diff --git a/docs/docs/guides/zero-trust-iap-proxy-identity-access-proxy.mdx b/docs/docs/guides/zero-trust-iap-proxy-identity-access-proxy.mdx index 2e0297531d5..643fb33b81d 100644 --- a/docs/docs/guides/zero-trust-iap-proxy-identity-access-proxy.mdx +++ b/docs/docs/guides/zero-trust-iap-proxy-identity-access-proxy.mdx @@ -40,7 +40,7 @@ Clone the Ory Kratos repository and fetch the latest images: ```shell script git clone https://github.com/ory/kratos.git cd kratos -git checkout +git checkout v0.8.0-alpha.3 ``` diff --git a/docs/docs/install.md b/docs/docs/install.md index 806c90cf4b1..5ce0577418c 100644 --- a/docs/docs/install.md +++ b/docs/docs/install.md @@ -11,7 +11,7 @@ binaries, Docker images, and support various package managers. We recommend using Docker to run Ory Kratos: ```shell -$ docker pull oryd/kratos: +$ docker pull oryd/kratos:v0.8.0-alpha.3 $ docker run --rm -it oryd/kratos help ``` @@ -33,7 +33,7 @@ On linux, you can use `bash <(curl ...)` to fetch the latest stable binary using: ```shell -$ bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -d -b . kratos +$ bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -d -b . kratos v0.8.0-alpha.3 $ ./kratos help ``` diff --git a/docs/docs/quickstart.mdx b/docs/docs/quickstart.mdx index f3a6fecf6a4..29cdc576e3d 100644 --- a/docs/docs/quickstart.mdx +++ b/docs/docs/quickstart.mdx @@ -126,7 +126,7 @@ Let's clone Ory Kratos and run `docker-compose`: ```shell script git clone https://github.com/ory/kratos.git cd kratos -git checkout +git checkout v0.8.0-alpha.3 docker-compose -f quickstart.yml -f quickstart-standalone.yml up --build --force-recreate # If you have SELinux, run: diff --git a/docs/versioned_docs/version-v/.gitkeep b/docs/versioned_docs/version-v/.gitkeep deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/docs/versioned_docs/version-v/.static/api.json b/docs/versioned_docs/version-v/.static/api.json deleted file mode 100755 index 7128637d171..00000000000 --- a/docs/versioned_docs/version-v/.static/api.json +++ /dev/null @@ -1,4064 +0,0 @@ -{ - "components": { - "responses": { - "emptyResponse": { - "description": "Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is typically 201." - } - }, - "schemas": { - "AdminUpdateIdentityBody": { - "properties": { - "schema_id": { - "description": "SchemaID is the ID of the JSON Schema to be used for validating the identity's traits. If set\nwill update the Identity's SchemaID.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/identityState" - }, - "traits": { - "description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_id`.", - "type": "object" - } - }, - "required": ["traits", "state"], - "type": "object" - }, - "Duration": { - "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", - "format": "int64", - "type": "integer" - }, - "ID": { - "format": "int64", - "type": "integer" - }, - "JSONRawMessage": { - "title": "JSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger.", - "type": "object" - }, - "RecoveryAddress": { - "properties": { - "created_at": { - "description": "CreatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "updated_at": { - "description": "UpdatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "value": { - "type": "string" - }, - "via": { - "$ref": "#/components/schemas/RecoveryAddressType" - } - }, - "required": ["id", "value", "via"], - "type": "object" - }, - "RecoveryAddressType": { - "type": "string" - }, - "UUID": { - "format": "uuid4", - "type": "string" - }, - "adminCreateIdentityBody": { - "properties": { - "schema_id": { - "description": "SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/identityState" - }, - "traits": { - "description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_url`.", - "type": "object" - } - }, - "required": ["schema_id", "traits"], - "type": "object" - }, - "adminCreateSelfServiceRecoveryLinkBody": { - "properties": { - "expires_in": { - "description": "Link Expires In\n\nThe recovery link will expire at that point in time. Defaults to the configuration value of\n`selfservice.flows.recovery.request_lifespan`.", - "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", - "type": "string" - }, - "identity_id": { - "$ref": "#/components/schemas/UUID" - } - }, - "required": ["identity_id"], - "type": "object" - }, - "authenticatorAssuranceLevel": { - "description": "The authenticator assurance level can be one of \"aal1\", \"aal2\", or \"aal3\". A higher number means that it is harder\nfor an attacker to compromise the account.\n\nGenerally, \"aal1\" implies that one authentication factor was used while AAL2 implies that two factors (e.g.\npassword + TOTP) have been used.\n\nTo learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials", - "enum": ["aal0", "aal1", "aal2", "aal3"], - "title": "Authenticator Assurance Level (AAL)", - "type": "string" - }, - "errorAuthenticatorAssuranceLevelNotSatisfied": { - "properties": { - "code": { - "description": "The status code", - "example": 404, - "format": "int64", - "type": "integer" - }, - "debug": { - "description": "Debug information\n\nThis field is often not exposed to protect against leaking\nsensitive information.", - "example": "SQL field \"foo\" is not a bool.", - "type": "string" - }, - "details": { - "additionalProperties": true, - "description": "Further error details", - "type": "object" - }, - "id": { - "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", - "type": "string" - }, - "message": { - "description": "Error message\n\nThe error's message.", - "example": "The resource could not be found", - "type": "string" - }, - "reason": { - "description": "A human-readable reason for the error", - "example": "User with ID 1234 does not exist.", - "type": "string" - }, - "redirect_browser_to": { - "type": "string" - }, - "request": { - "description": "The request ID\n\nThe request ID is often exposed internally in order to trace\nerrors across service architectures. This is often a UUID.", - "example": "d7ef54b1-ec15-46e6-bccb-524b82c035e6", - "type": "string" - }, - "status": { - "description": "The status description", - "example": "Not Found", - "type": "string" - } - }, - "required": ["message"], - "title": "ErrAALNotSatisfied is returned when an active session was found but the requested AAL is not satisfied.", - "type": "object" - }, - "genericError": { - "properties": { - "code": { - "description": "The status code", - "example": 404, - "format": "int64", - "type": "integer" - }, - "debug": { - "description": "Debug information\n\nThis field is often not exposed to protect against leaking\nsensitive information.", - "example": "SQL field \"foo\" is not a bool.", - "type": "string" - }, - "details": { - "additionalProperties": false, - "description": "Further error details", - "type": "object" - }, - "id": { - "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", - "type": "string" - }, - "message": { - "description": "Error message\n\nThe error's message.", - "example": "The resource could not be found", - "type": "string" - }, - "reason": { - "description": "A human-readable reason for the error", - "example": "User with ID 1234 does not exist.", - "type": "string" - }, - "request": { - "description": "The request ID\n\nThe request ID is often exposed internally in order to trace\nerrors across service architectures. This is often a UUID.", - "example": "d7ef54b1-ec15-46e6-bccb-524b82c035e6", - "type": "string" - }, - "status": { - "description": "The status description", - "example": "Not Found", - "type": "string" - } - }, - "required": ["message"], - "type": "object" - }, - "healthNotReadyStatus": { - "properties": { - "errors": { - "additionalProperties": { - "type": "string" - }, - "description": "Errors contains a list of errors that caused the not ready status.", - "type": "object" - } - }, - "type": "object" - }, - "healthStatus": { - "properties": { - "status": { - "description": "Status always contains \"ok\".", - "type": "string" - } - }, - "type": "object" - }, - "identity": { - "description": "An identity can be a real human, a service, an IoT device - everything that\ncan be described as an \"actor\" in a system.", - "properties": { - "created_at": { - "description": "CreatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "credentials": { - "additionalProperties": { - "$ref": "#/components/schemas/identityCredentials" - }, - "description": "Credentials represents all credentials that can be used for authenticating this identity.", - "type": "object" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "recovery_addresses": { - "description": "RecoveryAddresses contains all the addresses that can be used to recover an identity.", - "items": { - "$ref": "#/components/schemas/RecoveryAddress" - }, - "type": "array", - "x-omitempty": true - }, - "schema_id": { - "description": "SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.", - "type": "string" - }, - "schema_url": { - "description": "SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.\n\nformat: url", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/identityState" - }, - "state_changed_at": { - "$ref": "#/components/schemas/nullTime" - }, - "traits": { - "$ref": "#/components/schemas/identityTraits" - }, - "updated_at": { - "description": "UpdatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "verifiable_addresses": { - "description": "VerifiableAddresses contains all the addresses that can be verified by the user.", - "items": { - "$ref": "#/components/schemas/verifiableIdentityAddress" - }, - "type": "array", - "x-omitempty": true - } - }, - "required": ["id", "schema_id", "schema_url", "traits"], - "title": "Identity represents an Ory Kratos identity", - "type": "object" - }, - "identityCredentials": { - "description": "Credentials represents a specific credential type", - "properties": { - "config": { - "$ref": "#/components/schemas/JSONRawMessage" - }, - "created_at": { - "description": "CreatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "identifiers": { - "description": "Identifiers represents a list of unique identifiers this credential type matches.", - "items": { - "type": "string" - }, - "type": "array" - }, - "type": { - "$ref": "#/components/schemas/identityCredentialsType" - }, - "updated_at": { - "description": "UpdatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - } - }, - "type": "object" - }, - "identityCredentialsType": { - "description": "and so on.", - "enum": ["password", "totp", "oidc"], - "title": "CredentialsType represents several different credential types, like password credentials, passwordless credentials,", - "type": "string" - }, - "identityList": { - "items": { - "$ref": "#/components/schemas/identity" - }, - "title": "A list of identities.", - "type": "array" - }, - "identitySchema": { - "properties": { - "id": { - "description": "The ID of the Identity JSON Schema", - "type": "string" - }, - "schema": { - "description": "The actual Identity JSON Schema", - "type": "object" - } - }, - "type": "object" - }, - "identitySchemas": { - "description": "Raw identity Schema list", - "items": { - "$ref": "#/components/schemas/identitySchema" - }, - "type": "array" - }, - "identityState": { - "description": "The state can either be `active` or `inactive`.", - "enum": ["active", "inactive"], - "title": "An Identity's State", - "type": "string" - }, - "identityTraits": { - "description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_url`." - }, - "identityVerifiableAddressStatus": { - "description": "VerifiableAddressStatus must not exceed 16 characters as that is the limitation in the SQL Schema", - "type": "string" - }, - "identityVerifiableAddressType": { - "description": "VerifiableAddressType must not exceed 16 characters as that is the limitation in the SQL Schema", - "type": "string" - }, - "jsonError": { - "description": "The standard Ory JSON API error format.", - "properties": { - "error": { - "$ref": "#/components/schemas/genericError" - } - }, - "required": ["error"], - "title": "JSON API Error Response", - "type": "object" - }, - "jsonSchema": { - "description": "Raw JSON Schema", - "type": "object" - }, - "needsPrivilegedSessionError": { - "properties": { - "code": { - "description": "The status code", - "example": 404, - "format": "int64", - "type": "integer" - }, - "debug": { - "description": "Debug information\n\nThis field is often not exposed to protect against leaking\nsensitive information.", - "example": "SQL field \"foo\" is not a bool.", - "type": "string" - }, - "details": { - "additionalProperties": true, - "description": "Further error details", - "type": "object" - }, - "id": { - "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", - "type": "string" - }, - "message": { - "description": "Error message\n\nThe error's message.", - "example": "The resource could not be found", - "type": "string" - }, - "reason": { - "description": "A human-readable reason for the error", - "example": "User with ID 1234 does not exist.", - "type": "string" - }, - "redirect_browser_to": { - "description": "Points to where to redirect the user to next.", - "type": "string" - }, - "request": { - "description": "The request ID\n\nThe request ID is often exposed internally in order to trace\nerrors across service architectures. This is often a UUID.", - "example": "d7ef54b1-ec15-46e6-bccb-524b82c035e6", - "type": "string" - }, - "status": { - "description": "The status description", - "example": "Not Found", - "type": "string" - } - }, - "required": ["message", "redirect_browser_to"], - "title": "Is sent when a privileged session is required to perform the settings update.", - "type": "object" - }, - "nullTime": { - "format": "date-time", - "title": "NullTime implements sql.NullTime functionality.", - "type": "string" - }, - "selfServiceBrowserLocationChangeRequiredError": { - "properties": { - "code": { - "description": "The status code", - "example": 404, - "format": "int64", - "type": "integer" - }, - "debug": { - "description": "Debug information\n\nThis field is often not exposed to protect against leaking\nsensitive information.", - "example": "SQL field \"foo\" is not a bool.", - "type": "string" - }, - "details": { - "additionalProperties": true, - "description": "Further error details", - "type": "object" - }, - "id": { - "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", - "type": "string" - }, - "message": { - "description": "Error message\n\nThe error's message.", - "example": "The resource could not be found", - "type": "string" - }, - "reason": { - "description": "A human-readable reason for the error", - "example": "User with ID 1234 does not exist.", - "type": "string" - }, - "redirect_browser_to": { - "description": "Since when the flow has expired", - "type": "string" - }, - "request": { - "description": "The request ID\n\nThe request ID is often exposed internally in order to trace\nerrors across service architectures. This is often a UUID.", - "example": "d7ef54b1-ec15-46e6-bccb-524b82c035e6", - "type": "string" - }, - "status": { - "description": "The status description", - "example": "Not Found", - "type": "string" - } - }, - "required": ["message"], - "title": "Is sent when a flow requires a browser to change its location.", - "type": "object" - }, - "selfServiceError": { - "properties": { - "created_at": { - "description": "CreatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "error": { - "type": "object" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "updated_at": { - "description": "UpdatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - } - }, - "required": ["id"], - "type": "object" - }, - "selfServiceFlowExpiredError": { - "description": "Is sent when a flow is expired", - "properties": { - "code": { - "description": "The status code", - "example": 404, - "format": "int64", - "type": "integer" - }, - "debug": { - "description": "Debug information\n\nThis field is often not exposed to protect against leaking\nsensitive information.", - "example": "SQL field \"foo\" is not a bool.", - "type": "string" - }, - "details": { - "additionalProperties": true, - "description": "Further error details", - "type": "object" - }, - "id": { - "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", - "type": "string" - }, - "message": { - "description": "Error message\n\nThe error's message.", - "example": "The resource could not be found", - "type": "string" - }, - "reason": { - "description": "A human-readable reason for the error", - "example": "User with ID 1234 does not exist.", - "type": "string" - }, - "request": { - "description": "The request ID\n\nThe request ID is often exposed internally in order to trace\nerrors across service architectures. This is often a UUID.", - "example": "d7ef54b1-ec15-46e6-bccb-524b82c035e6", - "type": "string" - }, - "since": { - "$ref": "#/components/schemas/Duration" - }, - "status": { - "description": "The status description", - "example": "Not Found", - "type": "string" - }, - "use_flow_id": { - "$ref": "#/components/schemas/UUID" - } - }, - "required": ["message"], - "type": "object" - }, - "selfServiceFlowType": { - "description": "The flow type can either be `api` or `browser`.", - "title": "Type is the flow type.", - "type": "string" - }, - "selfServiceLoginFlow": { - "description": "This object represents a login flow. A login flow is initiated at the \"Initiate Login API / Browser Flow\"\nendpoint by a client.\n\nOnce a login flow is completed successfully, a session cookie or session token will be issued.", - "properties": { - "active": { - "$ref": "#/components/schemas/identityCredentialsType" - }, - "created_at": { - "description": "CreatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,\na new flow has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the flow started.", - "format": "date-time", - "type": "string" - }, - "refresh": { - "description": "Refresh stores whether this login flow should enforce re-authentication.", - "type": "boolean" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "requested_aal": { - "$ref": "#/components/schemas/authenticatorAssuranceLevel" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - }, - "updated_at": { - "description": "UpdatedAt is a helper struct field for gobuffalo.pop.", - "format": "date-time", - "type": "string" - } - }, - "required": [ - "id", - "type", - "expires_at", - "issued_at", - "request_url", - "ui" - ], - "title": "Login Flow", - "type": "object" - }, - "selfServiceLogoutUrl": { - "properties": { - "logout_token": { - "description": "LogoutToken can be used to perform logout using AJAX.", - "type": "string" - }, - "logout_url": { - "description": "LogoutURL can be opened in a browser to sign the user out.\n\nformat: uri", - "type": "string" - } - }, - "required": ["logout_url", "logout_token"], - "type": "object" - }, - "selfServiceRecoveryFlow": { - "description": "This request is used when an identity wants to recover their account.\n\nWe recommend reading the [Account Recovery Documentation](../self-service/flows/password-reset-account-recovery)", - "properties": { - "active": { - "description": "Active, if set, contains the registration method that is being used. It is initially\nnot set.", - "type": "string" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the request expires. If the user still wishes to update the setting,\na new request has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the request occurred.", - "format": "date-time", - "type": "string" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/selfServiceRecoveryFlowState" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - } - }, - "required": [ - "id", - "expires_at", - "issued_at", - "request_url", - "ui", - "state" - ], - "title": "A Recovery Flow", - "type": "object" - }, - "selfServiceRecoveryFlowState": { - "description": "The state represents the state of the recovery flow.\n\nchoose_method: ask the user to choose a method (e.g. recover account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the recovery challenge was passed.", - "enum": ["choose_method", "sent_email", "passed_challenge"], - "title": "Recovery Flow State", - "type": "string" - }, - "selfServiceRecoveryLink": { - "properties": { - "expires_at": { - "description": "Recovery Link Expires At\n\nThe timestamp when the recovery link expires.", - "format": "date-time", - "type": "string" - }, - "recovery_link": { - "description": "Recovery Link\n\nThis link can be used to recover the account.", - "type": "string" - } - }, - "required": ["recovery_link"], - "type": "object" - }, - "selfServiceRegistrationFlow": { - "properties": { - "active": { - "$ref": "#/components/schemas/identityCredentialsType" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,\na new flow has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the flow occurred.", - "format": "date-time", - "type": "string" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - } - }, - "required": ["id", "expires_at", "issued_at", "request_url", "ui"], - "type": "object" - }, - "selfServiceSettingsFlow": { - "description": "This flow is used when an identity wants to update settings\n(e.g. profile data, passwords, ...) in a selfservice manner.