# talk-kratos
q
Hi! I'm currently in the process of checking out the API endpoints of Kratos, and noticed the `/schemas` endpoint is open to the public, yet it doesn't even exist for the admin API. Since I want to use Kratos for customer authentication, as well as employee authentication and partner authentication, I would like to "obfuscate" the available identity schemas. People with access to the public Kratos API shouldn't be able to see what kind of internal schemas we use. Why is it even public, yet not available under the admin API? I'm a bit confused here, since I'm not really all too versed in IAM. Are schemas supposed to be public to everybody? Is security through obfuscation not a thing in IAM? (Not telling the world what kind of authentication structure your company has should be the default, shouldn't it?) Would be great if somebody could explain the reasoning to me here 🙂
h
If it's available at admin it's also available at public :) Just call the right endpoint! What is your threat model where having the schemas available would be problematic? For your public users, they can figure it out themselves by e.g. going to the settings flow. I do understand the question with internal users though, at the same time, the schema just says what fields your users have
q
Ight thanks! Yeah, maybe security through obfuscation is not the best way to go; it's normally regarded as an anti-pattern anyway 🙂 Yet I am currently trying to call the admin API, and the `/schemas` endpoint does not seem to exist; it resolves as a 404 page not found. I'm also 99.95% sure I'm calling the right endpoint (`<ip-address>:<port>/schemas`) on the admin API. Other admin endpoints such as `/identities` also work fine. I could post a log entry if you wish. The next step for me would be to look into the source code. FWIW, here's the curl command that I use:

`curl localhost:8090/schemas | json_pp`

Maybe you see something wrong with it? Did I overlook something in the documentation? Note: I'm proxy-forwarding the admin service from a K8s cluster. One can also reproduce it by bootstrapping the quickstart deployment and running `curl 0.0.0.0:4434/schemas`, so it seems that `/schemas` may be somehow disabled for the admin API?
```
➜  ~ curl 0.0.0.0:4433/schemas
[{"id":"default","schema":{"$id":"https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json","$schema":"http://json-schema.org/draft-07/schema#","title":"Person","type":"object","properties":{"traits":{"type":"object","properties":{"email":{"type":"string","format":"email","title":"E-Mail","minLength":3,"ory.sh/kratos":{"credentials":{"password":{"identifier":true}},"verification":{"via":"email"},"recovery":{"via":"email"}}},"name":{"type":"object","properties":{"first":{"title":"First Name","type":"string"},"last":{"title":"Last Name","type":"string"}}}},"required":["email"],"additionalProperties":false}}}}]

➜  ~ curl 0.0.0.0:4434/schemas
404 page not found
```
Querying `127.0.0.1:4433/schemas/default` does result in a redirect to the public endpoint `127.0.0.1:4434/schemas/default` (note the port changed). So it seems the `/schemas` endpoint is not redirecting to the public endpoint?

Ok, so apparently the `/schemas/{id}` endpoint is checking for a 404 status code on line 2293 in api_v0alpha2.go, while `/schemas` is not. I'm not really familiar with the repo, so I don't really have a deep understanding as to what's really missing. If that's unexpected behavior, I can open up an issue and see if I can create a PR.
h
Just call the public endpoint from your backend! It's not available at admin. Admin contains only privileged routes, and schemas is not one of them.
So you're right it's not available at admin but it shouldn't be a problem because you can call public from your backend :)
q
Got it! Just a bit interesting that `/schemas/{id}` warrants a redirect to the public endpoint, while `/schemas` does not :)
h
Ah yeah, that's probably a bug! Can you open a PR or issue for it please? :)
q
will do!