https://www.ory.sh/ logo
#talk-kratos
Title
# talk-kratos
w

worried-photographer-43513

11/04/2021, 12:38 AM
Hi guys. I’m trying to understand the backend flows for verifying an Ory Kratos session token that is coming from a mobile app. What Ory API endpoint(s) would I use to validate that the session token is valid, and to get the details of the user/identity that is associated with that session token (e.g. their name and email address)? This is for the purpose of having a REST API endpoint in my own backend which should only be accessible to authenticated users. From reading the docs, this seems like something that would be done using one of the Admin APIs and the request would be authenticated using an Ory Personal Access Token? Although I haven’t been able to identify the specific endpoint(s) that I would use for this task. Note that we’re using Ory Cloud for this project.
b

brainy-plumber-70688

11/04/2021, 3:06 AM
nah, there is
/whoami
endpoint
/sessions/whoami
hit while session cookie is set and you will get entity in return
w

worried-photographer-43513

11/04/2021, 4:14 AM
@brainy-plumber-70688 thanks for the response. Can that flow be used in a context where cookies are not involved? The frontend will be a mobile app that talks to the Ory APIs, so it will not be dealing with cookies. The frontend will get an Ory session token and send that in a header for requests it makes to our own backend. Then our backend needs to be able to grab that session token and somehow validate it with Ory and get the details of the user. What I was hoping/expecting is there’s some Ory endpoint that lets me pass the session token as a parameter and get back the relevant information from Ory. Side note in case it’s relevant - this is a project where we’re using Ory Cloud.
s

steep-lamp-91158

11/04/2021, 11:03 AM
yes the docs specific for cloud are not really there yet, but the API is the same as the open source kratos, so have a look there https://www.ory.sh/kratos/docs/reference/api#operation/toSession
w

worried-photographer-43513

11/04/2021, 9:22 PM
Thanks @steep-lamp-91158, that looks like what I need, I’ll give that a try 🙂
b

brainy-plumber-70688

11/06/2021, 5:22 AM
@steep-lamp-91158 docs seem to be wrong: validation only happens on cookie.
Just tried on latest 0.8 docker image.
s

steep-lamp-91158

11/06/2021, 11:39 AM
Please open an issue then with a detailed bug report
w

worried-photographer-43513

11/08/2021, 9:38 AM
@brainy-plumber-70688 I was testing with the Ory playground API and I did find that I could check/validate a session token by passing it in the
X-Session-Token
header to a request to https://playground.projects.oryapis.com/api/kratos/public/sessions/whoami Are you saying that you had a different result?
b

brainy-plumber-70688

11/08/2021, 6:49 PM
@worried-photographer-43513 correct. I need to do some more investigation, later because it is possible that rust's client is wrong (goes directly to kratos) and my proxy is messing with headers (that what i use for curl)
👍 1
3 Views