\n\nWe recommend reading the [User Settings Documentation](../self-service/flows/user-settings)", - "properties": { - "active": { - "description": "Active, if set, contains the registration method that is being used. It is initially\nnot set.", - "type": "string" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to update the setting,\na new flow has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "identity": { - "$ref": "#/components/schemas/identity" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the flow occurred.", - "format": "date-time", - "type": "string" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/selfServiceSettingsFlowState" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - } - }, - "required": [ - "id", - "expires_at", - "issued_at", - "request_url", - "ui", - "identity", - "state" - ], - "title": "Flow represents a Settings Flow", - "type": "object" - }, - "selfServiceSettingsFlowState": { - "description": "show_form: No user data has been collected, or it is invalid, and thus the form should be shown.\nsuccess: Indicates that the settings flow has been updated successfully with the provided data.\nDone will stay true when repeatedly checking. If set to true, done will revert back to false only\nwhen a flow with invalid (e.g. \"please use a valid phone number\") data was sent.", - "enum": ["show_form", "success"], - "title": "State represents the state of this flow. It knows two states:", - "type": "string" - }, - "selfServiceVerificationFlow": { - "description": "Used to verify an out-of-band communication\nchannel such as an email address or a phone number.\n\nFor more information head over to: https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation", - "properties": { - "active": { - "description": "Active, if set, contains the registration method that is being used. It is initially\nnot set.", - "type": "string" - }, - "expires_at": { - "description": "ExpiresAt is the time (UTC) when the request expires. If the user still wishes to verify the address,\na new request has to be initiated.", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "issued_at": { - "description": "IssuedAt is the time (UTC) when the request occurred.", - "format": "date-time", - "type": "string" - }, - "request_url": { - "description": "RequestURL is the initial URL that was requested from Ory Kratos. It can be used\nto forward information contained in the URL's path or query for example.", - "type": "string" - }, - "return_to": { - "description": "ReturnTo contains the requested return_to URL.", - "type": "string" - }, - "state": { - "$ref": "#/components/schemas/selfServiceVerificationFlowState" - }, - "type": { - "$ref": "#/components/schemas/selfServiceFlowType" - }, - "ui": { - "$ref": "#/components/schemas/uiContainer" - } - }, - "required": ["id", "type", "ui", "state"], - "title": "A Verification Flow", - "type": "object" - }, - "selfServiceVerificationFlowState": { - "description": "The state represents the state of the verification flow.\n\nchoose_method: ask the user to choose a method (e.g. recover account via email)\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the recovery challenge was passed.", - "enum": ["choose_method", "sent_email", "passed_challenge"], - "title": "Verification Flow State", - "type": "string" - }, - "session": { - "description": "A Session", - "properties": { - "active": { - "description": "Active state. If false the session is no longer active.", - "type": "boolean" - }, - "authenticated_at": { - "description": "The Session Authentication Timestamp\n\nWhen this session was authenticated at. If multi-factor authentication was used this\nis the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).", - "format": "date-time", - "type": "string" - }, - "authentication_methods": { - "$ref": "#/components/schemas/sessionAuthenticationMethods" - }, - "authenticator_assurance_level": { - "$ref": "#/components/schemas/authenticatorAssuranceLevel" - }, - "expires_at": { - "description": "The Session Expiry\n\nWhen this session expires at.", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "identity": { - "$ref": "#/components/schemas/identity" - }, - "issued_at": { - "description": "The Session Issuance Timestamp\n\nWhen this session was issued at. Usually equal or close to `authenticated_at`.", - "format": "date-time", - "type": "string" - } - }, - "required": ["id", "identity"], - "type": "object" - }, - "sessionAuthenticationMethod": { - "description": "A singular authenticator used during authentication / login.", - "properties": { - "completed_at": { - "description": "When the authentication challenge was completed.", - "format": "date-time", - "type": "string" - }, - "method": { - "enum": ["link_recovery", "password", "totp", "oidc", "webauthn"], - "title": "The method used", - "type": "string" - } - }, - "title": "AuthenticationMethod identifies an authentication method", - "type": "object" - }, - "sessionAuthenticationMethods": { - "description": "A list of authenticators which were used to authenticate the session.", - "items": { - "$ref": "#/components/schemas/sessionAuthenticationMethod" - }, - "title": "List of (Used) AuthenticationMethods", - "type": "array" - }, - "sessionDevice": { - "properties": { - "user_agent": { - "description": "UserAgent of this device", - "type": "string" - } - }, - "type": "object" - }, - "settingsProfileFormConfig": { - "properties": { - "action": { - "description": "Action should be used as the form action URL `\u003cform action=\"{{ .Action }}\" method=\"post\"\u003e`.", - "type": "string" - }, - "messages": { - "$ref": "#/components/schemas/uiTexts" - }, - "method": { - "description": "Method is the form method (e.g. POST)", - "type": "string" - }, - "nodes": { - "$ref": "#/components/schemas/uiNodes" - } - }, - "required": ["action", "method", "nodes"], - "type": "object" - }, - "submitSelfServiceLoginFlowBody": { - "discriminator": { - "mapping": { - "oidc": "#/components/schemas/submitSelfServiceLoginFlowWithOidcMethodBody", - "password": "#/components/schemas/submitSelfServiceLoginFlowWithPasswordMethodBody", - "totp": "#/components/schemas/submitSelfServiceLoginFlowWithTotpMethodBody" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/submitSelfServiceLoginFlowWithPasswordMethodBody" - }, - { - "$ref": "#/components/schemas/submitSelfServiceLoginFlowWithOidcMethodBody" - }, - { - "$ref": "#/components/schemas/submitSelfServiceLoginFlowWithTotpMethodBody" - } - ] - }, - "submitSelfServiceLoginFlowWithLookupSecretMethodBody": { - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "lookup_secret": { - "description": "The lookup secret.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"lookup_secret\" when logging in using the lookup_secret strategy.", - "type": "string" - } - }, - "required": ["method", "lookup_secret"], - "title": "submitSelfServiceLoginFlowWithLookupSecretMethodBody is used to decode the login form payload.", - "type": "object" - }, - "submitSelfServiceLoginFlowWithOidcMethodBody": { - "description": "SubmitSelfServiceLoginFlowWithOidcMethodBody is used to decode the login form payload\nwhen using the oidc method.", - "properties": { - "csrf_token": { - "description": "The CSRF Token", - "type": "string" - }, - "method": { - "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", - "type": "string" - }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, - "traits": { - "description": "The identity traits. This is a placeholder for the registration flow.", - "type": "object" - } - }, - "required": ["provider", "method"], - "type": "object" - }, - "submitSelfServiceLoginFlowWithPasswordMethodBody": { - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"password\" when logging in using the identifier and password strategy.", - "type": "string" - }, - "password": { - "description": "The user's password.", - "type": "string" - }, - "password_identifier": { - "description": "Identifier is the email or username of the user trying to log in.", - "type": "string" - } - }, - "required": ["method", "password", "password_identifier"], - "title": "submitSelfServiceLoginFlowWithPasswordMethodBody is used to decode the login form payload.", - "type": "object" - }, - "submitSelfServiceLoginFlowWithTotpMethodBody": { - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"totp\" when logging in using the TOTP strategy.", - "type": "string" - }, - "totp_code": { - "description": "The TOTP code.", - "type": "string" - } - }, - "required": ["method", "totp_code"], - "title": "submitSelfServiceLoginFlowWithTotpMethodBody is used to decode the login form payload.", - "type": "object" - }, - "submitSelfServiceLoginFlowWithWebAuthnMethodBody": { - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "method": { - "description": "Method should be set to \"webAuthn\" when logging in using the WebAuthn strategy.", - "type": "string" - }, - "webauthn_login": { - "description": "Login a WebAuthn Security Key\n\nThis must contain the ID of the WebAuthN connection.", - "type": "string" - } - }, - "required": ["method"], - "title": "submitSelfServiceLoginFlowWithWebAuthnMethodBody is used to decode the login form payload.", - "type": "object" - }, - "submitSelfServiceLogoutFlowWithoutBrowserBody": { - "description": "nolint:deadcode,unused", - "properties": { - "session_token": { - "description": "The Session Token\n\nInvalidate this session token.", - "type": "string" - } - }, - "required": ["session_token"], - "type": "object" - }, - "submitSelfServiceRecoveryFlowBody": { - "discriminator": { - "mapping": { - "link": "#/components/schemas/submitSelfServiceRecoveryFlowWithLinkMethodBody" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/submitSelfServiceRecoveryFlowWithLinkMethodBody" - } - ] - }, - "submitSelfServiceRecoveryFlowWithLinkMethodBody": { - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "email": { - "description": "Email to Recover\n\nNeeds to be set when initiating the flow. If the email is a registered\nrecovery email, a recovery link will be sent. If the email is not known,\na email with details on what happened will be sent instead.\n\nformat: email", - "type": "string" - }, - "method": { - "description": "Method supports `link` only right now.", - "type": "string" - } - }, - "required": ["email", "method"], - "type": "object" - }, - "submitSelfServiceRegistrationFlowBody": { - "discriminator": { - "mapping": { - "oidc": "#/components/schemas/submitSelfServiceRegistrationFlowWithOidcMethodBody", - "password": "#/components/schemas/submitSelfServiceRegistrationFlowWithPasswordMethodBody" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/submitSelfServiceRegistrationFlowWithPasswordMethodBody" - }, - { - "$ref": "#/components/schemas/submitSelfServiceRegistrationFlowWithOidcMethodBody" - } - ] - }, - "submitSelfServiceRegistrationFlowWithOidcMethodBody": { - "description": "SubmitSelfServiceRegistrationFlowWithOidcMethodBody is used to decode the registration form payload\nwhen using the oidc method.", - "properties": { - "csrf_token": { - "description": "The CSRF Token", - "type": "string" - }, - "method": { - "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", - "type": "string" - }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, - "traits": { - "description": "The identity traits", - "type": "object" - } - }, - "required": ["provider", "method"], - "type": "object" - }, - "submitSelfServiceRegistrationFlowWithPasswordMethodBody": { - "description": "SubmitSelfServiceRegistrationFlowWithPasswordMethodBody is used to decode the registration form payload\nwhen using the password method.", - "properties": { - "csrf_token": { - "description": "The CSRF Token", - "type": "string" - }, - "method": { - "description": "Method to use\n\nThis field must be set to `password` when using the password method.", - "type": "string" - }, - "password": { - "description": "Password to sign the user up with", - "type": "string" - }, - "traits": { - "description": "The identity's traits", - "type": "object" - } - }, - "required": ["password", "traits", "method"], - "type": "object" - }, - "submitSelfServiceSettingsFlowBody": { - "discriminator": { - "mapping": { - "oidc": "#/components/schemas/submitSelfServiceSettingsFlowWithOidcMethodBody", - "password": "#/components/schemas/submitSelfServiceSettingsFlowWithPasswordMethodBody", - "profile": "#/components/schemas/submitSelfServiceSettingsFlowWithProfileMethodBody", - "totp": "#/components/schemas/submitSelfServiceSettingsFlowWithTotpMethodBody" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/submitSelfServiceSettingsFlowWithPasswordMethodBody" - }, - { - "$ref": "#/components/schemas/submitSelfServiceSettingsFlowWithProfileMethodBody" - }, - { - "$ref": "#/components/schemas/submitSelfServiceSettingsFlowWithOidcMethodBody" - }, - { - "$ref": "#/components/schemas/submitSelfServiceSettingsFlowWithOidcMethodBody" - }, - { - "$ref": "#/components/schemas/submitSelfServiceSettingsFlowWithTotpMethodBody" - } - ] - }, - "submitSelfServiceSettingsFlowWithLookupMethodBody": { - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "lookup_secret_confirm": { - "description": "If set to true will save the regenerated lookup secrets", - "type": "boolean" - }, - "lookup_secret_disable": { - "description": "Disables this method if true.", - "type": "boolean" - }, - "lookup_secret_regenerate": { - "description": "If set to true will regenerate the lookup secrets", - "type": "boolean" - }, - "lookup_secret_reveal": { - "description": "If set to true will reveal the lookup secrets", - "type": "boolean" - }, - "method": { - "description": "Method\n\nShould be set to \"lookup\" when trying to add, update, or remove a lookup pairing.", - "type": "string" - } - }, - "required": ["method"], - "type": "object" - }, - "submitSelfServiceSettingsFlowWithOidcMethodBody": { - "description": "nolint:deadcode,unused", - "properties": { - "flow": { - "description": "Flow ID is the flow's ID.\n\nin: query", - "type": "string" - }, - "link": { - "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to profile when trying to update a profile.", - "type": "string" - }, - "traits": { - "description": "The identity's traits\n\nin: body", - "type": "object" - }, - "unlink": { - "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", - "type": "string" - } - }, - "required": ["method"], - "type": "object" - }, - "submitSelfServiceSettingsFlowWithPasswordMethodBody": { - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to password when trying to update a password.", - "type": "string" - }, - "password": { - "description": "Password is the updated password", - "type": "string" - } - }, - "required": ["password", "method"], - "type": "object" - }, - "submitSelfServiceSettingsFlowWithProfileMethodBody": { - "description": "nolint:deadcode,unused", - "properties": { - "csrf_token": { - "description": "The Anti-CSRF Token\n\nThis token is only required when performing browser flows.", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to profile when trying to update a profile.", - "type": "string" - }, - "traits": { - "description": "Traits contains all of the identity's traits.", - "type": "object" - } - }, - "required": ["traits", "method"], - "type": "object" - }, - "submitSelfServiceSettingsFlowWithTotpMethodBody": { - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to \"totp\" when trying to add, update, or remove a totp pairing.", - "type": "string" - }, - "totp_code": { - "description": "ValidationTOTP must contain a valid TOTP based on the", - "type": "string" - }, - "totp_unlink": { - "description": "UnlinkTOTP if true will remove the TOTP pairing,\neffectively removing the credential. This can be used\nto set up a new TOTP device.", - "type": "boolean" - } - }, - "required": ["method"], - "type": "object" - }, - "submitSelfServiceSettingsFlowWithWebAuthnMethodBody": { - "properties": { - "csrf_token": { - "description": "CSRFToken is the anti-CSRF token", - "type": "string" - }, - "method": { - "description": "Method\n\nShould be set to \"webauthn\" when trying to add, update, or remove a webAuthn pairing.", - "type": "string" - }, - "webauthn_register": { - "description": "Register a WebAuthn Security Key\n\nIt is expected that the JSON returned by the WebAuthn registration process\nis included here.", - "type": "string" - }, - "webauthn_register_displayname": { - "description": "Name of the WebAuthn Security Key to be Added\n\nA human-readable name for the security key which will be added.", - "type": "string" - }, - "webauthn_remove": { - "description": "Remove a WebAuthn Security Key\n\nThis must contain the ID of the WebAuthN connection.", - "type": "string" - } - }, - "required": ["method"], - "type": "object" - }, - "submitSelfServiceVerificationFlowBody": { - "description": "nolint:deadcode,unused", - "discriminator": { - "mapping": { - "link": "#/components/schemas/submitSelfServiceVerificationFlowWithLinkMethodBody" - }, - "propertyName": "method" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/submitSelfServiceVerificationFlowWithLinkMethodBody" - } - ] - }, - "submitSelfServiceVerificationFlowWithLinkMethodBody": { - "properties": { - "csrf_token": { - "description": "Sending the anti-csrf token is only required for browser login flows.", - "type": "string" - }, - "email": { - "description": "Email to Verify\n\nNeeds to be set when initiating the flow. If the email is a registered\nverification email, a verification link will be sent. If the email is not known,\na email with details on what happened will be sent instead.\n\nformat: email", - "type": "string" - }, - "method": { - "description": "Method supports `link` only right now.", - "type": "string" - } - }, - "required": ["email", "method"], - "type": "object" - }, - "successfulSelfServiceLoginWithoutBrowser": { - "description": "The Response for Login Flows via API", - "properties": { - "session": { - "$ref": "#/components/schemas/session" - }, - "session_token": { - "description": "The Session Token\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", - "type": "string" - } - }, - "required": ["session"], - "type": "object" - }, - "successfulSelfServiceRegistrationWithoutBrowser": { - "description": "The Response for Registration Flows via API", - "properties": { - "identity": { - "$ref": "#/components/schemas/identity" - }, - "session": { - "$ref": "#/components/schemas/session" - }, - "session_token": { - "description": "The Session Token\n\nThis field is only set when the session hook is configured as a post-registration hook.\n\nA session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization\nHeader:\n\nAuthorization: bearer ${session-token}\n\nThe session token is only issued for API flows, not for Browser flows!", - "type": "string" - } - }, - "required": ["identity"], - "type": "object" - }, - "uiContainer": { - "description": "Container represents a HTML Form. The container can work with both HTTP Form and JSON requests", - "properties": { - "action": { - "description": "Action should be used as the form action URL `\u003cform action=\"{{ .Action }}\" method=\"post\"\u003e`.", - "type": "string" - }, - "messages": { - "$ref": "#/components/schemas/uiTexts" - }, - "method": { - "description": "Method is the form method (e.g. POST)", - "type": "string" - }, - "nodes": { - "$ref": "#/components/schemas/uiNodes" - } - }, - "required": ["action", "method", "nodes"], - "type": "object" - }, - "uiNode": { - "description": "Nodes are represented as HTML elements or their native UI equivalents. For example,\na node can be an `\u003cimg\u003e` tag, or an `\u003cinput element\u003e` but also `some plain text`.", - "properties": { - "attributes": { - "$ref": "#/components/schemas/uiNodeAttributes" - }, - "group": { - "$ref": "#/components/schemas/uiNodeGroup" - }, - "messages": { - "$ref": "#/components/schemas/uiTexts" - }, - "meta": { - "$ref": "#/components/schemas/uiNodeMeta" - }, - "type": { - "$ref": "#/components/schemas/uiNodeType" - } - }, - "required": ["type", "group", "attributes", "messages", "meta"], - "title": "Node represents a flow's nodes", - "type": "object" - }, - "uiNodeAnchorAttributes": { - "properties": { - "href": { - "description": "The link's href (destination) URL.\n\nformat: uri", - "type": "string" - }, - "id": { - "description": "A unique identifier", - "type": "string" - }, - "node_type": { - "$ref": "#/components/schemas/uiNodeType" - }, - "title": { - "$ref": "#/components/schemas/uiText" - } - }, - "required": ["href", "title", "id", "node_type"], - "title": "AnchorAttributes represents the attributes of an anchor node.", - "type": "object" - }, - "uiNodeAttributes": { - "discriminator": { - "mapping": { - "anchor": "#/components/schemas/uiNodeAnchorAttributes", - "image": "#/components/schemas/uiNodeImageAttributes", - "input": "#/components/schemas/uiNodeInputAttributes", - "script": "#/components/schemas/uiNodeScriptAttributes", - "text": "#/components/schemas/uiNodeTextAttributes" - }, - "propertyName": "node_type" - }, - "oneOf": [ - { - "$ref": "#/components/schemas/uiNodeInputAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeTextAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeImageAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeAnchorAttributes" - }, - { - "$ref": "#/components/schemas/uiNodeScriptAttributes" - } - ], - "title": "Attributes represents a list of attributes (e.g. `href=\"foo\"` for links)." - }, - "uiNodeGroup": { - "type": "string" - }, - "uiNodeImageAttributes": { - "properties": { - "height": { - "description": "Height of the image", - "format": "int64", - "type": "integer" - }, - "id": { - "description": "A unique identifier", - "type": "string" - }, - "node_type": { - "$ref": "#/components/schemas/uiNodeType" - }, - "src": { - "description": "The image's source URL.