# talk-kratos
h
Hey 👋 I’m probably missing something very obvious, but how can I reset a user’s password (or rather make it unusable for the login purposes) before triggering a recovery flow? Use-case: a user’s password got leaked and we must prevent it from being used for login immediately, without waiting for the user to complete the recovery flow.
@magnificent-energy-493 sorry for tagging you. Maybe you have a thing to suggest? 🥺
m
I don't think it is an obvious question, and feel free to tag me if you don't get a response within 24h 🙂 How do you determine if a user's password gets leaked? Ory has a haveibeenpwned integration for registration. First you probably want to delete all active sessions: https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentitySessions Then you could, for example, delete the password credential that has been leaked: https://www.ory.sh/docs/reference/api#tag/identity/operation/updateIdentity and next trigger a recovery flow so the user can add a new credential (they can't log in again otherwise!). You would have to test this out, but I think this is the way to go.
h
> How do you determine if a user's password gets leaked?
I, as a developer, am not the very best person to answer this question. I guess our InfoSec department would come up with a dozen crazy scenarios. 🙈 In our case we're talking about corporate accounts, so a leak is not necessarily public.
> Then you could for example delete the password credential that has been leaked
> https://www.ory.sh/docs/reference/api#tag/identity/operation/updateIdentity
Tried that yesterday, but it looks like either I'm doing something wrong, or credentials can't be deleted:

```shell
curl -q -H 'Authorization: Bearer '$ORY_PAT $ORY_HTTP_BASE'/admin/identities/a16986bf-dfd0-42a4-a589-b1573dea5dcc' -XPATCH -H 'Content-type: application/json' -d '[{"op":"remove", "path": "/credentials/password"}]' | jq
```

Also tried `[{"op":"remove", "path": "/credentials"}]`, got `patch includes denied path: /credentials`.
m
Can you try the PUT? e.g.

```shell
curl -d "@identity.json" -X PUT https://asd.projects.oryapis.com/admin/identities/1234 \
--header 'Authorization: Bearer ory_pat_asd' \
--header 'Content-Type: application/json'
```
h
Tried PUT with the following modifications:
• without `.credentials.password`
• without `.credentials`
• with `.credentials.password` set to `null`

Kratos did not reset the password. Managed to replace the password with a new cleartext one, e.g. `jq '.credentials.password.config = { password: "random" }'`. Okay, that could work.