
scheme with a relative path is supported.
r
@chilly-king-10285 is this looks right to you?
Copy code
{
  "identity": "emailpassword",
  "default_schema_id": "emailpassword",
  "schemas": [
    {
      "id": "emailpassword",
      "url": "file://./emailpassword.schema.json"
    },
    {
      "id": "phonenumber",
      "url": "file://./phonenumber.schema.json"
    }
  ]
}
b
A message from kapa.ai
Your configuration is almost correct, but there are a couple of points to clarify based on the Ory documentation: 1. Top-level key: The configuration for identity schemas should be under the 
identity
key, not as a string value. Your example uses 
"identity": "emailpassword"
, which is not correct. It should be an object, like this:
Copy code
json {   "identity": {     "default_schema_id": "emailpassword",     "schemas": [       {         "id": "emailpassword",         "url": "file://./emailpassword.schema.json"       },       {         "id": "phonenumber",         "url": "file://./phonenumber.schema.json"       }     ]   } }
2. Relative paths: Using 
file://./emailpassword.schema.json
is correct for referencing a schema in a relative path, as long as the file exists relative to the working directory where Kratos is started [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). 3. Schema structure: The structure of the 
schemas
array and the use of 
default_schema_id
matches the documented approach for supporting multiple schemas [Identity schema best practices](https://www.ory.sh/docs/kratos/manage-identities/best-practices). Summary: - Change 
"identity": "emailpassword"
to an object as shown above. - The rest of your configuration looks correct for setting up multiple identity schemas with relative paths. If you follow this structure, your configuration will be valid according to the Ory documentation.
r
@chilly-king-10285 I’m getting this error Unable to instantiate configuration.
b
A message from kapa.ai
Your error "Unable to instantiate configuration" is likely due to the structure of your configuration file. According to the Ory Kratos documentation and examples, the 
identity
key should be an object containing 
default_schema_id
and 
schemas
, not a string. Your original configuration had:
Copy code
json {   "identity": "emailpassword",   "default_schema_id": "emailpassword",   "schemas": [     ...   ] }
This is incorrect. The correct structure should be:
Copy code
json {   "identity": {     "default_schema_id": "emailpassword",     "schemas": [       {         "id": "emailpassword",         "url": "file://./emailpassword.schema.json"       },       {         "id": "phonenumber",         "url": "file://./phonenumber.schema.json"       }     ]   } }
Make sure your configuration matches this structure. The 
default_schema_id
and 
schemas
must be nested under the 
identity
object, not at the top level. This matches the documented approach for configuring multiple identity schemas in Ory Kratos [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). If you still encounter issues after correcting the structure, double-check that the schema files exist at the specified relative paths and that the JSON syntax is valid. If the problem persists, the knowledge sources do not provide further troubleshooting steps for this specific error.
r
@chilly-king-10285 I changed but still having the same issue
b
A message from kapa.ai
I'm sorry you're still encountering the "Unable to instantiate configuration" error after correcting the structure. Based on the knowledge sources, here are some things to check: 1. Configuration Structure: Ensure your configuration file matches the expected structure, with 
default_schema_id
and 
schemas
nested under the 
identity
key as an object, not as top-level keys [Identity schema best practices](https://www.ory.sh/docs/kratos/manage-identities/best-practices). 2. File Paths: The 
file://./emailpassword.schema.json
and 
file://./phonenumber.schema.json
paths are resolved relative to the working directory where you start Ory Kratos. Make sure these files exist in the correct location [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). 3. JSON Syntax: Double-check that your JSON is valid. Even a small syntax error can cause configuration loading to fail. 4. Kratos Version: The knowledge sources do not specify any breaking changes regarding schema configuration, but if you are using a very recent or older version, ensure compatibility with the documentation. 5. Error Details: If possible, check the full error message or logs for more specific information about what part of the configuration is causing the failure. If you have verified all of the above and the issue persists, the knowledge sources do not provide further troubleshooting steps for this specific error. You may want to consult the [official documentation](https://www.ory.sh/docs/kratos/reference/configuration) or open an issue with your configuration and error details for more targeted help.