\n\nformat: uri", - "type": "string" - }, - "width": { - "description": "Width of the image", - "format": "int64", - "type": "integer" - } - }, - "required": ["src", "id", "node_type"], - "title": "ImageAttributes represents the attributes of an image node.", - "type": "object" - }, - "uiNodeInputAttributeType": { - "type": "string" - }, - "uiNodeInputAttributes": { - "description": "InputAttributes represents the attributes of an input node", - "properties": { - "disabled": { - "description": "Sets the input's disabled field to true or false.", - "type": "boolean" - }, - "label": { - "$ref": "#/components/schemas/uiText" - }, - "name": { - "description": "The input's element name.", - "type": "string" - }, - "node_type": { - "$ref": "#/components/schemas/uiNodeType" - }, - "onclick": { - "description": "OnClick may contain javascript which should be executed on click. This is primarily\nused for WebAuthn.", - "type": "string" - }, - "pattern": { - "description": "The input's pattern.", - "type": "string" - }, - "required": { - "description": "Mark this input field as required.", - "type": "boolean" - }, - "type": { - "$ref": "#/components/schemas/uiNodeInputAttributeType" - }, - "value": { - "description": "The input's value.", - "nullable": true - } - }, - "required": ["name", "type", "disabled", "node_type"], - "type": "object" - }, - "uiNodeMeta": { - "description": "This might include a label and other information that can optionally\nbe used to render UIs.", - "properties": { - "label": { - "$ref": "#/components/schemas/uiText" - } - }, - "title": "A Node's Meta Information", - "type": "object" - }, - "uiNodeScriptAttributes": { - "properties": { - "async": { - "description": "The script async type", - "type": "boolean" - }, - "crossorigin": { - "description": "The script cross origin policy", - "type": "string" - }, - "id": { - "description": "A unique identifier", - "type": "string" - }, - "integrity": { - "description": "The script's integrity hash", - "type": "string" - }, - "node_type": { - "$ref": "#/components/schemas/uiNodeType" - }, - "referrerpolicy": { - "description": "The script referrer policy", - "type": "string" - }, - "src": { - "description": "The script source", - "type": "string" - }, - "type": { - "description": "The script MIME type", - "type": "string" - } - }, - "required": [ - "src", - "async", - "referrerpolicy", - "crossorigin", - "integrity", - "type", - "id", - "node_type" - ], - "title": "ScriptAttributes represent script nodes which load javascript.", - "type": "object" - }, - "uiNodeTextAttributes": { - "properties": { - "id": { - "description": "A unique identifier", - "type": "string" - }, - "node_type": { - "$ref": "#/components/schemas/uiNodeType" - }, - "text": { - "$ref": "#/components/schemas/uiText" - } - }, - "required": ["text", "id", "node_type"], - "title": "TextAttributes represents the attributes of a text node.", - "type": "object" - }, - "uiNodeType": { - "type": "string" - }, - "uiNodes": { - "items": { - "$ref": "#/components/schemas/uiNode" - }, - "type": "array" - }, - "uiText": { - "properties": { - "context": { - "description": "The message's context. Useful when customizing messages.", - "type": "object" - }, - "id": { - "$ref": "#/components/schemas/ID" - }, - "text": { - "description": "The message text. Written in american english.", - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/uiTextType" - } - }, - "required": ["id", "text", "type"], - "type": "object" - }, - "uiTextType": { - "type": "string" - }, - "uiTexts": { - "items": { - "$ref": "#/components/schemas/uiText" - }, - "type": "array" - }, - "verifiableIdentityAddress": { - "description": "VerifiableAddress is an identity's verifiable address", - "properties": { - "created_at": { - "description": "When this entry was created", - "example": "2014-01-01T23:28:56.782Z", - "format": "date-time", - "type": "string" - }, - "id": { - "$ref": "#/components/schemas/UUID" - }, - "status": { - "$ref": "#/components/schemas/identityVerifiableAddressStatus" - }, - "updated_at": { - "description": "When this entry was last updated", - "example": "2014-01-01T23:28:56.782Z", - "format": "date-time", - "type": "string" - }, - "value": { - "description": "The address value\n\nexample foo@user.com", - "type": "string" - }, - "verified": { - "description": "Indicates if the address has already been verified", - "example": true, - "type": "boolean" - }, - "verified_at": { - "$ref": "#/components/schemas/nullTime" - }, - "via": { - "$ref": "#/components/schemas/identityVerifiableAddressType" - } - }, - "required": ["id", "value", "verified", "via", "status"], - "type": "object" - }, - "version": { - "properties": { - "version": { - "description": "Version is the service's version.", - "type": "string" - } - }, - "type": "object" - }, - "webAuthnJavaScript": { - "type": "string" - } - }, - "securitySchemes": { - "oryAccessToken": { - "in": "header", - "name": "Authorization", - "type": "apiKey" - } - } - }, - "info": { - "contact": { - "email": "hi@ory.sh" - }, - "description": "Documentation for all public and administrative Ory Kratos APIs. Public and administrative APIs\nare exposed on different ports. Public APIs can face the public internet without any protection\nwhile administrative APIs should never be exposed without prior authorization. To protect\nthe administative API port you should use something like Nginx, Ory Oathkeeper, or any other\ntechnology capable of authorizing incoming requests.\n", - "license": { - "name": "Apache 2.0" - }, - "title": "Ory Kratos API", - "version": "v0.8.0-alpha.4.pre.2" - }, - "openapi": "3.0.3", - "paths": { - "/.well-known/ory/webauthn.js": { - "get": { - "description": "This endpoint provides JavaScript which is needed in order to perform WebAuthn login and registration.\n\nIf you are building a JavaScript Browser App (e.g. in ReactJS or AngularJS) you will need to load this file:\n\n```html\n\u003cscript src=\"https://public-kratos.example.org/.well-known/ory/webauthn.js\" type=\"script\" async /\u003e\n```\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "getWebAuthnJavaScript", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/webAuthnJavaScript" - } - } - }, - "description": "webAuthnJavaScript" - } - }, - "summary": "Get WebAuthn JavaScript", - "tags": ["v0alpha2"] - } - }, - "/health/alive": { - "get": { - "description": "This endpoint returns a HTTP 200 status code when Ory Kratos is accepting incoming\nHTTP requests. This status does currently not include checks whether the database connection is working.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the health status will never\nrefer to the cluster state, only to a single instance.", - "operationId": "isAlive", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "properties": { - "status": { - "description": "Always \"ok\".", - "type": "string" - } - }, - "required": ["status"], - "type": "object" - } - } - }, - "description": "Ory Kratos is ready to accept connections." - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/genericError" - } - } - }, - "description": "genericError" - } - }, - "summary": "Check HTTP Server Status", - "tags": ["metadata"] - } - }, - "/health/ready": { - "get": { - "description": "This endpoint returns a HTTP 200 status code when Ory Kratos is up running and the environment dependencies (e.g.\nthe database) are responsive as well.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of Ory Kratos, the health status will never\nrefer to the cluster state, only to a single instance.", - "operationId": "isReady", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "properties": { - "status": { - "description": "Always \"ok\".", - "type": "string" - } - }, - "required": ["status"], - "type": "object" - } - } - }, - "description": "Ory Kratos is ready to accept requests." - }, - "503": { - "content": { - "application/json": { - "schema": { - "properties": { - "errors": { - "additionalProperties": { - "type": "string" - }, - "description": "Errors contains a list of errors that caused the not ready status.", - "type": "object" - } - }, - "required": ["errors"], - "type": "object" - } - } - }, - "description": "Ory Kratos is not yet ready to accept requests." - } - }, - "summary": "Check HTTP Server and Database Status", - "tags": ["metadata"] - } - }, - "/identities": { - "get": { - "description": "Lists all identities. Does not support search at the moment.\n\nLearn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).", - "operationId": "adminListIdentities", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page.", - "in": "query", - "name": "per_page", - "schema": { - "default": 100, - "format": "int64", - "maximum": 500, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Pagination Page", - "in": "query", - "name": "page", - "schema": { - "default": 0, - "format": "int64", - "minimum": 0, - "type": "integer" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identityList" - } - } - }, - "description": "identityList" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "List Identities", - "tags": ["v0alpha2"] - }, - "post": { - "description": "This endpoint creates an identity. It is NOT possible to set an identity's credentials (password, ...)\nusing this method! A way to achieve that will be introduced in the future.\n\nLearn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).", - "operationId": "adminCreateIdentity", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/adminCreateIdentityBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "201": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identity" - } - } - }, - "description": "identity" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "409": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Create an Identity", - "tags": ["v0alpha2"] - } - }, - "/identities/{id}": { - "delete": { - "description": "Calling this endpoint irrecoverably and permanently deletes the identity given its ID. This action can not be undone.\nThis endpoint returns 204 when the identity was deleted or when the identity was not found, in which case it is\nassumed that is has been deleted already.\n\nLearn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).", - "operationId": "adminDeleteIdentity", - "parameters": [ - { - "description": "ID is the identity's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Delete an Identity", - "tags": ["v0alpha2"] - }, - "get": { - "description": "Learn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).", - "operationId": "adminGetIdentity", - "parameters": [ - { - "description": "ID must be set to the ID of identity you want to get", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "DeclassifyCredentials will declassify one or more identity's credentials\n\nCurrently, only `oidc` is supported. This will return the initial OAuth 2.0 Access,\nRefresh and (optionally) OpenID Connect ID Token.", - "in": "query", - "name": "include_credential", - "schema": { - "items": { - "type": "string" - }, - "type": "array" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identity" - } - } - }, - "description": "identity" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Get an Identity", - "tags": ["v0alpha2"] - }, - "put": { - "description": "This endpoint updates an identity. It is NOT possible to set an identity's credentials (password, ...)\nusing this method! A way to achieve that will be introduced in the future.\n\nThe full identity payload (except credentials) is expected. This endpoint does not support patching.\n\nLearn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).", - "operationId": "adminUpdateIdentity", - "parameters": [ - { - "description": "ID must be set to the ID of identity you want to update", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/AdminUpdateIdentityBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identity" - } - } - }, - "description": "identity" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "409": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Update an Identity", - "tags": ["v0alpha2"] - } - }, - "/identities/{id}/sessions": { - "delete": { - "description": "This endpoint is useful for:\n\nTo forcefully logout Identity from all devices and sessions", - "operationId": "adminDeleteIdentitySessions", - "parameters": [ - { - "description": "ID is the identity's ID.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "security": [ - { - "oryAccessToken": [] - } - ], - "summary": "Calling this endpoint irrecoverably and permanently deletes and invalidates all sessions that belong to the given Identity.", - "tags": ["v0alpha2"] - } - }, - "/recovery/link": { - "post": { - "description": "This endpoint creates a recovery link which should be given to the user in order for them to recover\n(or activate) their account.", - "operationId": "adminCreateSelfServiceRecoveryLink", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/adminCreateSelfServiceRecoveryLinkBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRecoveryLink" - } - } - }, - "description": "selfServiceRecoveryLink" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Create a Recovery Link", - "tags": ["v0alpha2"] - } - }, - "/schemas": { - "get": { - "description": "Get all Identity Schemas", - "operationId": "listIdentitySchemas", - "parameters": [ - { - "description": "Items per Page\n\nThis is the number of items per page.", - "in": "query", - "name": "per_page", - "schema": { - "default": 100, - "format": "int64", - "maximum": 500, - "minimum": 1, - "type": "integer" - } - }, - { - "description": "Pagination Page", - "in": "query", - "name": "page", - "schema": { - "default": 0, - "format": "int64", - "minimum": 0, - "type": "integer" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/identitySchemas" - } - } - }, - "description": "identitySchemas" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "tags": ["v0alpha2"] - } - }, - "/schemas/{id}": { - "get": { - "description": "Get a JSON Schema", - "operationId": "getJsonSchema", - "parameters": [ - { - "description": "ID must be set to the ID of schema you want to get", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonSchema" - } - } - }, - "description": "jsonSchema" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "tags": ["v0alpha2"] - } - }, - "/self-service/errors": { - "get": { - "description": "This endpoint returns the error associated with a user-facing self service errors.\n\nThis endpoint supports stub values to help you implement the error UI:\n\n`?id=stub:500` - returns a stub 500 (Internal Server Error) error.\n\nMore information can be found at [Ory Kratos User User Facing Error Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors).", - "operationId": "getSelfServiceError", - "parameters": [ - { - "description": "Error is the error's ID", - "in": "query", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceError" - } - } - }, - "description": "selfServiceError" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Get Self-Service Errors", - "tags": ["v0alpha2"] - } - }, - "/self-service/login": { - "post": { - "description": ":::info\n\nThis endpoint is EXPERIMENTAL and subject to potential breaking changes in the future.\n\n:::\n\nUse this endpoint to complete a login flow. This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and responds with\nHTTP 200 and a application/json body with the session token on success;\nHTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 302 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;\na HTTP 302 redirect to the login UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "submitSelfServiceLoginFlow", - "parameters": [ - { - "description": "The Login Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/login?flow=abcde`).", - "in": "query", - "name": "flow", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The Session Token of the Identity performing the settings flow.", - "in": "header", - "name": "X-Session-Token", - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceLoginFlowBody" - } - }, - "application/x-www-form-urlencoded": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceLoginFlowBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/successfulSelfServiceLoginWithoutBrowser" - } - } - }, - "description": "successfulSelfServiceLoginWithoutBrowser" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceLoginFlow" - } - } - }, - "description": "selfServiceLoginFlow" - }, - "422": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceBrowserLocationChangeRequiredError" - } - } - }, - "description": "selfServiceBrowserLocationChangeRequiredError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Submit a Login Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/login/api": { - "get": { - "description": "This endpoint initiates a login flow for API clients that do not use a browser, such as mobile devices, smart TVs, and so on.\n\nIf a valid provided session cookie or session token is provided, a 400 Bad Request error\nwill be returned unless the URL query parameter `?refresh=true` is set.\n\nTo fetch an existing login flow call `/self-service/login/flows?flow=\u003cflow_id\u003e`.\n\nYou MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server\nPages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make\nyou vulnerable to a variety of CSRF attacks, including CSRF login attacks.\n\nIn the case of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`session_aal1_required`: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n\nThis endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "initializeSelfServiceLoginFlowWithoutBrowser", - "parameters": [ - { - "description": "Refresh a login session\n\nIf set to true, this will refresh an existing login session by\nasking the user to sign in again. This will reset the\nauthenticated_at time of the session.", - "in": "query", - "name": "refresh", - "schema": { - "type": "boolean" - } - }, - { - "description": "Request a Specific AuthenticationMethod Assurance Level\n\nUse this parameter to upgrade an existing session's authenticator assurance level (AAL). This\nallows you to ask for multi-factor authentication. When an identity sign in using e.g. username+password,\nthe AAL is 1. If you wish to \"upgrade\" the session's security by asking the user to perform TOTP / WebAuth/ ...\nyou would set this to \"aal2\".", - "in": "query", - "name": "aal", - "schema": { - "type": "string" - } - }, - { - "description": "The Session Token of the Identity performing the settings flow.", - "in": "header", - "name": "X-Session-Token", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceLoginFlow" - } - } - }, - "description": "selfServiceLoginFlow" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Login Flow for APIs, Services, Apps, ...", - "tags": ["v0alpha2"] - } - }, - "/self-service/login/browser": { - "get": { - "description": "This endpoint initializes a browser-based user login flow. This endpoint will set the appropriate\ncookies and anti-CSRF measures required for browser-based flows.\n\nIf this endpoint is opened as a link in the browser, it will be redirected to\n`selfservice.flows.login.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session\nexists already, the browser will be redirected to `urls.default_redirect_url` unless the query parameter\n`?refresh=true` was set.\n\nIf this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`session_aal1_required`: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n\nThis endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "initializeSelfServiceLoginFlowForBrowsers", - "parameters": [ - { - "description": "Refresh a login session\n\nIf set to true, this will refresh an existing login session by\nasking the user to sign in again. This will reset the\nauthenticated_at time of the session.", - "in": "query", - "name": "refresh", - "schema": { - "type": "boolean" - } - }, - { - "description": "Request a Specific AuthenticationMethod Assurance Level\n\nUse this parameter to upgrade an existing session's authenticator assurance level (AAL). This\nallows you to ask for multi-factor authentication. When an identity sign in using e.g. username+password,\nthe AAL is 1. If you wish to \"upgrade\" the session's security by asking the user to perform TOTP / WebAuth/ ...\nyou would set this to \"aal2\".", - "in": "query", - "name": "aal", - "schema": { - "type": "string" - } - }, - { - "description": "The URL to return the browser to after the flow was completed.", - "in": "query", - "name": "return_to", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceLoginFlow" - } - } - }, - "description": "selfServiceLoginFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Login Flow for Browsers", - "tags": ["v0alpha2"] - } - }, - "/self-service/login/flows": { - "get": { - "description": "This endpoint returns a login flow's context with, for example, error details and other information.\n\nBrowser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.\nFor AJAX requests you must ensure that cookies are included in the request or requests will fail.\n\nIf you use the browser-flow for server-side apps, the services need to run on a common top-level-domain\nand you need to forward the incoming HTTP Cookie header to this endpoint:\n\n```js\npseudo-code example\nrouter.get('/login', async function (req, res) {\nconst flow = await client.getSelfServiceLoginFlow(req.header('cookie'), req.query['flow'])\n\nres.render('login', flow)\n})\n```\n\nThis request may fail due to several reasons. The `error.id` can be one of:\n\n`session_already_available`: The user is already signed in.