#talk-kratos

enough-bear-53057

11/05/2021, 8:58 AM
Hello, I am using Kratos for OpenID Connect login for human users of my application and it works really well! Now I need to enable API authentication for machine users and I wonder if I can do this with Kratos somehow or if I need to integrate another Ory offering such as Hydra? What is the best way forward for this use case?

brainy-plumber-70688

11/05/2021, 8:33 PM
There is no support for machine users in Kratos ATM

sparse-angle-36437

11/06/2021, 7:09 PM
@brainy-plumber-70688 really? I thought the docs indicated otherwise: https://www.ory.sh/kratos/docs/self-service/flows/user-registration#api-clients
(I haven’t tried it myself, but it seems one could create machine users using a server-generated email/password combination)

brainy-plumber-70688

11/06/2021, 7:23 PM
API clients are not machine accounts. An API client is a native app, mobile app, etc.
I.e. not a browser.

sparse-angle-36437

11/06/2021, 7:55 PM
(Sorry, my knowledge of Kratos may be lacking) but is there a reason the API Client flows would not work in a server-to-server scenario?

brainy-plumber-70688

11/06/2021, 8:43 PM
@sparse-angle-36437 you would need your server to perform a login flow with username and password. I think it's a bit weird.

sparse-angle-36437

11/06/2021, 8:53 PM
Correct me if I’m wrong, but the `identifier` for the `password` Credentials can be an email, or anything else (e.g. server ID, robot ID, smartphone IMEI) and the `password` could be a machine-generated value. I’m not certain if Kratos was designed to be used in that way?

brainy-plumber-70688

11/06/2021, 8:55 PM
You are correct. However, generally you give a machine an API key or something. I'm not saying you can't have a user that is actually a machine, I'm saying there is no support for machine accounts specifically.
I.e. with Google Cloud you get a key that you can exchange for an access token when you create a service account.

sparse-angle-36437

11/06/2021, 9:01 PM
Right, so if I understood you correctly, you are saying that the concept of “Service Account” does not exist in Kratos. However, machine authentication is technically possible with Kratos, using the API flows. Is that correct?

brainy-plumber-70688

11/06/2021, 9:12 PM
Yes