hey all, Kratos newbie here. A couple of questions...
# talk-kratos
a
hey all, Kratos newbie here. A couple of questions about identity config:

1. is it possible to have multiple username-type fields on a login form? I'm thinking of having a hidden form field (tenant-id), and kratos would check username + tenant-id + password
2. ...or failing that is there some way we could prefix usernames with some string value (not visible in user facing screens, but prefixed when sending username to kratos api)
3. is it possible to have multiple linked email identities? e.g. if a user has 2 email addresses and can sign in to the same identity with either, and could reset their password with either?

RE: multi-tenancy I know there is a recommendation to run 1 ory instance per tenant... but that feels like overkill for a small user base and means we would have to automate the deployment of an ory node for each new tenant. Ideally just want someone to be able to sign up to multiple tenants with the same email address (but separate identity/passwords)
l
I can only answer for point 3 as we tested it: one identity can have multiple emails, and you can sign in with these different emails for the same identity. I didn't test the recovery flow to know which email receives the recovery link
🙏 1
a
Hey @loud-spoon-23770 I don't suppose you would be able to share part of your JSON identity config?
l
it looked something like this
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "emails": {
          "type": "array",
          "title": "Emails",
          "items": {
            "type": "string",
            "format": "email",
            "minLength": 3,
            "ory.sh/kratos": {
              "credentials": {
                "password": {
                  "identifier": true
                },
                "totp": {
                  "account_name": true
                }
              },
              "verification": {
                "via": "email"
              },
              "recovery": {
                "via": "email"
              }
            }
          }
        }
      },
      "required": [
        "emails"
      ],
      "additionalProperties": false
    }
  }
}
```
a
Thanks so much!
m
1. Should that data be visible/modifiable to the end-user? If not you can use the somewhat new metadata feature for Kratos
2. probably yes, but better as part of the identity config IMO.
3. as pointed out above yes, thanks Dejan!
a
thanks @magnificent-energy-493, metadata sounds good. I think I'm a bit confused about what is an identifier (what I would traditionally think of as a username?). In the example config above, is kratos finding a unique person via the password as the identifier? The reason I didn't think using metadata would fit my use case is because I wanted to find a way for two accounts to have the same email address, kratos would know which identity it was based on the tenant field... so the identity would be a unique combination of email+tenantId
in keycloak terminology I'd think of the tenant being a realm
m
> what is an identifier (what I would traditionally think of as a username?).

Ory Kratos currently supports two kinds of identifiers, `password` and `oidc`. `password` is your (username, email, ...) + password credential combination and `oidc` is some kind of OIDC credential. It's possible to add other identifiers down the line (like biometrics or FIDO2, which you can use as second factor now). In the below example the

```json
"identity": {
    "id": "34ab316c-fef1-4ab2-bb6f-f29992e3d90e",
```

part is the unique identifier for Kratos
```json
{
  "id": "286ba56b-9a80-4bd5-a3ab-bf8c7ecc980c",
  "active": true,
  "expires_at": "2022-07-14T10:42:57.654562Z",
  "authenticated_at": "2022-07-11T10:42:57.654562Z",
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [
    {
      "method": "password",
      "aal": "aal1",
      "completed_at": "2022-07-11T10:42:57.654554495Z"
    }
  ],
  "issued_at": "2022-07-11T10:42:57.654562Z",
  "identity": {
    "id": "34ab316c-fef1-4ab2-bb6f-f29992e3d90e",
    "schema_id": "1590889099b35292ed1dc97f6adfe146f3b99e1510a99992632a8876ba112ce862c12fd362e3b8cf44c4853381128e02209ea4f4502ebe8f6ecb97179f854496",
    "schema_url": "https://crazy-ellis-0i15g80nvt.projects.oryapis.com/schemas/MTU5MDg4OTA5OWIzNTI5MmVkMWRjOTdmNmFkZmUxNDZmM2I5OWUxNTEwYTk5OTkyNjMyYTg4NzZiYTExMmNlODYyYzEyZmQzNjJlM2I4Y2Y0NGM0ODUzMzgxMTI4ZTAyMjA5ZWE0ZjQ1MDJlYmU4ZjZlY2I5NzE3OWY4NTQ0OTY",
    "state": "active",
    "state_changed_at": "2022-06-28T19:24:10.775954Z",
    "traits": {..}
  }
}
```