\n`self_service_flow_expired`: The flow is expired and you should request a new one.\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "getSelfServiceLoginFlow", - "parameters": [ - { - "description": "The Login Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/login?flow=abcde`).", - "in": "query", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "HTTP Cookies\n\nWhen using the SDK on the server side you must include the HTTP Cookie Header\noriginally sent to your HTTP handler here.", - "in": "header", - "name": "cookie", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceLoginFlow" - } - } - }, - "description": "selfServiceLoginFlow" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "410": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Get Login Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/logout": { - "get": { - "description": "This endpoint logs out an identity in a self-service manner.\n\nIf the `Accept` HTTP header is not set to `application/json`, the browser will be redirected (HTTP 302 Found)\nto the `return_to` parameter of the initial request or fall back to `urls.default_return_to`.\n\nIf the `Accept` HTTP header is set to `application/json`, a 204 No Content response\nwill be sent on successful logout instead.\n\nThis endpoint is NOT INTENDED for API clients and only works\nwith browsers (Chrome, Firefox, ...). For API clients you can\ncall the `/self-service/logout/api` URL directly with the Ory Session Token.\n\nMore information can be found at [Ory Kratos User Logout Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-logout).", - "operationId": "submitSelfServiceLogoutFlow", - "parameters": [ - { - "description": "A Valid Logout Token\n\nIf you do not have a logout token because you only have a session cookie,\ncall `/self-service/logout/urls` to generate a URL for this endpoint.", - "in": "query", - "name": "token", - "schema": { - "type": "string" - } - }, - { - "description": "The URL to return to after the logout was completed.", - "in": "query", - "name": "return_to", - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Complete Self-Service Logout", - "tags": ["v0alpha2"] - } - }, - "/self-service/logout/api": { - "delete": { - "description": "Use this endpoint to log out an identity using an Ory Session Token. If the Ory Session Token was successfully\nrevoked, the server returns a 204 No Content response. A 204 No Content response is also sent when\nthe Ory Session Token has been revoked already before.\n\nIf the Ory Session Token is malformed or does not exist a 403 Forbidden response will be returned.\n\nThis endpoint does not remove any HTTP\nCookies - use the Browser-Based Self-Service Logout Flow instead.", - "operationId": "submitSelfServiceLogoutFlowWithoutBrowser", - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceLogoutFlowWithoutBrowserBody" - } - } - }, - "required": true, - "x-originalParamName": "Body" - }, - "responses": { - "204": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Perform Logout for APIs, Services, Apps, ...", - "tags": ["v0alpha2"] - } - }, - "/self-service/logout/browser": { - "get": { - "description": "This endpoint initializes a browser-based user logout flow and a URL which can be used to log out the user.\n\nThis endpoint is NOT INTENDED for API clients and only works\nwith browsers (Chrome, Firefox, ...). For API clients you can\ncall the `/self-service/logout/api` URL directly with the Ory Session Token.\n\nThe URL is only valid for the currently signed in user. If no user is signed in, this endpoint returns\na 401 error.\n\nWhen calling this endpoint from a backend, please ensure to properly forward the HTTP cookies.", - "operationId": "createSelfServiceLogoutFlowUrlForBrowsers", - "parameters": [ - { - "description": "HTTP Cookies\n\nIf you call this endpoint from a backend, please include the\noriginal Cookie header in the request.", - "in": "header", - "name": "cookie", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceLogoutUrl" - } - } - }, - "description": "selfServiceLogoutUrl" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Create a Logout URL for Browsers", - "tags": ["v0alpha2"] - } - }, - "/self-service/recovery": { - "post": { - "description": "Use this endpoint to complete a recovery flow. This endpoint\nbehaves differently for API and browser flows and has several states:\n\n`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent\nand works with API- and Browser-initiated flows.\nFor API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid.\nand a HTTP 302 Found redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).\nFor Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 302 Found redirect to the Recovery UI URL with the Recovery Flow ID appended.\n`sent_email` is the success state after `choose_method` for the `link` method and allows the user to request another recovery email. It\nworks for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.\n`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow (\"sending a recovery link\")\ndoes not have any API capabilities. The server responds with a HTTP 302 Found redirect either to the Settings UI URL\n(if the link was valid) and instructs the user to update their password, or a redirect to the Recover UI URL with\na new Recovery Flow ID which contains an error message that the recovery link was invalid.\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery.mdx).", - "operationId": "submitSelfServiceRecoveryFlow", - "parameters": [ - { - "description": "The Recovery Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/recovery?flow=abcde`).", - "in": "query", - "name": "flow", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "Recovery Token\n\nThe recovery token which completes the recovery request. If the token\nis invalid (e.g. expired) an error will be shown to the end-user.\n\nThis parameter is usually set in a link and not used by any direct API call.", - "in": "query", - "name": "token", - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceRecoveryFlowBody" - } - }, - "application/x-www-form-urlencoded": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceRecoveryFlowBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRecoveryFlow" - } - } - }, - "description": "selfServiceRecoveryFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRecoveryFlow" - } - } - }, - "description": "selfServiceRecoveryFlow" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Complete Recovery Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/recovery/api": { - "get": { - "description": "This endpoint initiates a recovery flow for API clients such as mobile devices, smart TVs, and so on.\n\nIf a valid provided session cookie or session token is provided, a 400 Bad Request error.\n\nTo fetch an existing recovery flow call `/self-service/recovery/flows?flow=\u003cflow_id\u003e`.\n\nYou MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server\nPages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make\nyou vulnerable to a variety of CSRF attacks.\n\nThis endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).\n\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery.mdx).", - "operationId": "initializeSelfServiceRecoveryFlowWithoutBrowser", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRecoveryFlow" - } - } - }, - "description": "selfServiceRecoveryFlow" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Recovery Flow for APIs, Services, Apps, ...", - "tags": ["v0alpha2"] - } - }, - "/self-service/recovery/browser": { - "get": { - "description": "This endpoint initializes a browser-based account recovery flow. Once initialized, the browser will be redirected to\n`selfservice.flows.recovery.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session\nexists, the browser is returned to the configured return URL.\n\nIf this endpoint is called via an AJAX request, the response contains the recovery flow without any redirects\nor a 400 bad request error if the user is already authenticated.\n\nThis endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery.mdx).", - "operationId": "initializeSelfServiceRecoveryFlowForBrowsers", - "parameters": [ - { - "description": "The URL to return the browser to after the flow was completed.", - "in": "query", - "name": "return_to", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRecoveryFlow" - } - } - }, - "description": "selfServiceRecoveryFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Recovery Flow for Browsers", - "tags": ["v0alpha2"] - } - }, - "/self-service/recovery/flows": { - "get": { - "description": "This endpoint returns a recovery flow's context with, for example, error details and other information.\n\nBrowser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.\nFor AJAX requests you must ensure that cookies are included in the request or requests will fail.\n\nIf you use the browser-flow for server-side apps, the services need to run on a common top-level-domain\nand you need to forward the incoming HTTP Cookie header to this endpoint:\n\n```js\npseudo-code example\nrouter.get('/recovery', async function (req, res) {\nconst flow = await client.getSelfServiceRecoveryFlow(req.header('Cookie'), req.query['flow'])\n\nres.render('recovery', flow)\n})\n```\n\nMore information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery.mdx).", - "operationId": "getSelfServiceRecoveryFlow", - "parameters": [ - { - "description": "The Flow ID\n\nThe value for this parameter comes from `request` URL Query parameter sent to your\napplication (e.g. `/recovery?flow=abcde`).", - "in": "query", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "HTTP Cookies\n\nWhen using the SDK on the server side you must include the HTTP Cookie Header\noriginally sent to your HTTP handler here.", - "in": "header", - "name": "cookie", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRecoveryFlow" - } - } - }, - "description": "selfServiceRecoveryFlow" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "410": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Get Recovery Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/registration": { - "post": { - "description": "Use this endpoint to complete a registration flow by sending an identity's traits and password. This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and respond with\nHTTP 200 and a application/json body with the created identity success - if the session hook is configured the\n`session` and `session_token` will also be included;\nHTTP 302 redirect to a fresh registration flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 302 redirect to the post/after registration URL or the `return_to` value if it was set and if the registration succeeded;\na HTTP 302 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "submitSelfServiceRegistrationFlow", - "parameters": [ - { - "description": "The Registration Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/registration?flow=abcde`).", - "in": "query", - "name": "flow", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceRegistrationFlowBody" - } - }, - "application/x-www-form-urlencoded": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceRegistrationFlowBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/successfulSelfServiceRegistrationWithoutBrowser" - } - } - }, - "description": "successfulSelfServiceRegistrationWithoutBrowser" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRegistrationFlow" - } - } - }, - "description": "selfServiceRegistrationFlow" - }, - "422": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceBrowserLocationChangeRequiredError" - } - } - }, - "description": "selfServiceBrowserLocationChangeRequiredError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Submit a Registration Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/registration/api": { - "get": { - "description": "This endpoint initiates a registration flow for API clients such as mobile devices, smart TVs, and so on.\n\nIf a valid provided session cookie or session token is provided, a 400 Bad Request error\nwill be returned unless the URL query parameter `?refresh=true` is set.\n\nTo fetch an existing registration flow call `/self-service/registration/flows?flow=\u003cflow_id\u003e`.\n\nYou MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server\nPages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make\nyou vulnerable to a variety of CSRF attacks.\n\nIn the case of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n\nThis endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "initializeSelfServiceRegistrationFlowWithoutBrowser", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRegistrationFlow" - } - } - }, - "description": "selfServiceRegistrationFlow" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Registration Flow for APIs, Services, Apps, ...", - "tags": ["v0alpha2"] - } - }, - "/self-service/registration/browser": { - "get": { - "description": "This endpoint initializes a browser-based user registration flow. This endpoint will set the appropriate\ncookies and anti-CSRF measures required for browser-based flows.\n\n:::info\n\nThis endpoint is EXPERIMENTAL and subject to potential breaking changes in the future.\n\n:::\n\nIf this endpoint is opened as a link in the browser, it will be redirected to\n`selfservice.flows.registration.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session\nexists already, the browser will be redirected to `urls.default_redirect_url`.\n\nIf this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n\nIf this endpoint is called via an AJAX request, the response contains the registration flow without a redirect.\n\nThis endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "initializeSelfServiceRegistrationFlowForBrowsers", - "parameters": [ - { - "description": "The URL to return the browser to after the flow was completed.", - "in": "query", - "name": "return_to", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRegistrationFlow" - } - } - }, - "description": "selfServiceRegistrationFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Registration Flow for Browsers", - "tags": ["v0alpha2"] - } - }, - "/self-service/registration/flows": { - "get": { - "description": "This endpoint returns a registration flow's context with, for example, error details and other information.\n\nBrowser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.\nFor AJAX requests you must ensure that cookies are included in the request or requests will fail.\n\nIf you use the browser-flow for server-side apps, the services need to run on a common top-level-domain\nand you need to forward the incoming HTTP Cookie header to this endpoint:\n\n```js\npseudo-code example\nrouter.get('/registration', async function (req, res) {\nconst flow = await client.getSelfServiceRegistrationFlow(req.header('cookie'), req.query['flow'])\n\nres.render('registration', flow)\n})\n```\n\nThis request may fail due to several reasons. The `error.id` can be one of:\n\n`session_already_available`: The user is already signed in.\n`self_service_flow_expired`: The flow is expired and you should request a new one.\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).", - "operationId": "getSelfServiceRegistrationFlow", - "parameters": [ - { - "description": "The Registration Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/registration?flow=abcde`).", - "in": "query", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "HTTP Cookies\n\nWhen using the SDK on the server side you must include the HTTP Cookie Header\noriginally sent to your HTTP handler here.", - "in": "header", - "name": "cookie", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceRegistrationFlow" - } - } - }, - "description": "selfServiceRegistrationFlow" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "410": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Get Registration Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/settings": { - "post": { - "description": "Use this endpoint to complete a settings flow by sending an identity's updated password. This endpoint\nbehaves differently for API and browser flows.\n\nAPI-initiated flows expect `application/json` to be sent in the body and respond with\nHTTP 200 and an application/json body with the session token on success;\nHTTP 302 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\nHTTP 401 when the endpoint is called without a valid session token.\nHTTP 403 when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.\nImplies that the user needs to re-authenticate.\n\nBrowser flows without HTTP Header `Accept` or with `Accept: text/*` respond with\na HTTP 302 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded;\na HTTP 302 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise.\na HTTP 302 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.\n\nBrowser flows with HTTP Header `Accept: application/json` respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 401 when the endpoint is called without a valid session cookie.\nHTTP 403 when the page is accessed without a session cookie or the session's AAL is too low.\nHTTP 400 on form validation errors.\n\nDepending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator\nAssurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn\ncredentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user\nto sign in with the second factor (happens automatically for server-side browser flows) or change the configuration.\n\nIf this endpoint is called with a `Accept: application/json` HTTP header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_refresh_required`: The identity requested to change something that needs a privileged session. Redirect\nthe identity to the login init endpoint with query parameters `?refresh=true\u0026return_to=\u003cthe-current-browser-url\u003e`,\nor initiate a refresh login flow otherwise.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`session_inactive`: No Ory Session was found - sign in a user first.\n`security_identity_mismatch`: The flow was interrupted with `session_refresh_required` but apparently some other\nidentity logged in instead.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Settings \u0026 Profile Management Documentation](../self-service/flows/user-settings).", - "operationId": "submitSelfServiceSettingsFlow", - "parameters": [ - { - "description": "The Settings Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/settings?flow=abcde`).", - "in": "query", - "name": "flow", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The Session Token of the Identity performing the settings flow.", - "in": "header", - "name": "X-Session-Token", - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceSettingsFlowBody" - } - }, - "application/x-www-form-urlencoded": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceSettingsFlowBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceSettingsFlow" - } - } - }, - "description": "selfServiceSettingsFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceSettingsFlow" - } - } - }, - "description": "selfServiceSettingsFlow" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "422": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceBrowserLocationChangeRequiredError" - } - } - }, - "description": "selfServiceBrowserLocationChangeRequiredError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "security": [ - { - "sessionToken": [] - } - ], - "summary": "Complete Settings Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/settings/api": { - "get": { - "description": "This endpoint initiates a settings flow for API clients such as mobile devices, smart TVs, and so on.\nYou must provide a valid Ory Kratos Session Token for this endpoint to respond with HTTP 200 OK.\n\nTo fetch an existing settings flow call `/self-service/settings/flows?flow=\u003cflow_id\u003e`.\n\nYou MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server\nPages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make\nyou vulnerable to a variety of CSRF attacks.\n\nDepending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator\nAssurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn\ncredentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user\nto sign in with the second factor or change the configuration.\n\nIn the case of an error, the `error.id` of the JSON response body can be one of:\n\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`session_inactive`: No Ory Session was found - sign in a user first.\n\nThis endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).\n\nMore information can be found at [Ory Kratos User Settings \u0026 Profile Management Documentation](../self-service/flows/user-settings).", - "operationId": "initializeSelfServiceSettingsFlowWithoutBrowser", - "parameters": [ - { - "description": "The Session Token of the Identity performing the settings flow.", - "in": "header", - "name": "X-Session-Token", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceSettingsFlow" - } - } - }, - "description": "selfServiceSettingsFlow" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Settings Flow for APIs, Services, Apps, ...", - "tags": ["v0alpha2"] - } - }, - "/self-service/settings/browser": { - "get": { - "description": "This endpoint initializes a browser-based user settings flow. Once initialized, the browser will be redirected to\n`selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid\nOry Kratos Session Cookie is included in the request, a login flow will be initialized.