r
@chilly-king-10285 the error message i got is allOf failed\n I[#] S[#/allOf/1/required] missing properties
b
A message from kapa.ai
The error message 
allOf failed\n  I[#] S[#/allOf/1/required] missing properties
indicates that your identity schema is missing required properties as defined in the JSON Schema. This typically happens when the schema specifies certain fields as required, but the data or the schema itself does not provide them. What to check: 1. Required Fields in Schema: Make sure your identity schema’s 
required
array matches the properties actually defined in the 
properties
object. For example, if you have:
Copy code
json    "properties": {      "traits": {        "type": "object",        "properties": {          "phone": { ... }        },        "required": ["phone"]      }    }
Then only 
phone
should be required, and it must be present in the 
properties
object. 2. No Extra Required Fields: If your schema’s 
required
array lists fields like 
"email"
or 
"username"
but you only define 
"phone"
, you will get this error. Remove any required fields that are not present in your schema’s 
properties
 [Mandatory fields for registration](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#mandatory-fields-for-registration). 3. Nested Required Fields: For nested objects (like 
name
), the 
required
property must be inside the nested object, not at the top level [Mandatory fields for registration](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#mandatory-fields-for-registration). Example of a correct minimal phone-only schema:
Copy code
json {   "$schema": "<http://json-schema.org/draft-07/schema#>",   "type": "object",   "properties": {     "traits": {       "type": "object",       "properties": {         "phone": {           "type": "string",           "format": "tel"         }       },       "required": ["phone"]     }   } }
Summary: Check your schema’s 
required
fields and ensure every required property is actually defined. If you only want to require a phone number, only list 
"phone"
in the 
required
array and ensure it is present in 
properties
 [Mandatory fields for registration](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#mandatory-fields-for-registration). If you continue to see this error after making these adjustments, please share the relevant part of your schema for further review.
r
@chilly-king-10285 is 
anyof
a valid field
b
A message from kapa.ai
The knowledge sources do not explicitly mention the use of 
anyOf
in identity schemas for Ory Kratos. However, they do reference the use of standard JSON Schema features, and 
anyOf
is a valid keyword in JSON Schema Draft-07, which Ory Kratos uses [JSON schema and JSON paths](https://www.ory.sh/docs/kratos/reference/json-schema-json-paths). If you want to use 
anyOf
, ensure your schema is valid according to JSON Schema Draft-07, but be aware that the Ory documentation does not provide specific examples or guidance for 
anyOf
. If you encounter issues, double-check your schema with a JSON Schema validator and consult the [official JSON Schema documentation](https://json-schema.org/understanding-json-schema/reference/combining.html#anyof). In summary: 
anyOf
is a valid JSON Schema keyword, and Ory Kratos uses JSON Schema Draft-07, but the knowledge sources do not provide explicit examples or guarantees for its use in identity schemas.
r
@chilly-king-10285 does the multi schema correct? do you have reference?
b
A message from kapa.ai
Yes, using multiple identity schemas in Ory Kratos is correct and supported. You define them in your configuration under the 
identity
key, with each schema having a unique 
id
and a 
url
pointing to the schema file. You also set a 
default_schema_id
to specify which schema is used by default for new identities. This approach is documented and recommended for supporting different user types or for schema versioning. Here is a reference example from the documentation:
Copy code
yaml identity:     default_schema_id: person     schemas:       - id: customer         url: <http://foo.bar.com/customer.schema.json>       - id: person         url: <http://foo.bar.com/person.schema.json>
This configuration allows you to assign different schemas to different identities as needed. Ory validates the identity traits against the corresponding schema on all create/update operations [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). This method is also recommended for schema versioning and managing different user groups [Identity schema best practices](https://www.ory.sh/docs/kratos/manage-identities/best-practices).
r
@chilly-king-10285 I’m using it as json
b
A message from kapa.ai
Yes, you can use multiple identity schemas in Ory Kratos with a JSON configuration file. The structure is the same as shown in the YAML example, but written in JSON syntax. Here’s how it should look:
Copy code
json {   "identity": {     "default_schema_id": "person",     "schemas": [       {         "id": "customer",         "url": "file://./customer.schema.json"       },       {         "id": "person",         "url": "file://./person.schema.json"       }     ]   } }
This configuration is correct and supported, as documented in the Ory Kratos documentation. Each schema has a unique 
id
and a 
url
pointing to the schema file. The 
default_schema_id
specifies which schema is used by default for new identities. You can assign a different schema to an identity by specifying the 
schema_id
when creating or updating the identity [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#traits). If you follow this structure, your multi-schema setup in JSON is valid according to the knowledge sources.
Open in Slack
PreviousNext
Powered by