# Hooks
Hooks execute logic after a flow (login, registration, settings, ...) has completed:
- After login: executed after a successful login.
- After registration: executed after a successful registration:
  - Before persisting: runs before the identity is saved to the database.
  - After persisting: runs after the identity has been saved to the database.
- After settings: executed after the settings were updated successfully:
  - Before persisting: runs before the identity is saved to the database.
  - After persisting: runs after the identity has been saved to the database.
```yaml
selfservice:
  flows:
    login:
      after:
        password:
          - hook: revoke_active_sessions
```
The `revoke_active_sessions` hook deletes all active sessions of that user on successful login:
```yaml
selfservice:
  flows:
    login:
      after:
        <strategy>:
          - hook: revoke_active_sessions
            # this hook has no further configuration options
```
Hooks running after successful user registration are defined per Self-Service Registration Strategy in ORY Kratos' configuration file.
```yaml
selfservice:
  flows:
    registration:
      after:
        oidc:
          - hook: session
        password:
          - hook: session
```
Adding the `session` hook signs the user in immediately once the account has been created. It runs after the identity has been saved to the database.
:::info
Using this hook as part of your post-registration workflow makes your system vulnerable to Account Enumeration Attacks, because a threat agent can distinguish between existing and non-existing accounts by checking whether a `Set-Cookie` header was sent as part of the registration response.
:::
To use this hook, you must first define one or more secrets (more than one to allow secret rotation). You can either use the "default" secrets or the more specific "cookie" secrets. The other required configuration is adding the hook to the registration flow's `after` section:
```yaml
secrets:
  cookie:
    - something-super-secret # The first entry will be used to sign and verify session cookies
    # All other entries will be used to verify session cookies that were signed before "something-super-secret" became
    # the current signing secret.
    - old-session-secret
    - older-session-secret
    - ancient-session-secret
```
```yaml
selfservice:
  flows:
    registration:
      after:
        <strategy>:
          - hook: session
            # this hook has no further configuration options
```
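The rotation rule behind the `secrets.cookie` list (the first entry signs and verifies, every later entry only verifies) is easy to get wrong when you write your own cookie handling around Kratos, so here is an added example that implements exactly that rule. It is illustration code written for this page, not Kratos' own cookie implementation; the `Keyring` type, the `<value>.<base64url(HMAC-SHA256)>` cookie layout, the 16-byte minimum secret length and the session ids are all assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Keyring models the rotation semantics of the secrets.cookie list: the first
// entry signs and verifies, every later entry only verifies. Illustration
// written for this page, not Kratos' own cookie code.
type Keyring struct {
	secrets [][]byte
}

// NewKeyring takes the secrets in the same order as the YAML list.
// The 16-byte minimum is an assumption made for this example.
func NewKeyring(secrets ...string) (*Keyring, error) {
	if len(secrets) == 0 {
		return nil, errors.New("at least one secret is required")
	}
	k := &Keyring{}
	for i, s := range secrets {
		if len(s) < 16 {
			return nil, fmt.Errorf("secret %d is too short (%d bytes)", i, len(s))
		}
		k.secrets = append(k.secrets, []byte(s))
	}
	return k, nil
}

// tag computes HMAC-SHA256(secret, value).
func tag(secret, value []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(value)
	return h.Sum(nil)
}

// Sign produces "<value>.<base64url(HMAC-SHA256)>" using the current (first) secret only.
func (k *Keyring) Sign(value string) string {
	t := tag(k.secrets[0], []byte(value))
	return value + "." + base64.RawURLEncoding.EncodeToString(t)
}

// Verify checks the cookie against the current secret first and then against
// each retired secret, so cookies issued before a rotation keep working until
// that secret is removed from the list. keyIndex tells the caller which entry
// matched: anything above 0 means the cookie carries a retired signature and
// should be re-issued with the current secret.
func (k *Keyring) Verify(cookie string) (value string, keyIndex int, err error) {
	dot := strings.LastIndexByte(cookie, '.')
	if dot < 0 {
		return "", -1, errors.New("malformed cookie: no signature")
	}
	value = cookie[:dot]
	sig, err := base64.RawURLEncoding.DecodeString(cookie[dot+1:])
	if err != nil {
		return "", -1, errors.New("malformed cookie: bad signature encoding")
	}
	for i, s := range k.secrets {
		// hmac.Equal compares in constant time.
		if hmac.Equal(tag(s, []byte(value)), sig) {
			return value, i, nil
		}
	}
	return "", -1, errors.New("signature matches none of the configured secrets")
}

func main() {
	// Constructed scenario: a cookie issued while "old-session-secret" was current ...
	before, _ := NewKeyring("old-session-secret")
	cookie := before.Sign("session-id-123")

	// ... still verifies after "something-super-secret" became the signing secret,
	// but with keyIndex 1, which is the signal to re-issue it.
	after, _ := NewKeyring("something-super-secret", "old-session-secret")
	value, idx, err := after.Verify(cookie)
	fmt.Println(value, idx, err) // session-id-123 1 <nil>

	// ... and fails once "old-session-secret" is dropped from the list.
	dropped, _ := NewKeyring("something-super-secret")
	_, _, err = dropped.Verify(cookie)
	fmt.Println(err)
}
```

The practical consequence for the config above: removing an entry from `secrets.cookie` invalidates every session cookie still signed with it, so retire a secret only after the cookies it signed have expired, and rotate by prepending the new secret rather than replacing the list.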
The behavior depends on the type of registration flow. When the registration flow was started by a browser, this hook sends a `Set-Cookie` HTTP header containing the session cookie, so the user is logged in immediately. When the registration flow was started by an API client (e.g. a mobile app), this hook creates a session and returns both the session token and the session itself in the response body as `application/json`:
```json
{
  "session": {
    "id": "..."
    // ...
  },
  "session_token": "...",
  "identity": {
    "id": "..."
    // ...
  }
}
```
:::info
Because the HTTP reply is written by the hook itself, no hooks after it can be executed: the reply can not be modified further (e.g. the HTTP status code has already been sent as 200 and cannot be changed to 301). You must ensure that the session hook is the last hook in your configuration!
:::
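Two checks a practitioner wants for the "session hook must be last" rule are a config-time check (reject an `after` list where `session` is not the final entry) and a run-time guard (stop the hook chain as soon as a hook has committed the HTTP reply, instead of letting later hooks write into a response whose status line is already gone). The added example below implements both with a minimal hook interface and a `ResponseWriter` wrapper; it is written for this page and is not Kratos' hook runner. The `PostRegistrationHook` interface, the `audit` hook, `ValidateAfterHooks`, `RunPostRegistration`, the cookie name and the JSON body are assumptions made here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// PostRegistrationHook is a simplified stand-in for a post-registration hook.
type PostRegistrationHook interface {
	Name() string
	ExecutePostRegistration(w http.ResponseWriter, r *http.Request) error
}

// committedWriter records whether a hook has already started the HTTP reply.
type committedWriter struct {
	http.ResponseWriter
	committed bool
}

func (c *committedWriter) WriteHeader(code int) {
	c.committed = true
	c.ResponseWriter.WriteHeader(code)
}

func (c *committedWriter) Write(b []byte) (int, error) {
	c.committed = true // an implicit 200 is sent on the first Write
	return c.ResponseWriter.Write(b)
}

// ValidateAfterHooks is the config-time check for one strategy's `after` list:
// "session" may only appear as the last entry.
func ValidateAfterHooks(strategy string, hooks []string) error {
	for i, h := range hooks {
		if h == "session" && i != len(hooks)-1 {
			return fmt.Errorf("registration.after.%s: hook %q at position %d must be last, but is followed by %v",
				strategy, h, i, hooks[i+1:])
		}
	}
	return nil
}

// RunPostRegistration executes hooks in order and refuses to continue once a
// hook has committed the reply, reporting how many hooks were skipped.
func RunPostRegistration(w http.ResponseWriter, r *http.Request, hooks []PostRegistrationHook) error {
	cw := &committedWriter{ResponseWriter: w}
	for i, h := range hooks {
		if err := h.ExecutePostRegistration(cw, r); err != nil {
			return fmt.Errorf("hook %q: %w", h.Name(), err)
		}
		if cw.committed && i != len(hooks)-1 {
			return fmt.Errorf("hook %q already sent the response; %d hook(s) after it were skipped",
				h.Name(), len(hooks)-i-1)
		}
	}
	return nil
}

// sessionHook mimics the session hook: it issues the session cookie and writes
// a 200 JSON body, which commits the response.
type sessionHook struct{}

func (sessionHook) Name() string { return "session" }

func (sessionHook) ExecutePostRegistration(w http.ResponseWriter, r *http.Request) error {
	http.SetCookie(w, &http.Cookie{
		Name: "ory_kratos_session", Value: "constructed-session-token",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	_, err := w.Write([]byte(`{"session":{"id":"..."},"session_token":"...","identity":{"id":"..."}}`))
	return err
}

// auditHook is a hypothetical hook that only records the request path and
// never touches the response, so it is safe anywhere before "session".
type auditHook struct{ seen *[]string }

func (auditHook) Name() string { return "audit" }

func (a auditHook) ExecutePostRegistration(w http.ResponseWriter, r *http.Request) error {
	*a.seen = append(*a.seen, r.URL.Path)
	return nil
}

func main() {
	// Constructed `after` lists, as they would appear under registration.after.password.
	for _, hooks := range [][]string{{"audit", "session"}, {"session", "audit"}} {
		fmt.Printf("%v -> %v\n", hooks, ValidateAfterHooks("password", hooks))
	}

	// Run-time guard on the misordered chain: the audit hook never runs.
	var seen []string
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/self-service/registration", nil)
	err := RunPostRegistration(rec, req, []PostRegistrationHook{sessionHook{}, auditHook{&seen}})
	fmt.Println(rec.Code, rec.Header().Get("Set-Cookie") != "", len(seen), err)
}
```

The config-time check is the one to wire into deployment: it fails fast on a list such as `[session, revoke_active_sessions]`, whereas at run time the misorder only shows up as hooks that silently never execute after the 200 has left the server.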
Hooks running after a successful settings update are defined per Self-Service Settings Strategy in ORY Kratos' configuration file.
```yaml
selfservice:
  flows:
    settings:
      after:
```
No hooks are available for this flow at the moment.