\n\nIf this endpoint is opened as a link in the browser, it will be redirected to\n`selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid user session\nwas set, the browser will be redirected to the login endpoint.\n\nIf this endpoint is called via an AJAX request, the response contains the settings flow without any redirects\nor a 401 forbidden error if no valid session was set.\n\nDepending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator\nAssurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn\ncredentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user\nto sign in with the second factor (happens automatically for server-side browser flows) or change the configuration.\n\nIf this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`session_inactive`: No Ory Session was found - sign in a user first.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n\nThis endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.\n\nMore information can be found at [Ory Kratos User Settings \u0026 Profile Management Documentation](../self-service/flows/user-settings).", - "operationId": "initializeSelfServiceSettingsFlowForBrowsers", - "parameters": [ - { - "description": "The URL to return the browser to after the flow was completed.", - "in": "query", - "name": "return_to", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceSettingsFlow" - } - } - }, - "description": "selfServiceSettingsFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Settings Flow for Browsers", - "tags": ["v0alpha2"] - } - }, - "/self-service/settings/flows": { - "get": { - "description": "When accessing this endpoint through Ory Kratos' Public API you must ensure that either the Ory Kratos Session Cookie\nor the Ory Kratos Session Token are set.\n\nDepending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator\nAssurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn\ncredentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user\nto sign in with the second factor or change the configuration.\n\nYou can access this endpoint without credentials when using Ory Kratos' Admin API.\n\nIf this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`session_inactive`: No Ory Session was found - sign in a user first.\n`security_identity_mismatch`: The flow was interrupted with `session_refresh_required` but apparently some other\nidentity logged in instead.\n\nMore information can be found at [Ory Kratos User Settings \u0026 Profile Management Documentation](../self-service/flows/user-settings).", - "operationId": "getSelfServiceSettingsFlow", - "parameters": [ - { - "description": "ID is the Settings Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/settings?flow=abcde`).", - "in": "query", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The Session Token\n\nWhen using the SDK in an app without a browser, please include the\nsession token here.", - "in": "header", - "name": "X-Session-Token", - "schema": { - "type": "string" - } - }, - { - "description": "HTTP Cookies\n\nWhen using the SDK on the server side you must include the HTTP Cookie Header\noriginally sent to your HTTP handler here. You only need to do this for browser-\nbased flows.", - "in": "header", - "name": "cookie", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceSettingsFlow" - } - } - }, - "description": "selfServiceSettingsFlow" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "410": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Get Settings Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/verification": { - "post": { - "description": "Use this endpoint to complete a verification flow. This endpoint\nbehaves differently for API and browser flows and has several states:\n\n`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent\nand works with API- and Browser-initiated flows.\nFor API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid\nand a HTTP 302 Found redirect with a fresh verification flow if the flow was otherwise invalid (e.g. expired).\nFor Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 302 Found redirect to the Verification UI URL with the Verification Flow ID appended.\n`sent_email` is the success state after `choose_method` when using the `link` method and allows the user to request another verification email. It\nworks for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.\n`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow (\"sending a verification link\")\ndoes not have any API capabilities. The server responds with a HTTP 302 Found redirect either to the Settings UI URL\n(if the link was valid) and instructs the user to update their password, or a redirect to the Verification UI URL with\na new Verification Flow ID which contains an error message that the verification link was invalid.\n\nMore information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).", - "operationId": "submitSelfServiceVerificationFlow", - "parameters": [ - { - "description": "The Verification Flow ID\n\nThe value for this parameter comes from `flow` URL Query parameter sent to your\napplication (e.g. `/verification?flow=abcde`).", - "in": "query", - "name": "flow", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "Verification Token\n\nThe verification token which completes the verification request. If the token\nis invalid (e.g. expired) an error will be shown to the end-user.\n\nThis parameter is usually set in a link and not used by any direct API call.", - "in": "query", - "name": "token", - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceVerificationFlowBody" - } - }, - "application/x-www-form-urlencoded": { - "schema": { - "$ref": "#/components/schemas/submitSelfServiceVerificationFlowBody" - } - } - }, - "x-originalParamName": "Body" - }, - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceVerificationFlow" - } - } - }, - "description": "selfServiceVerificationFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceVerificationFlow" - } - } - }, - "description": "selfServiceVerificationFlow" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Complete Verification Flow", - "tags": ["v0alpha2"] - } - }, - "/self-service/verification/api": { - "get": { - "description": "This endpoint initiates a verification flow for API clients such as mobile devices, smart TVs, and so on.\n\nTo fetch an existing verification flow call `/self-service/verification/flows?flow=\u003cflow_id\u003e`.\n\nYou MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server\nPages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make\nyou vulnerable to a variety of CSRF attacks.\n\nThis endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).\n\nMore information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).", - "operationId": "initializeSelfServiceVerificationFlowWithoutBrowser", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceVerificationFlow" - } - } - }, - "description": "selfServiceVerificationFlow" - }, - "400": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Verification Flow for APIs, Services, Apps, ...", - "tags": ["v0alpha2"] - } - }, - "/self-service/verification/browser": { - "get": { - "description": "This endpoint initializes a browser-based account verification flow. Once initialized, the browser will be redirected to\n`selfservice.flows.verification.ui_url` with the flow ID set as the query parameter `?flow=`.\n\nIf this endpoint is called via an AJAX request, the response contains the recovery flow without any redirects.\n\nThis endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...).\n\nMore information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).", - "operationId": "initializeSelfServiceVerificationFlowForBrowsers", - "parameters": [ - { - "description": "The URL to return the browser to after the flow was completed.", - "in": "query", - "name": "return_to", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceVerificationFlow" - } - } - }, - "description": "selfServiceVerificationFlow" - }, - "302": { - "$ref": "#/components/responses/emptyResponse" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Initialize Verification Flow for Browser Clients", - "tags": ["v0alpha2"] - } - }, - "/self-service/verification/flows": { - "get": { - "description": "This endpoint returns a verification flow's context with, for example, error details and other information.\n\nBrowser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.\nFor AJAX requests you must ensure that cookies are included in the request or requests will fail.\n\nIf you use the browser-flow for server-side apps, the services need to run on a common top-level-domain\nand you need to forward the incoming HTTP Cookie header to this endpoint:\n\n```js\npseudo-code example\nrouter.get('/recovery', async function (req, res) {\nconst flow = await client.getSelfServiceVerificationFlow(req.header('cookie'), req.query['flow'])\n\nres.render('verification', flow)\n})\n\nMore information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).", - "operationId": "getSelfServiceVerificationFlow", - "parameters": [ - { - "description": "The Flow ID\n\nThe value for this parameter comes from `request` URL Query parameter sent to your\napplication (e.g. `/verification?flow=abcde`).", - "in": "query", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "HTTP Cookies\n\nWhen using the SDK on the server side you must include the HTTP Cookie Header\noriginally sent to your HTTP handler here.", - "in": "header", - "name": "cookie", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/selfServiceVerificationFlow" - } - } - }, - "description": "selfServiceVerificationFlow" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "404": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Get Verification Flow", - "tags": ["v0alpha2"] - } - }, - "/sessions/whoami": { - "get": { - "description": "Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated.\nReturns a session object in the body or 401 if the credentials are invalid or no credentials were sent.\nAdditionally when the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header in the response.\n\nIf you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:\n\n```js\npseudo-code example\nrouter.get('/protected-endpoint', async function (req, res) {\nconst session = await client.toSession(undefined, req.header('cookie'))\n\nconsole.log(session)\n})\n```\n\nWhen calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token:\n\n```js\npseudo-code example\n...\nconst session = await client.toSession(\"the-session-token\")\n\nconsole.log(session)\n```\n\nDepending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator\nAssurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn\ncredentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user\nto sign in with the second factor or change the configuration.\n\nThis endpoint is useful for:\n\nAJAX calls. Remember to send credentials and set up CORS correctly!\nReverse proxies and API Gateways\nServer-side calls - use the `X-Session-Token` header!\n\nThis endpoint authenticates users by checking\n\nif the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie;\nif the `Authorization: bearer \u003cory-session-token\u003e` HTTP header was set with a valid Ory Kratos Session Token;\nif the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token.\n\nIf none of these headers are set or the cooke or token are invalid, the endpoint returns a HTTP 401 status code.\n\nAs explained above, this request may fail due to several reasons. The `error.id` can be one of:\n\n`session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token).\n`session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor.", - "operationId": "toSession", - "parameters": [ - { - "description": "Set the Session Token when calling from non-browser clients. A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.", - "example": "MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj", - "in": "header", - "name": "X-Session-Token", - "schema": { - "type": "string" - } - }, - { - "description": "Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that\nscenario you must include the HTTP Cookie Header which originally was included in the request to your server.\nAn example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.\n\nIt is ok if more than one cookie are included here as all other cookies will be ignored.", - "example": "ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==", - "in": "header", - "name": "Cookie", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/session" - } - } - }, - "description": "session" - }, - "401": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "403": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - }, - "500": { - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/jsonError" - } - } - }, - "description": "jsonError" - } - }, - "summary": "Check Who the Current HTTP Session Belongs To", - "tags": ["v0alpha2"] - } - }, - "/version": { - "get": { - "description": "This endpoint returns the version of Ory Kratos.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the version will never\nrefer to the cluster state, only to a single instance.", - "operationId": "getVersion", - "responses": { - "200": { - "content": { - "application/json": { - "schema": { - "properties": { - "version": { - "description": "The version of Ory Kratos.", - "type": "string" - } - }, - "required": ["version"], - "type": "object" - } - } - }, - "description": "Returns the Ory Kratos version." - } - }, - "summary": "Return Running Software Version.", - "tags": ["metadata"] - } - } - }, - "x-forwarded-proto": "string", - "x-request-id": "string" -} diff --git a/docs/versioned_docs/version-v/admin/managing-users-identities.mdx b/docs/versioned_docs/version-v/admin/managing-users-identities.mdx deleted file mode 100644 index 2384ed203f9..00000000000 --- a/docs/versioned_docs/version-v/admin/managing-users-identities.mdx +++ /dev/null @@ -1,208 +0,0 @@ ---- -id: managing-users-identities -title: Managing Users and Identities ---- - -import Tabs from '@theme/Tabs' -import TabItem from '@theme/TabItem' - -This document walks you through the administrative identity management in Ory -Kratos. You should already be familiar with the -[Identity Schema](../concepts/identity-schema.mdx) before reading this guide. - -## Creating an Identity - -There are three principal flows supported for creating identities as an -administrator: - -1. Inviting users - e.g. inviting a new employee to your organization IT. -2. Importing existing users - e.g. when migrating from another system to Ory - Kratos. -3. Creating machine users - e.g. creating Service Accounts. - -:::note - -Similar to other guides, we assume that Ory Kratos runs on 127.0.0.1:4433 -(public endpoint) and 127.0.0.1:4434 (admin endpoint) in this guide, which is -the default when running the quickstart. - -::: - -### Invite a User - -The goal of this flow is to create an identity and provide the end-user with a -way of signing into the identity (account) and setting their password (or any -other type of credential) for future logins. To achieve this, first create the -identity and set its traits and schema: - -```shell script -$ curl --request POST -sL \ - --header "Content-Type: application/json" \ - --request POST \ - --data '{ - "schema_id": "default", - "traits": { - "email": "foo@ory.sh" - } -}' \ - http://127.0.0.1:4434/identities - -{ - "id": "954f7f59-16a5-4152-8ce7-ad7c73bb124a", - "schema_id": "default", - "traits":{ - "email": "foo@ory.sh" - } -} -``` - -Keep in mind that you can change the `schema_id` to reflect the schema you want -to use for this user. Similarly, the trait key/values depend on your schema as -well. The command shown does not create a password for the identity or any other -type of credential. Instead, we will use another REST call to create a recovery -link (here "invite link" is probably more appropriate, but the flow uses an -account recovery link). It's possible to generate a link for an account without -a recovery address via the admin API, but if the recovery link expires the user -won't be able to reinitiate the flow by himself as long as the recovery address -has been added. - -To create the account recovery link, use: - - - - -```shell script -$ curl --request POST -sL \ - --header "Content-Type: application/json" \ - --request POST \ - --data '{ - "expires_in": "12h", - "identity_id": "954f7f59-16a5-4152-8ce7-ad7c73bb124a" -}' \ - http://127.0.0.1:4434/recovery/link - -{ - "expires_at": "2020-07-27T10:47:45.806Z", - "recovery_link": "https://playground.projects.oryapis.com/api/kratos/public/self-service/browser/flows/recovery/link?request=8b6fd3e4-1de2-49bf-aa88-1a26634bf062\u0026token=b1tGmHf64cYDeHB9wKiuCF1FfycMJEyf" -} -``` - - - - -```go -package main - -import ( - "fmt" - "github.com/ory/kratos-client-go/client" - "github.com/ory/kratos-client-go/client/admin" - "github.com/ory/kratos-client-go/models" -) - -func main() { - c := client.New(nil, &client.TransportConfig{ - Host: "127.0.0.1:4434", - BasePath: "/", - Schemes: []string{"http"}, - }) - - res, err := c.Admin.CreateRecoveryLink(admin.NewCreateRecoveryLinkParams().WithBody(admin.CreateRecoveryLinkBody{ - IdentityID: models.UUID("the-uuid"), - })) - if err != nil { - // ... - } - - fmt.Printf("Use link: %s", *res.Payload.RecoveryLink) -} -``` - -The response contains a `recovery_link` value which is the link the user should -use to set up his or her credentials (e.g. connect to a Social Sign In Provider, -set up a password, ...). The user has only a limited amount of time to do so - -the amount of time is specified in the Ory Kratos config: - -```yaml title="path/to/kratos/config.yml" -selfservice: - flows: - settings: - privileged_session_max_age: 30m -``` - -If the user fails to set up his / her credentials in time, another recovery link -needs to be issued and the user needs to re-do the flow. - -It is currently not possible to send the recovery link directly to a user's -email, this feature is tracked as -[#595](https://github.com/ory/kratos/issues/595). - - - - -### Import a User Identity - -This feature is not implemented yet. - -### Creating a Machine Identity - -This feature is not implemented yet. - -### Enable recovery flows - -To enable recovery flows, make the following adjustments to your Ory Kratos -configuration: - -```yaml title="path/to/config/kratos.yml" -selfservice: - methods: - link: - enabled: true - flows: - recovery: - enabled: true -``` - -To specify that an identity's trait is a recovery email, use the following -Identity Schema: - -```diff - { - "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "type": "string", - "format": "email", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - }, -+ "recovery": { -+ "via": "email" -+ } - } - } - } - "additionalProperties": false - } - } - } -``` - -For more detailed information and general guidelines on these flows, take a look -at the -[Account Recovery and Password Reset](../self-service/flows/account-recovery.mdx) -section. diff --git a/docs/versioned_docs/version-v/cli/kratos-courier-watch.md b/docs/versioned_docs/version-v/cli/kratos-courier-watch.md deleted file mode 100644 index e73cb6cfd33..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-courier-watch.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -id: kratos-courier-watch -title: kratos courier watch -description: kratos courier watch Starts the Ory Kratos message courier ---- - - - -## kratos courier watch - -Starts the Ory Kratos message courier - -``` -kratos courier watch [flags] -``` - -### Options - -``` - --expose-metrics-port int The port to expose the metrics endpoint on (not exposed by default) - -h, --help help for watch -``` - -### Options inherited from parent commands - -``` - -c, --config strings Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file. -``` - -### SEE ALSO - -- [kratos courier](kratos-courier) - Commands related to the Ory Kratos message - courier diff --git a/docs/versioned_docs/version-v/cli/kratos-courier.md b/docs/versioned_docs/version-v/cli/kratos-courier.md deleted file mode 100644 index ced7845d74d..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-courier.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -id: kratos-courier -title: kratos courier -description: kratos courier Commands related to the Ory Kratos message courier ---- - - - -## kratos courier - -Commands related to the Ory Kratos message courier - -### Options - -``` - -c, --config strings Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file. - -h, --help help for courier -``` - -### SEE ALSO - -- [kratos](kratos) - -- [kratos courier watch](kratos-courier-watch) - Starts the Ory Kratos message - courier diff --git a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-calibrate.md b/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-calibrate.md deleted file mode 100644 index a64d6cf3869..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-calibrate.