Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Next question from me I'm afraid. Every step forward seems to reveal another hurdle.

Is there any sane way to check a password against Kratos' password policy, other than by the user trying to change it via the browser flow? Neither the admin endpoints nor the migration hook appear to do so.

I want to:
• verify the robustness of users' passwords as part of our migration rather than bringing over any weak/compromised ones;
• also potentially to do so occasionally in future for users logging in to hopefully pick up on recently compromised ones;
• apply the same standards to passwords set through our admin UI as to those set by the user themself.