# talk-kratos
@User / @User is there any way to query if a certain user trait already exists within Kratos? What we want is this: a conditional that can tell us IF or IF NOT a given email already exists as a registered user, without the user needing to enter their password. We could do this by querying the database directly, but we would prefer to use the Kratos API where possible. We need this to support a flow where the user first enters their email address, and then we decide the proper redirect flow based on whether or not the user’s email exists, or if they need to login using an external SSO provider. This mimics an Auth0 supported sign-in flow. Please see the attached flowchart for a clearer understanding. CC @User (from my team)
@User thanks for the response! Unfortunately I don’t think it would. The problem with `adminGetIdentity` is that we need to know the user’s `{id}` to run the query. In this case, we only know a certain trait of the user (their email). We would need to be able to retrieve the `{id}` using this trait. Theoretically, this could be done with a SQL call directly to the ORY Kratos database, which would parse the database for traits where the email `===` a certain value (for instance, bob@example.com). However, I think this must be possible through ORY Kratos, but I just don’t have the API exposed to do it. This is because right now, when a user logs in or creates a new account, ORY Kratos needs to check that:

1. The user email does not exist, which will allow the user to create a new account with that email, or
2. The user email does exist, in which case the user needs a matching password to be able to log in.

Obviously Kratos is somehow checking this data in the backend, but we don’t have an API endpoint to run the same query. It would be really simple in theory, something like (pseudocode) `SELECT userobject FROM kratosdb WHERE email = 'bob@example.com'`. The only potential problem with exposing this endpoint is username/email enumeration. But I would contend that ORY Kratos users should be able to decide whether or not to solve this problem themselves! In fact, as mentioned in the Kratos documentation:

> If you wish to mitigate account enumeration attacks, it’s important to note that you can’t sign in users directly after sign up! Depending on the type of service you provide, you might not care about this specific attack in which case direct login after sign up would be ok.

https://www.ory.sh/docs/kratos/concepts/security#account-enumeration-attacks

For our service, we will need to sign users up right after they sign up. Maybe we can get an API endpoint that exposes this option?
Hi there, great observation! We have a PR for this, so it is work in progress: https://github.com/ory/kratos/pull/2442
Awesome! Thanks for the input @User 🙂. Let me know if there is anything we/I can do to help out with that PR… On another note –– does the ORY team offer any kind of consulting? We would be glad to pay for your time to get input/help with a few small issues.
@User will be able to answer that. We are focusing our efforts on the Ory Cloud product and definitely have capacity to help out with some questions if you’re consuming Ory Kratos from there 🙂
👍 1
👍 We have been using ORY Cloud for all of our development and testing. Unfortunately, some of our requirements necessitate that we self-host our data (we deal with sensitive personal information), but we would love to support the ORY project however possible. @User please let me know how we can get in touch!