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -id: kratos-hashers-argon2-calibrate -title: kratos hashers argon2 calibrate -description: kratos hashers argon2 calibrate Computes Optimal Argon2 Parameters ---- - - - -## kratos hashers argon2 calibrate - -Computes Optimal Argon2 Parameters - -### Synopsis - -This command helps you calibrate the configuration parameters for Argon2. -Password hashing is a trade-off between security, resource consumption, and user -experience. Resource consumption should not be too high and the login should not -take too long. - -We recommend that the login process takes between half a second and one second -for password hashing, giving a good balance between security and user -experience. - -Please note that the values depend on the machine you run the hashing on. If you -have RAM constraints, please set the memory dedicated to Ory Kratos to avoid out -of memory panics. - -``` -kratos hashers argon2 calibrate <requests-per-minute> [flags] -``` - -### Options - -``` - --adjust-memory-by byte_size Amount by which the memory is adjusted in every step while probing. (default 512.00MB) - -c, --config strings Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file. - --dedicated-memory byte_size Amount of memory dedicated for password hashing. Kratos will try to not consume more memory. (default 1.00GB) - --expected-deviation duration Expected deviation of the time a hashing operation (~login request) takes. (default 500ms) - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -h, --help help for calibrate - --key-length uint32 Length of the key in bytes. (default 32) - --max-concurrent uint8 Maximum number of concurrent hashing operations. (default 16) - --max-memory byte_size Maximum memory allowed (0 means no limit). (default 0.00B) - --min-duration duration Minimal duration a hashing operation (~login request) takes. (default 500ms) - --parallelism uint8 Number of threads to use. (default 72) - -r, --probe-runs int Runs per probe, median of all runs is taken as the result. (default 2) - -q, --quiet Be quiet with output printing. - --salt-length uint32 Length of the salt in bytes. (default 16) - -i, --start-iterations uint32 Number of iterations to start probing at. (default 1) - -m, --start-memory byte_size Amount of memory to start probing at. (default 0.00B) -``` - -### SEE ALSO - -- [kratos hashers argon2](kratos-hashers-argon2) - diff --git a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-hash.md b/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-hash.md deleted file mode 100644 index e33a2a9e79e..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-hash.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -id: kratos-hashers-argon2-hash -title: kratos hashers argon2 hash -description: - kratos hashers argon2 hash Hash a list of passwords for benchmarking the - hashing parameters ---- - - - -## kratos hashers argon2 hash - -Hash a list of passwords for benchmarking the hashing parameters - -``` -kratos hashers argon2 hash <password1> [<password2> ...] [flags] -``` - -### Options - -``` - -c, --config strings Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file. - --dedicated-memory byte_size Amount of memory dedicated for password hashing. Kratos will try to not consume more memory. (default 1.00GB) - --expected-deviation duration Expected deviation of the time a hashing operation (~login request) takes. (default 500ms) - -h, --help help for hash - --iterations uint32 Number of iterations to start probing at. (default 1) - --key-length uint32 Length of the key in bytes. (default 32) - --memory byte_size Memory to use. (default 128.00MB) - --min-duration duration Minimal duration a hashing operation (~login request) takes. (default 500ms) - --parallel Run all hashing operations in parallel. - --parallelism uint8 Number of threads to use. (default 72) - --salt-length uint32 Length of the salt in bytes. (default 16) -``` - -### SEE ALSO - -- [kratos hashers argon2](kratos-hashers-argon2) - diff --git a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-load-test.md b/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-load-test.md deleted file mode 100644 index 2b0e77b08bb..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2-load-test.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -id: kratos-hashers-argon2-load-test -title: kratos hashers argon2 load-test -description: - kratos hashers argon2 load-test Simulate the password hashing with a number of - concurrent requests/minute. ---- - - - -## kratos hashers argon2 load-test - -Simulate the password hashing with a number of concurrent requests/minute. - -### Synopsis - -Simulates a number of concurrent authentication requests per minute. Gives -statistical data about the measured performance and resource consumption. Can be -used to tune and test the hashing parameters for peak demand situations. - -``` -kratos hashers argon2 load-test <authentication-requests-per-minute> [flags] -``` - -### Options - -``` - -c, --config strings Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file. - --dedicated-memory byte_size Amount of memory dedicated for password hashing. Kratos will try to not consume more memory. (default 1.00GB) - --expected-deviation duration Expected deviation of the time a hashing operation (~login request) takes. (default 500ms) - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -h, --help help for load-test - --iterations uint32 Number of iterations to start probing at. (default 1) - --key-length uint32 Length of the key in bytes. (default 32) - --memory byte_size Memory to use. (default 128.00MB) - --min-duration duration Minimal duration a hashing operation (~login request) takes. (default 500ms) - --parallelism uint8 Number of threads to use. (default 72) - -q, --quiet Be quiet with output printing. - --salt-length uint32 Length of the salt in bytes. (default 16) -``` - -### SEE ALSO - -- [kratos hashers argon2](kratos-hashers-argon2) - diff --git a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2.md b/docs/versioned_docs/version-v/cli/kratos-hashers-argon2.md deleted file mode 100644 index dfcf9960d84..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-hashers-argon2.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -id: kratos-hashers-argon2 -title: kratos hashers argon2 -description: kratos hashers argon2 ---- - - - -## kratos hashers argon2 - -### Options - -``` - -h, --help help for argon2 -``` - -### SEE ALSO - -- [kratos hashers](kratos-hashers) - This command contains helpers around - hashing -- [kratos hashers argon2 calibrate](kratos-hashers-argon2-calibrate) - Computes - Optimal Argon2 Parameters -- [kratos hashers argon2 hash](kratos-hashers-argon2-hash) - Hash a list of - passwords for benchmarking the hashing parameters -- [kratos hashers argon2 load-test](kratos-hashers-argon2-load-test) - Simulate - the password hashing with a number of concurrent requests/minute. diff --git a/docs/versioned_docs/version-v/cli/kratos-hashers.md b/docs/versioned_docs/version-v/cli/kratos-hashers.md deleted file mode 100644 index c789cdcf704..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-hashers.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -id: kratos-hashers -title: kratos hashers -description: kratos hashers This command contains helpers around hashing ---- - - - -## kratos hashers - -This command contains helpers around hashing - -### Options - -``` - -h, --help help for hashers -``` - -### SEE ALSO - -- [kratos](kratos) - -- [kratos hashers argon2](kratos-hashers-argon2) - diff --git a/docs/versioned_docs/version-v/cli/kratos-identities-delete.md b/docs/versioned_docs/version-v/cli/kratos-identities-delete.md deleted file mode 100644 index d49c283406a..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities-delete.md +++ /dev/null @@ -1,56 +0,0 @@ ---- -id: kratos-identities-delete -title: kratos identities delete -description: kratos identities delete Delete identities by ID ---- - - - -## kratos identities delete - -Delete identities by ID - -### Synopsis - -This command deletes one or more identities by ID. To delete an identity by some -selector, e.g. the recovery email address, use the list command in combination -with jq. - -We have to admit, this is not easy if you don't speak jq fluently. What -about opening an issue and telling us what predefined selectors you want to -have? https://github.com/ory/kratos/issues/new/choose - -``` -kratos identities delete <id-0 [id-1 ...]> [flags] -``` - -### Examples - -``` -To delete the identity with the recovery email address "foo@bar.com", run: - - $ kratos identities delete $(kratos identities list --format json | jq -r 'map(select(.recovery_addresses[].value == "foo@bar.com")) | .[].id') -``` - -### Options - -``` - -h, --help help for delete -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos identities](kratos-identities) - Tools to interact with remote - identities diff --git a/docs/versioned_docs/version-v/cli/kratos-identities-get.md b/docs/versioned_docs/version-v/cli/kratos-identities-get.md deleted file mode 100644 index 5ca6a98965b..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities-get.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -id: kratos-identities-get -title: kratos identities get -description: kratos identities get Get one or more identities by ID ---- - - - -## kratos identities get - -Get one or more identities by ID - -### Synopsis - -This command gets all the details about an identity. To get an identity by some -selector, e.g. the recovery email address, use the list command in combination -with jq. - -We have to admit, this is not easy if you don't speak jq fluently. What -about opening an issue and telling us what predefined selectors you want to -have? https://github.com/ory/kratos/issues/new/choose - -``` -kratos identities get <id-0 [id-1 ...]> [flags] -``` - -### Examples - -``` -To get the identities with the recovery email address at the domain "ory.sh", run: - - $ kratos identities get $(kratos identities list --format json | jq -r 'map(select(.recovery_addresses[].value | endswith("@ory.sh"))) | .[].id') -``` - -### Options - -``` - -h, --help help for get - -i, --include-credentials stringArray Include third party tokens (only "oidc" supported) -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos identities](kratos-identities) - Tools to interact with remote - identities diff --git a/docs/versioned_docs/version-v/cli/kratos-identities-import.md b/docs/versioned_docs/version-v/cli/kratos-identities-import.md deleted file mode 100644 index 89484d38b84..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities-import.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -id: kratos-identities-import -title: kratos identities import -description: kratos identities import Import identities from files or STD_IN ---- - - - -## kratos identities import - -Import identities from files or STD_IN - -### Synopsis - -Import identities from files or STD_IN. - -Files can contain only a single or an array of identities. The validity of files -can be tested beforehand using "... identities validate". - -WARNING: Importing credentials is not yet supported. - -``` -kratos identities import <file.json [file-2.json [file-3.json] ...]> [flags] -``` - -### Examples - -``` -$ cat > ./file.json <<EOF -{ - "schema_id": "default", - "traits": { - "email": "foo@example.com" - } -} -EOF - -$ kratos identities import file.json -# Alternatively: -$ cat file.json | kratos identities import -``` - -### Options - -``` - -h, --help help for import -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos identities](kratos-identities) - Tools to interact with remote - identities diff --git a/docs/versioned_docs/version-v/cli/kratos-identities-list.md b/docs/versioned_docs/version-v/cli/kratos-identities-list.md deleted file mode 100644 index 6859d65444b..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities-list.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -id: kratos-identities-list -title: kratos identities list -description: kratos identities list List identities ---- - - - -## kratos identities list - -List identities - -### Synopsis - -List identities (paginated) - -``` -kratos identities list [<page> <per-page>] [flags] -``` - -### Options - -``` - -h, --help help for list -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos identities](kratos-identities) - Tools to interact with remote - identities diff --git a/docs/versioned_docs/version-v/cli/kratos-identities-patch.md b/docs/versioned_docs/version-v/cli/kratos-identities-patch.md deleted file mode 100644 index 4e172c08da4..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities-patch.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -id: kratos-identities-patch -title: kratos identities patch -description: - kratos identities patch Patch identities by ID (not yet implemented) ---- - - - -## kratos identities patch - -Patch identities by ID (not yet implemented) - -``` -kratos identities patch <file.json [file-2.json [file-3.json] ...]> [flags] -``` - -### Options - -``` - -h, --help help for patch -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos identities](kratos-identities) - Tools to interact with remote - identities diff --git a/docs/versioned_docs/version-v/cli/kratos-identities-put.md b/docs/versioned_docs/version-v/cli/kratos-identities-put.md deleted file mode 100644 index ac06d1d3354..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities-put.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -id: kratos-identities-put -title: kratos identities put -description: kratos identities put Put identities from files or STD_IN ---- - - - -## kratos identities put - -Put identities from files or STD_IN - -### Synopsis - -Put (as in http PUT) identities from files or STD_IN. Files are expected to each -contain a single identity. The validity of files can be tested beforehand using -`... identities validate`. - -``` -kratos identities put [flags] -``` - -### Options - -``` - -h, --help help for put -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The upstream admin endpoint URL. Alternatively set using the KRATOS_ADMIN_ENDPOINT environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. - -q, --quiet Prints only IDs, one per line. Takes precedence over --format. -``` - -### SEE ALSO - -- [kratos identities](kratos-identities) - Tools to interact with remote - identities diff --git a/docs/versioned_docs/version-v/cli/kratos-identities-validate.md b/docs/versioned_docs/version-v/cli/kratos-identities-validate.md deleted file mode 100644 index 291f2634e1b..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities-validate.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -id: kratos-identities-validate -title: kratos identities validate -description: kratos identities validate Validate local identity files ---- - - - -## kratos identities validate - -Validate local identity files - -### Synopsis - -This command allows validation of identity files. It validates against the -payload of the API and the identity schema as configured in Ory Kratos. -Identities can be supplied via STD_IN or JSON files containing a single or an -array of identities. - -``` -kratos identities validate <file.json [file-2.json [file-3.json] ...]> [flags] -``` - -### Options - -``` - -h, --help help for validate -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos identities](kratos-identities) - Tools to interact with remote - identities diff --git a/docs/versioned_docs/version-v/cli/kratos-identities.md b/docs/versioned_docs/version-v/cli/kratos-identities.md deleted file mode 100644 index 443f04c46a2..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-identities.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -id: kratos-identities -title: kratos identities -description: kratos identities Tools to interact with remote identities ---- - - - -## kratos identities - -Tools to interact with remote identities - -### Options - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -h, --help help for identities - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos](kratos) - -- [kratos identities delete](kratos-identities-delete) - Delete identities by ID -- [kratos identities get](kratos-identities-get) - Get one or more identities by - ID -- [kratos identities import](kratos-identities-import) - Import identities from - files or STD_IN -- [kratos identities list](kratos-identities-list) - List identities -- [kratos identities patch](kratos-identities-patch) - Patch identities by ID - (not yet implemented) -- [kratos identities validate](kratos-identities-validate) - Validate local - identity files diff --git a/docs/versioned_docs/version-v/cli/kratos-jsonnet-format.md b/docs/versioned_docs/version-v/cli/kratos-jsonnet-format.md deleted file mode 100644 index 2956a8b1b17..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-jsonnet-format.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -id: kratos-jsonnet-format -title: kratos jsonnet format -description: kratos jsonnet format ---- - - - -## kratos jsonnet format - -### Synopsis - -Formats JSONNet files using the official JSONNet formatter. - -Use -w or --write to write output back to files instead of stdout. - -Glob Syntax: - - pattern: - { term } - - term: - '*' matches any sequence of non-separator characters - '**' matches any sequence of characters - '?' matches any single non-separator character - '[' [ '!' ] { character-range } ']' - character class (must be non-empty) - '{' pattern-list '}' - pattern alternatives - c matches character c (c != '*', '**', '?', '\', '[', '{', '}') - '\' c matches character c - - character-range: - c matches character c (c != '\\', '-', ']') - '\' c matches character c - lo '-' hi matches character c for lo <= c <= hi - - pattern-list: - pattern { ',' pattern } - comma-separated (without spaces) patterns - -``` -kratos jsonnet format path/to/files/*.jsonnet [more/files.jsonnet, [supports/**/{foo,bar}.jsonnet]] [flags] -``` - -### Options - -``` - -h, --help help for format - -w, --write Write formatted output back to file. -``` - -### SEE ALSO - -- [kratos jsonnet](kratos-jsonnet) - Helpers for linting and formatting JSONNet - code diff --git a/docs/versioned_docs/version-v/cli/kratos-jsonnet-lint.md b/docs/versioned_docs/version-v/cli/kratos-jsonnet-lint.md deleted file mode 100644 index c368e431e2c..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-jsonnet-lint.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -id: kratos-jsonnet-lint -title: kratos jsonnet lint -description: kratos jsonnet lint ---- - - - -## kratos jsonnet lint - -### Synopsis - -Lints JSONNet files using the official JSONNet linter and exits with a status -code of 1 when issues are detected. - -Glob Syntax: - - pattern: - { term } - - term: - '*' matches any sequence of non-separator characters - '**' matches any sequence of characters - '?' matches any single non-separator character - '[' [ '!' ] { character-range } ']' - character class (must be non-empty) - '{' pattern-list '}' - pattern alternatives - c matches character c (c != '*', '**', '?', '\', '[', '{', '}') - '\' c matches character c - - character-range: - c matches character c (c != '\\', '-', ']') - '\' c matches character c - lo '-' hi matches character c for lo <= c <= hi - - pattern-list: - pattern { ',' pattern } - comma-separated (without spaces) patterns - -``` -kratos jsonnet lint path/to/files/*.jsonnet [more/files.jsonnet, [supports/**/{foo,bar}.jsonnet]] [flags] -``` - -### Options - -``` - -h, --help help for lint -``` - -### SEE ALSO - -- [kratos jsonnet](kratos-jsonnet) - Helpers for linting and formatting JSONNet - code diff --git a/docs/versioned_docs/version-v/cli/kratos-jsonnet.md b/docs/versioned_docs/version-v/cli/kratos-jsonnet.md deleted file mode 100644 index 0e25ae8e25a..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-jsonnet.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -id: kratos-jsonnet -title: kratos jsonnet -description: kratos jsonnet Helpers for linting and formatting JSONNet code ---- - - - -## kratos jsonnet - -Helpers for linting and formatting JSONNet code - -### Options - -``` - -h, --help help for jsonnet -``` - -### SEE ALSO - -- [kratos](kratos) - -- [kratos jsonnet format](kratos-jsonnet-format) - -- [kratos jsonnet lint](kratos-jsonnet-lint) - diff --git a/docs/versioned_docs/version-v/cli/kratos-migrate-sql.md b/docs/versioned_docs/version-v/cli/kratos-migrate-sql.md deleted file mode 100644 index 7a766c00f01..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-migrate-sql.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -id: kratos-migrate-sql -title: kratos migrate sql -description: kratos migrate sql Create SQL schemas and apply migration plans ---- - - - -## kratos migrate sql - -Create SQL schemas and apply migration plans - -### Synopsis - -Run this command on a fresh SQL installation and when you upgrade Ory Kratos to -a new minor version. - -It is recommended to run this command close to the SQL instance (e.g. same -subnet) instead of over the public internet. This decreases risk of failure and -decreases time required. - -You can read in the database URL using the -e flag, for example: export DSN=... -kratos migrate sql -e - -### WARNING - -Before running this command on an existing database, create a back up! - -``` -kratos migrate sql <database-url> [flags] -``` - -### Options - -``` - -c, --config strings Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file. - -h, --help help for sql - -e, --read-from-env If set, reads the database connection string from the environment variable DSN or config file key dsn. - -y, --yes If set all confirmation requests are accepted without user interaction. -``` - -### SEE ALSO - -- [kratos migrate](kratos-migrate) - Various migration helpers diff --git a/docs/versioned_docs/version-v/cli/kratos-migrate.md b/docs/versioned_docs/version-v/cli/kratos-migrate.md deleted file mode 100644 index e3cf1cc934c..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-migrate.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -id: kratos-migrate -title: kratos migrate -description: kratos migrate Various migration helpers ---- - - - -## kratos migrate - -Various migration helpers - -### Options - -``` - -h, --help help for migrate -``` - -### SEE ALSO - -- [kratos](kratos) - -- [kratos migrate sql](kratos-migrate-sql) - Create SQL schemas and apply - migration plans diff --git a/docs/versioned_docs/version-v/cli/kratos-remote-status.md b/docs/versioned_docs/version-v/cli/kratos-remote-status.md deleted file mode 100644 index ae0d2875231..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-remote-status.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -id: kratos-remote-status -title: kratos remote status -description: - kratos remote status Print the alive and readiness status of a Ory Kratos - instance ---- - - - -## kratos remote status - -Print the alive and readiness status of a Ory Kratos instance - -``` -kratos remote status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos remote](kratos-remote) - Helpers and management for remote Ory Kratos - instances diff --git a/docs/versioned_docs/version-v/cli/kratos-remote-version.md b/docs/versioned_docs/version-v/cli/kratos-remote-version.md deleted file mode 100644 index fe2dc34772b..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-remote-version.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -id: kratos-remote-version -title: kratos remote version -description: kratos remote version Print the version of an Ory Kratos instance ---- - - - -## kratos remote version - -Print the version of an Ory Kratos instance - -``` -kratos remote version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### Options inherited from parent commands - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos remote](kratos-remote) - Helpers and management for remote Ory Kratos - instances diff --git a/docs/versioned_docs/version-v/cli/kratos-remote.md b/docs/versioned_docs/version-v/cli/kratos-remote.md deleted file mode 100644 index 31eab8ff0ad..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-remote.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -id: kratos-remote -title: kratos remote -description: - kratos remote Helpers and management for remote Ory Kratos instances ---- - - - -## kratos remote - -Helpers and management for remote Ory Kratos instances - -### Options - -``` - -e, --endpoint string The URL of Ory Kratos' Admin API. Alternatively set using the KRATOS_ADMIN_URL environmental variable. - -f, --format string Set the output format. One of table, json, and json-pretty. (default "default") - -h, --help help for remote - -q, --quiet Be quiet with output printing. -``` - -### SEE ALSO - -- [kratos](kratos) - -- [kratos remote status](kratos-remote-status) - Print the alive and readiness - status of a Ory Kratos instance -- [kratos remote version](kratos-remote-version) - Print the version of an Ory - Kratos instance diff --git a/docs/versioned_docs/version-v/cli/kratos-serve.md b/docs/versioned_docs/version-v/cli/kratos-serve.md deleted file mode 100644 index 4ceea0589af..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-serve.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -id: kratos-serve -title: kratos serve -description: kratos serve Run the Ory Kratos server ---- - - - -## kratos serve - -Run the Ory Kratos server - -``` -kratos serve [flags] -``` - -### Options - -``` - -c, --config strings Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file. - --dev Disables critical security features to make development easier - -h, --help help for serve - --sqa-opt-out Disable anonymized telemetry reports - for more information please visit https://www.ory.sh/docs/ecosystem/sqa - --watch-courier Run the message courier as a background task, to simplify single-instance setup -``` - -### SEE ALSO - -- [kratos](kratos) - diff --git a/docs/versioned_docs/version-v/cli/kratos-version.md b/docs/versioned_docs/version-v/cli/kratos-version.md deleted file mode 100644 index 47cf2e3ed93..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos-version.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -id: kratos-version -title: kratos version -description: kratos version Show the build version, build time, and git hash ---- - - - -## kratos version - -Show the build version, build time, and git hash - -``` -kratos version [flags] -``` - -### Options - -``` - -h, --help help for version -``` - -### SEE ALSO - -- [kratos](kratos) - diff --git a/docs/versioned_docs/version-v/cli/kratos.md b/docs/versioned_docs/version-v/cli/kratos.md deleted file mode 100644 index 5758d087f97..00000000000 --- a/docs/versioned_docs/version-v/cli/kratos.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -id: kratos -title: kratos -description: kratos ---- - - - -## kratos - -### Options - -``` - -h, --help help for kratos -``` - -### SEE ALSO - -- [kratos courier](kratos-courier) - Commands related to the Ory Kratos message - courier -- [kratos hashers](kratos-hashers) - This command contains helpers around - hashing -- [kratos identities](kratos-identities) - Tools to interact with remote - identities -- [kratos jsonnet](kratos-jsonnet) - Helpers for linting and formatting JSONNet - code -- [kratos migrate](kratos-migrate) - Various migration helpers -- [kratos remote](kratos-remote) - Helpers and management for remote Ory Kratos - instances -- [kratos serve](kratos-serve) - Run the Ory Kratos server -- [kratos version](kratos-version) - Show the build version, build time, and git - hash diff --git a/docs/versioned_docs/version-v/concepts/browser-redirect-flow-completion.mdx b/docs/versioned_docs/version-v/concepts/browser-redirect-flow-completion.mdx deleted file mode 100644 index 99f64bf516b..00000000000 --- a/docs/versioned_docs/version-v/concepts/browser-redirect-flow-completion.mdx +++ /dev/null @@ -1,153 +0,0 @@ ---- -id: browser-redirect-flow-completion -title: HTTP Redirection Configuration ---- - -Self-Service flows such as Login, Registration, Updating Settings support two -successful response modes: - -- For browsers, the response will be a [redirection](#redirection). -- For API clients (this includes AJAX) the response will be in [JSON](#json). - -## Redirection - -Browser requests, identified by the `Accept: text/html` header, complete with a -redirection flow. If no redirection URL is set for the flow, the Default -Redirect URL will be used for most flows (e.g. login, registration): - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - default_browser_return_url: https://always-end-up-here-per-default/ -``` - -It is possible to specify a redirect URL per Self-Service Flow: - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - flows: - login: - after: - default_browser_return_url: https://end-up-here-after-login/ - registration: - after: - default_browser_return_url: https://end-up-here-after-registration/ - # verification - # ... -``` - -You may also set redirect URLs per method (overrides -`selfservice.flows..default_return_to`): - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - flows: - login: - after: - default_browser_return_url: https://this-is-overridden-by-password/ - password: - default_browser_return_url: https://end-up-here-after-login-with-password/ - # ... -``` - -It is also possible to redirect someone back to the original URL. For example, -if a user requests `https://www.myapp.com/blog/write` but is not logged in, we -want the user to end up at that page after login. To achieve that, you append -`?return_to=https://www.myapp.com/blog/write` when initializing the Login / -Registration /Settings flow. - -Because Ory Kratos prevents Open Redirect Attacks, you need to whitelist the -domain in your Ory Kratos config when using the `?return_to=` query parameter. -For other return urls specified inside the configuration it is not necessary to -add the domain to the whitelist. - -Let's look at an example, here we are adding `myapp.com` to the whitelist, thus -we can now specify a dynamic return url like so -`?return_to=https://www.myapp.com/blog/write`. - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - whitelisted_return_urls: - - https://www.myapp.com/ -``` - -### Post-Login Redirection - -Post-login redirection considers the following configuration keys: - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - default_browser_return_url: https://end-up-here-per-default/ - flows: - login: - after: - # overrides url.default_browser_return_url - default_browser_return_url: https://this-is-overridden-by-password/ - password: - # overrides selfservice.login.after.default_browser_return_url - default_browser_return_url: https://end-up-here-after-login-with-password/ -``` - -### Post-Registration Redirection - -Post-login redirection considers the following configuration keys: - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - default_browser_return_url: https://end-up-here-per-default/ - flows: - registration: - after: - # overrides url.default_browser_return_url - default_browser_return_url: https://this-is-overridden-by-password/ - password: - # overrides selfservice.registration.after.default_browser_return_url - default_browser_return_url: https://end-up-here-after-registration-with-password/ -``` - -### Post-Settings Redirection - -Post-settings redirection **does not use** the `urls.default_redirect_to` -configuration key. Instead the redirect ends at the same Settings UI with the -same Settings Request ID and key `state` set to `success`. If the listed keys -are set, the redirection will end up at the specified values: - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - flows: - settings: - after: - default_redirect_to: https://this-is-overridden-by-password/ - password: - # overrides selfservice.settings.after.default_redirect_to - default_redirect_to: https://end-up-here-after-settings-with-password/ -``` - -### Post-Verification Redirection - -Post-verification redirection **does not use** the `urls.default_redirect_to` -configuration key. Instead the redirect ends at the same Verification UI with -the same Verification Request ID and key `state` set to `passed_challenge`. If -the listed keys are set, the redirection will end up at the specified values: - -```yaml file="path/to/my/kratos.config.yml" -selfservice: - flows: - verification: - after: - default_redirect_to: https://this-is-overridden-by-password/ -``` - -#### Specify Redirection URL during Registration - -Verification emails are usually sent in response to a successful registration -flow. To specify the redirect URL for the verification flow after registration, -append `after_verification_return_to` to the Browser Registration Init endpoint: - -``` -https://public.kratos/self-service/registration/browser?after_verification_return_to=https://my-redirect/foo -``` - -## JSON - -This feature is currently in prototype phase and will be documented at a later -stage. diff --git a/docs/versioned_docs/version-v/concepts/credentials.mdx b/docs/versioned_docs/version-v/concepts/credentials.mdx deleted file mode 100644 index f2884dd0cac..00000000000 --- a/docs/versioned_docs/version-v/concepts/credentials.mdx +++ /dev/null @@ -1,182 +0,0 @@ ---- -id: credentials -title: Overview ---- - -Each identity has one or more credentials associated with it: - -```yaml -credentials: - password: - id: password - identifiers: - - john.doe@acme.com - - johnd@ory.sh - config: - hashed_password: ... - oidc: - id: oidc - identifiers: - - google:j8kf7a3... - - facebook:83475891... - config: - - provider: google - identifier: j8kf7a3 - - provider: facebook - identifier: 83475891 -``` - -Ory Kratos supports several credential types: - -- `password`: The most common _identifier (username, email, ...) + password_ - credential. -- `oidc`: The "Log in with Google/Facebook/GitHub/..." credential. -- Other credentials - support other credential types (X509 Certificates, - Biometrics, ...) at will be added a later stage. - -Each credential - regardless of its type - has one or more identifiers attached -to it. Each identifier is universally unique. Assuming we had one identity with -credentials - -```yaml -credentials: - password: - id: password - identifiers: - - john.doe@acme.com -``` - -and tried to create (or update) another identity with the same identifier -(`john.doe@acme.com`), the system would reject the request with a 409 Conflict -state. - -While credentials must be unique per type, there can be duplicates amongst -multiple types: - -```yaml -# This is ok: -credentials: - password: - id: password - identifiers: - - john.doe@acme.com - oidc: - id: oidc - identifiers: - - john.doe@acme.com -``` - -The same would apply if those were two separate identities: - -```yaml -# Identity 1 -credentials: - password: - id: password - identifiers: - - john.doe@acme.com ---- -# Identity 2 -credentials: - oidc: - id: oidc - identifiers: - - john.doe@acme.com -``` - -## Authenticator Assurance Level (AAL) / Multi-Factor Authentication (MFA / 2FA) - -A detailed explanation of AAL can be found in the -[NIST Digital Identity Guidelines Section 4](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf): - -> The strength of an authentication transaction is characterized by an ordinal -> measurement known as the AAL. Stronger authentication (a higher AAL) requires -> malicious actors to have better capabilities and expend greater resources in -> order to successfully subvert the authentication process. Authentication at -> higher AALs can effectively reduce the risk of attacks. - -If an Ory Kratos Session meets AAL2, then it also meets AAL1. If it meets AAL3, -it also meets AAL2 and AAL1. - -### Authenticator Assurance Level 1 (AAL1) - -AAL1 provides some assurance that the claimant controls an authenticator bound -to the subscriber’s account. AAL1 requirements are met if the identity -authenticates with - -1. an identifier and password. -2. an out-of-band one time password (e.g. sending a login code to your email / - phone). -3. an OpenID Connect ID token. - -It is recommended to reauthenticate the session every 30 days. You can configure -this by setting the session age to 30 days. - - - - - This option is currently not configurable. - - - - - You can configure the session lifespan in the configuration: - - ```yaml title="path/to/kratos/config.yml - session: - lifespan: 720h # 30 days - ``` - - - - -### Authenticator Assurance Level 2 (AAL2) - -AAL2 can be achieved by combining two single-factor authenticators. AAL2 is met -if the Ory Kratos Session already meets AAL1 and - -1. a TOTP (Google Authenticator) challenge was completed. - -It is recommended to reauthenticate the session every 12 hours or after every 30 -minutes of inactivity: - -> At AAL2, authentication of the subscriber SHALL be repeated at least once per -> 12 hours during an extended usage session, regardless of user activity. -> Reauthentication of the subscriber SHALL be repeated following any period of -> inactivity lasting 30 minutes or longer. - -The 12 hours enforcement can be set on the session level. The inactive -enforcment needs to be implemented in your application. - - - - - This option is currently not configurable. - - - - - You can configure the session lifespan in the configuration: - - ```yaml title="path/to/kratos/config.yml - session: - lifespan: 12h - ``` - - - - -### Authenticator Assurance Level 3 (AAL3) - -AAL3 can currently not be achieved using Ory Kratos. We plan to provide AAL3 -capabilities once WebAuth is implemented. diff --git a/docs/versioned_docs/version-v/concepts/credentials/lookup-secrets.mdx b/docs/versioned_docs/version-v/concepts/credentials/lookup-secrets.mdx deleted file mode 100644 index 974bd622e66..00000000000 --- a/docs/versioned_docs/version-v/concepts/credentials/lookup-secrets.mdx +++ /dev/null @@ -1,40 +0,0 @@ ---- -id: lookup-secrets -title: 2FA Look-up Secrets and Recovery Codes ---- - -Lookup secrets (`lookup_secret`) are passwords generated by the server. These -passwords can only be used once, and the end-user typically downloads them, -stores them in their password manager, or writes them down. Lookup secrets are -commonly used when the end-user loses access to their TOTP or WebAuthn device! - -![Generating new recovery codes](../../images/lookup-codes/1.png) - -## Configuration - -Enabling this method is as easy as setting - -```yaml title="kratos.config.yml" -selfservice: - methods: - lookup_secret: - enabled: true -``` - -## Identity Credentials - -The `lookup_secret` method would generate a credentials block as follows: - -```yaml -credentials: - password: - id: lookup_secret - identifiers: - # This is the identity's ID - - 802471b9-06f5-49d4-a88d-5e7d6bcfed22 - config: - recovery_codes: - - code: 1bc6bea - - code: 1bc6bea - used_at: 2021-10-14T07:38:51Z -``` diff --git a/docs/versioned_docs/version-v/concepts/credentials/openid-connect-oidc-oauth2.mdx b/docs/versioned_docs/version-v/concepts/credentials/openid-connect-oidc-oauth2.mdx deleted file mode 100644 index 0cf3fe0d430..00000000000 --- a/docs/versioned_docs/version-v/concepts/credentials/openid-connect-oidc-oauth2.mdx +++ /dev/null @@ -1,318 +0,0 @@ ---- -id: openid-connect-oidc-oauth2 -title: Social Sign In, OpenID Connect, and OAuth2 ---- - -import useBaseUrl from '@docusaurus/useBaseUrl' - -The `oidc` method uses OpenID Connect, or OAuth2 where OpenID Connect is not -supported, to authenticate identities using a third-party identity provider, -such as Google, Microsoft, GitHub - or any other OAuth2 / OpenID Connect -provider (for example [Ory Hydra](https://www.ory.sh/hydra)). "Social Sign In" -or "Sign in with ..." are common aliases for this flow. - -This strategy expects that you've set up your -[Default Identity Schema](../identity-schema.mdx). - -## Configuration - -You can configure multiple OAuth2 / OpenID Connect providers. First, enable the -`oidc` method: - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - methods: - oidc: - enabled: true -``` - -Next, you need to configure the providers you want to use (e.g. GitHub). - -:::info - -The most important configuration key is the provider's `id`. Once set, you -should never remove or change that `id`. Otherwise, your existing users will no -longer be able to sign in. - -::: - -The provider configuration looks as follows: - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - methods: - oidc: - config: - providers: - - # REQUIRED - The ID of the provider. - # DO NOT change this once this is in use. - id: github - - # REQUIRED - The provider you would like to use. Ory Kratos comes with some predefined providers to make - # life easier for you, but you can always opt for the "generic" provider, which works - # with any Certified OpenID Connect Provider (Google, Ory Hydra, ...): - # - # provider: github - # provider: google - # .... more to come - # - provider: generic - - # REQUIRED - See section "Data Mapping with Jsonnet" for more information. - mapper_url: http://mydomain.com/github.schema.json - - # The OAuth2 / OpenID Connect provider will provide you with a OAuth2 Client ID and Client Secret. You need - # to set them here: - client_id: ... - client_secret: ... - - # What scope to request. Usually, this would be something like "profile" or "email". - # Please check the documentation of the OAuth2 / OpenID Connect provider to see what's allowed here. - scope: - - email - - # issuer_url is the OpenID Connect Server URL. You can leave this empty if `provider` is not set to `generic`. - # If set, neither `auth_url` nor `token_url` are required. - issuer_url: http://openid-connect-provider/ - - # auth_url is the authorize url, typically something like: https://example.org/oauth2/auth - # Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when - # `provider` is set to `generic`. - auth_url: http://openid-connect-provider/oauth2/auth - - # token_url is the token url, typically something like: https://example.org/oauth2/token - # Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when - # `provider` is set to `generic`. - token_url: http://openid-connect-provider/oauth2/token - - # requested_claims json object that specifies claims and optionally their properties which should - # be included in the id_token or returned from the UserInfo Endpoint. - # - # More information: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter - requested_claims: - userinfo: - given_name: - essential: true - nickname: null - email: - essential: true - email_verified: - essential: true - picture: null - http://example/info/claims/groups: null - id_token: - auth_time: - essential: true - acr: - values: ['urn:mace:incommon:iap:silver'] - sub: - value: 248289761001 -``` - -:::info - -It is very important to add the "session" hook to the after oidc registration -hooks. Otherwise your users need to use the login flow again to be able to get a -session. - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - flows: - registration: - after: - oidc: - hooks: - - hook: session -``` - -::: - -## Data Mapping with Jsonnet - -The data provided by Google, GitHub, Facebook, and others will vary in payloads. -One service might include the `website` or `phone_number` while another might -not. - -Therefore you need to specify how this data maps to the identity's traits. You -can do that by writing a [Jsonnet Code Snippet](../../reference/jsonnet.mdx) and -referencing that in your Ory Kratos config file: - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - methods: - oidc: - config: - providers: - - id: github - # ... - mapper_url: file://path/to/my/kratos/github.data-mapper.jsonnet - # You can also load this from a HTTP(S) source: - mapper_url: https://domain.com/path/to/my/kratos/github.data-mapper.jsonnet - # Or inline it using base64 encoding: - mapper_url: base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7CmlmIHN0ZC5sZW5ndGgoY2xhaW1zLnN1YikgPT0gMCB0aGVuCiAgZXJyb3IgJ2NsYWltIHN1YiBub3Qgc2V0JwplbHNlCiAgewogICAgaWRlbnRpdHk6IHsKICAgICAgdHJhaXRzOiB7CiAgICAgICAgZW1haWw6IGNsYWltcy5zdWIsCiAgICAgICAgW2lmICJ3ZWJzaXRlIiBpbiBjbGFpbXMgdGhlbiAid2Vic2l0ZSIgZWxzZSBudWxsXTogY2xhaW1zLndlYnNpdGUsCiAgICAgIH0sCiAgICB9LAogIH0= -``` - -Ory Kratos adds an external variable called `claims` to the data mapper. It -contains all the claims (e.g. username, email, ...) for the OpenID Connect or -OAuth2 Provider. Keep in mind that the claims will vary per provider and per -flow - depending on what permissions the user grants you (e.g. "App XYZ cannot -see my private email"). Your Jsonnet code must return a JSON object that looks -like: - -```json5 -{ - identity: { - traits: { - /* ... */ - } - } -} -``` - -:::note - -For more information on Jsonnet check out our -[Jsonnet Documentation](../../reference/jsonnet.mdx). - -To debug Jsonnet payloads, use the `--dev` flag and set `log.level` to `debug` -(e.g. `LOG_LEVEL=debug kratos serve --dev`). Logs with detailed payloads will be -emitted once you complete an OpenID Connect / OAuth2 login or registration. - -::: - -The Jsonnet code snippet - -```jsonnet title="path/to/my/kratos/github.data-mapper.jsonnet" -# claims contains all the data sent by the upstream. -local claims = std.extVar('claims'); - -{ - identity: { - traits: { - email: claims.email, // If email is not set the Jsonnet snippet will fail with an error. - [if "website" in claims then "website" else null]: claims.website, // The website claim is optional. - }, - }, -} -``` - -returns - -```json -{ - "identity": { - "traits": { - "email": "foo@ory.sh", - "website": "https://www.ory.sh" - } - } -} -``` - -when the ID Token body (or the OAuth2 equivalent) returned by the OpenID Connect -provider contains: - -```json -{ - "sub": "some-identity-id-4hA8gk", - "email": "foo@ory.sh", - "website": "https://www.ory.sh" -} -``` - -which is then being used for the identity's traits. - -The `sub` field, which is returned by OpenID Connect and OAuth2 servers alike is -used as the primary credential identifier for the provider. This allows Ory -Kratos to link the identity to the "social sign in profile" for future login -flows: - -```yaml -# This is the YAML representation of an identity -id: '9f425a8d-7efc-4768-8f23-7647a74fdf13' - -credentials: - oidc: - id: oidc - identifiers: - - example:some-identity-id-4hA8gk - config: - - provider: example - identifier: some-identity-id-4hA8gk - -schema_url: http://foo.bar.com/person.schema.json # This comes from the default identity schema url. - -traits: - email: foo@ory.sh # This is extracted from `username` using - website: https://www.ory.sh # This is extracted from `username` using -``` - -### External Variable `claims` - -The `std.ExtVar('claims')` object has the following structure and keys -available: - -```go -package oidc - -type Claims struct { - Issuer string `json:"iss,omitempty"` - Subject string `json:"sub,omitempty"` - Name string `json:"name,omitempty"` - GivenName string `json:"given_name,omitempty"` - FamilyName string `json:"family_name,omitempty"` - LastName string `json:"last_name,omitempty"` - MiddleName string `json:"middle_name,omitempty"` - Nickname string `json:"nickname,omitempty"` - PreferredUsername string `json:"preferred_username,omitempty"` - Profile string `json:"profile,omitempty"` - Picture string `json:"picture,omitempty"` - Website string `json:"website,omitempty"` - Email string `json:"email,omitempty"` - EmailVerified bool `json:"email_verified,omitempty"` - Gender string `json:"gender,omitempty"` - Birthdate string `json:"birthdate,omitempty"` - Zoneinfo string `json:"zoneinfo,omitempty"` - Locale string `json:"locale,omitempty"` - PhoneNumber string `json:"phone_number,omitempty"` - PhoneNumberVerified bool `json:"phone_number_verified,omitempty"` - UpdatedAt int64 `json:"updated_at,omitempty"` - HD string `json:"hd,omitempty"` -} -``` - -## Identity Traits Validation and Data Completion - -Sometimes the data provided by OpenID Connect or OAuth2 Providers is not enough. -A common example is asking the user to consent to the terms of service. No -OpenID Connect or OAuth2 provider will be able to give you this information -because these are your terms. Another example would be a user not agreeing to -share his/her email address with you when authorizing your OAuth2 app. - -If such a validation error occurs, the user will be redirected to the -Registration UI. The Registration Flow includes all the valid and invalid -fields: - -Missing website field in OpenID Connect / OAuth2 provider claims - -When submitting the form again, the data provided by the user and the data -coming from the OpenID Connect / OAuth2 provider will be merged. This process -repeats itself - -Invalid website field in OpenID Connect / OAuth2 provider claims - -until the identity's traits are valid against the defined JSON Schema. - -For more information on this flow (network flow, examples, UI, ...) head over to -the -[OpenID Connect and OAuth2 Self-Service Method Documentation](../../self-service/flows/user-registration.mdx). diff --git a/docs/versioned_docs/version-v/concepts/credentials/totp.mdx b/docs/versioned_docs/version-v/concepts/credentials/totp.mdx deleted file mode 100644 index 23de8bf9b4a..00000000000 --- a/docs/versioned_docs/version-v/concepts/credentials/totp.mdx +++ /dev/null @@ -1,85 +0,0 @@ ---- -id: totp -title: 2FA TOTP (Google Authenticator) ---- - -Time-Based One-Time Password (TOTP) is a standardized algorithm (see -[RFC6238](https://datatracker.ietf.org/doc/html/rfc6238)) that is used by apps -supported by apps like Google Authenticator -([iOS](https://apps.apple.com/us/app/google-authenticator/id388497605), -[Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2)), -[1Password](https://support.1password.com/one-time-passwords/), -[Bitwarden](https://bitwarden.com/help/article/authenticator-keys/), and many -others. - -![Google Authenticator App](../../images/totp-google-auth-app.png) - -## Configuration - -Enabling this method is as easy as setting - -```yaml title="kratos.config.yml" -selfservice: - methods: - totp: - enabled: true - config: - # The issuer (e.g. a domain name) will be shown in the TOTP app (e.g. Google Authenticator). It helps the user differentiate between different codes. - issuer: Example.com -``` - -### Identity Schema - -To help the user identify the correct code in their TOTP authenticator app, you -should set the `issuer` (see code example above) to your brand name or domain -name. However, users might have multiple identities registered in your system. -To help them distinguish between them, you can specify a traits in your Identity -Schema which should be the TOTP account name (in the screenshot above -`alice@example.org`): - -```patch title="identity.schema.json" -{ - $schema: 'http://json-schema.org/draft-07/schema#', - type: 'object', - properties: { - traits: { - type: 'object', - properties: { - email: { - type: 'string', - format: 'email', - title: 'Your E-Mail', - minLength: 3, - 'ory.sh/kratos': { - credentials: { - // ... -+ totp: { -+ account_name: true -+ } - } - // ... - } - } - // ... - } - // ... - } - } -} -``` - -## Identity Credentials - -The `totp` method would generate a credentials block as follows: - -```yaml -credentials: - password: - id: totp - identifiers: - # This is the identity's ID - - 802471b9-06f5-49d4-a88d-5e7d6bcfed22 - config: - # This is the TOTP URL which contains the pre-shared key and some additional meta-information. - totp_url: otpauth://totp/Example:alice@example.org?secret=JBSWY3DPEHPK3PXP&issuer=Example -``` diff --git a/docs/versioned_docs/version-v/concepts/credentials/username-email-password.mdx b/docs/versioned_docs/version-v/concepts/credentials/username-email-password.mdx deleted file mode 100644 index 6c0a4ca8055..00000000000 --- a/docs/versioned_docs/version-v/concepts/credentials/username-email-password.mdx +++ /dev/null @@ -1,435 +0,0 @@ ---- -id: username-email-password -title: Username / Email & Password ---- - -The `password` method is the most commonly used form of authentication, it -requires an `identifier` (username, email, phone number, ...) and a `password` -during registration and login. - -Ory Kratos hashes the password after registration, password reset, and password -change using: - -- BCrypt (default). -- [Argon2](../security.mdx#Argon2) - -## Configuration - -Enabling this method is as easy as setting - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - methods: - password: - enabled: true -``` - -in your Ory Kratos configuration. - -You can configure the BCrypt hasher using the following options: - -```yaml title="path/to/my/kratos/config.yml" -hashers: - algorithm: bcrypt -``` - -:::warning - -BCrypt has a maximum length of 72 bytes for passwords. If a longer password is -attempted to be used, an error will be returned to the user. - -::: - -Bcrypt algorithm can be configured only by the following `cost` option (default -value is 12): - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -hashers: - bcrypt: - cost: 12 -``` - -By default, Kratos uses BCrypt algorithm for password hashing. Use the following -option to use the Argon2id algorithm: - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -hashers: - argon2: - parallelism: 1 - memory: 128MB - iterations: 3 - salt_length: 16 - key_length: 32 -``` - -To determine the ideal parameters, head over to the -[setup guide](../../guides/setting-up-password-hashing-parameters). - -When a user signs up using this method, the Default Identity Schema (set using -`identity.default_schema_url`) is used: - -```yaml title="path/to/my/kratos/config.yml" -identity: - default_schema_url: file:///path/to/default-identity.schema.json - # also works with HTTP(S): - # - # default_schema_url: https://mydomain.com/path/to/default-identity.schema.json -``` - -If you don't know what that means, please read the -[Identity Schema Chapter](../../concepts/identity-schema.mdx) in the docs' -concepts section. - -For a complete reference, defaults, and description please check the -[Configuration Reference](../../reference/configuration.md). - -For a better understanding of security implications imposed by Argon2 -Configuration, head over to [Argon2 Security](../security.mdx#argon2). - -## Choosing between Username, Email, Phone Number - -Before you start, you need to decide what data you want to collect from your -users and why! It is hard to change this decision afterwards, so make sure -you've taken everything into account! - -When logging in, the user will use a login identifier and a password to sign up -and in. The identifier can be - -- a username - e.g. "john.doe" or "johndoe123" or "oryuser", -- an email address - e.g. `john.doe@gmail.com`, -- a phone number - e.g. `+49-1234-4321-1234-4321`. - -All of these approaches have up- and downsides. - -Using the email address as the login identifier is easy to remember, does not -require additional fields (because the email address is already being -collected), and is usually unique. It's usually unique because sometimes -companies use a "shared" email account (e.g. office@acme.org) to access -services. In that case, multiple real identities are using the same email -identifier to log in. - -The email address however represents a unique identifier and personally -identifiable information (PII). An attacker could for example check if an email -address (e.g. `john.doe@gmail.com`) is registered at a site (e.g. an adult -website) and use that information for blackmail (see -[Account Enumeration Attacks](../security.mdx#account-enumeration-attacks)). - -The same considerations apply to using a phone number as the primary -registration & login identifier. - -Using a free text username reduces the privacy risk because it is much harder to -make a connection between the username and a real world identity. It's still -possible in cases where users choose a username such as -"john.doe.from.newyork.1970", but finding the right username identifier is still -difficult and there is plausible deniability because anyone could use that -username. - -A free text username however requires capturing additional fields (e.g. an email -address for password resets / account recovery) and is hard to remember. It is -often very difficult to find unique usernames as people tend to use a -combination of their names and initials (e.g. `john.doe`) which has a high -chance of collision. Therefore, one ends up with usernames such as -`john.doe1234432`. - -It is important to understand that Ory Kratos lowercases all `password` -identifiers and therefore E-Mail addresses. Characters `+` or `.` which have -special meaning for some E-Mail Providers (e.g. GMail) are not normalized: - -- `userNAME` is equal to `username` -- `foo@BaR.com` is equal to `foo@bar.com` -- `foo+baz@bar.com` is NOT equal to `foo@bar.com` -- `foo.baz@bar.com` is NOT equal to `foobaz@bar.com` - -You need to decide which route you want to take. - -### Picking the right Identity Schema - -When processing an identity and its traits, the method will use -[JSON Schema](../../reference/json-schema-json-paths.md) to extract one or more -identifiers. - -#### Use Case: Email and Password - -To use the email address as the login identifier, define the following Identity -JSON Schema: - -```json -{ - "$id": "https://example.com/registration.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "type": "string", - "format": "email", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - } - } - } - } -} -``` - -#### Use Case: Multiple E-Mails and Password - -You can allow users to sign up with multiple E-Mail Addresses and use any of -those for log in: - -```json -{ - "$id": "https://example.com/registration.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "emails": { - "type": "array", - "items": { - "type": "string", - "format": "email", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - } - } - } - } - } -} -``` - -#### Use Case: Username and Password - -To use a username as the login identifier, define the following Identity JSON -Schema: - -```json -{ - "$id": "https://example.com/registration.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "username": { - "type": "string", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - } - } - } - } -} -``` - -#### Use Case: Username and Email and Password - -You may also mix usernames and passwords: - -```json -{ - "$id": "https://example.com/registration.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "type": "string", - "format": "email", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - }, - "username": { - "type": "string", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - } - } - } - } -} -``` - -### Use Case: Phone Number And Password - -> This will be addressed in a future release and is tracked as -> [kratos#137](https://github.com/ory/kratos/issues/137). - -## Hashed Password Format - -### BCrypt - -Ory Kratos can hash passwords by BCrypt and can compare stored BCrypt hash and -migrate if configured hasher (`hashers.algorithm`) is not BCrypt. - -#### Format - -BCrypt format is described -[here](https://en.wikipedia.org/wiki/Bcrypt#Description). - -### Argon2 - -Ory Kratos can hash passwords by Argon2 and can compare stored Argon2 hash and -migrate if configured hasher (`hashers.algorithm`) is not Argon2. - -#### Format - -`$argon2id$v=$m=,t=,p=$` - -#### Parameters - -- `version`(`number`): The current version. -- `memory`(`number`): Amount of memory to use. -- `iterations`(`number`): Number of iterations to perform. -- `parallelism`(`number`): Degree of parallelism. -- `hash`(`string`): The computed derived key by the Argon2 algorithm encoded in - base64. - -#### Example - -`$argon2id$v=19$m=32,t=2,p=4$cm94YnRVOW5jZzFzcVE4bQ$MNzk5BtR2vUhrp6qQEjRNw` - -### PBKDF2 - -Ory Kratos doesn't hash passwords by PBKDF2 but can compare stored PBKDF2 hash -and migrate to configured hasher (`hashers.algorithm`). - -But Kratos doesn't have ability to import credentials now. There is an open -issue for this feature:[Issue](https://github.com/ory/kratos/issues/605). - -#### Format - -`$pbkdf2-$i=,l=$$` - -#### Parameters - -- `digest`(`string`): The HMAC digest algorithm applied to derive a key of the - input password. -- `iterations`(`number`): The number of iterations desired. The higher the - number of iterations, the more secure the derived key will be, but will take a - longer amount of time to complete. -- `length`(`number`): Length in octets of derived key. -- `salt`(`string`): A sequence of bits, known as a cryptographic salt encoded in - base64. -- `hash`(`string`): The computed derived key by the PBKDF2 algorithm encoded in - base64. - -#### Example - -`$pbkdf2-sha256$i=100000,l=32$1jP+5Zxpxgtee/iPxGgOz0RfE9/KJuDElP1ley4VxXc$QJxzfvdbHYBpydCbHoFg3GJEqMFULwskiuqiJctoYpI` - -## Example - -Assuming your Identity Schema is as follows: - -```json -{ - "$id": "https://example.com/example.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "first_name": { - "type": "string" - }, - "email": { - "type": "string", - "format": "email", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - }, - "username": { - "type": "string", - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - } - }, - "additionalProperties": false - } - } -} -``` - -And an identity registers with the following JSON payload (more on registration -in [Selfservice Registration](../../self-service/flows/user-registration.mdx)): - -```json -{ - "traits": { - "first_name": "John Doe", - "email": "john.doe@example.org", - "username": "johndoe123" - }, - "password": "my-secret-password" -} -``` - -The `password` method would generate a credentials block as follows: - -```yaml -credentials: - password: - id: password - identifiers: - - john.doe@example.org - - johndoe123 - config: - hashed_password: ... # this would be a hash of `my-secret-password` string -``` - -Because credential identifiers need to be unique, no other identity can be -created that has `johndoe123` or `john.doe@example.org` as their `email` or -`username`. diff --git a/docs/versioned_docs/version-v/concepts/credentials/webauthn.mdx b/docs/versioned_docs/version-v/concepts/credentials/webauthn.mdx deleted file mode 100644 index 5a962e36573..00000000000 --- a/docs/versioned_docs/version-v/concepts/credentials/webauthn.mdx +++ /dev/null @@ -1,4 +0,0 @@ ---- -id: webauthn -title: 2FA FIDO2 & U2F (WebAuthn) ---- diff --git a/docs/versioned_docs/version-v/concepts/docker.md b/docs/versioned_docs/version-v/concepts/docker.md deleted file mode 100644 index b90e0e70061..00000000000 --- a/docs/versioned_docs/version-v/concepts/docker.md +++ /dev/null @@ -1,90 +0,0 @@ ---- -id: docker -title: Docker Images ---- - -## Supported tags and respective `Dockerfile` links - -- [`latest`, `v0.4.3-alpha.1`, `v0.4.3`, `v0.4`, `v0`](https://github.com/ory/kratos/blob/v0.4.3-alpha.1/.docker/Dockerfile) -- [`latest-sqlite`, `v0.4.3-alpha.1-sqlite`, `v0.4.3-sqlite`, `v0.4-sqlite`, `v0-sqlite`](https://github.com/ory/kratos/blob/v0.4.3-alpha.1/.docker/Dockerfile-sqlite) - -## Image Variants - -The `Kratos` Docker images come in two different flavors, one with and one -without SQLite support. All Docker images with the postfix -`kratos:-sqlite` in the tag are compiled with embed SQLite support and -uses libmusl. All Docker images (`kratos:`) without the postfix -`-sqlite` are compiled without SQLite support and therefore also don't include -libmusl. - -If you don't make use of the embedded SQLite support we recommend to use the -Docker images without SQLite support as they are smaller in size, include fewer -libraries and therefore have a smaller attack surface. - -## How to use these images - -In order to make the provided Docker images as useful as possible they can be -configured through a set of supported Environment variables. In addition the -default configuration directory can be bound to a directory of choice to make it -simple to pass in your own configuration files. - -### Environment Variables - -#### `DSN` - -This environment variable allows you to specify the database source name. As the -`DSN` normally consists of the url to the database system and the credentials to -access the database it is recommended to specify the `DSN` using a Environment -variable. - -**Example:** - -`docker run -e DSN="memory" oryd/kratos:latest` - -#### `SECRETS_DEFAULT` - -This environment variable allows you to specify the secret used to sign and -verify signatures and encrypt things: - -**Example:** - -`docker run -e SECRETS_DEFAULT="CHANGE-ME" oryd/kratos:v0.4.3-alpha.1` - -### Volumes - -If the file `$HOME/.kratos.yaml` exists, it will be used as the configuration -file. The provided Kratos Docker images currently do not include a default -configuration file, but make it easy to pass in your own configuration file(s) -by either binding a local directory or by creating your own custom Docker Image -and adding the configuration file(s) to the custom image. - -#### Binding host directory - -**Example:** In this example we start the standard Docker container with SQLite -support and use the quickstart email-password example configuration files by -bind mounting the local directory. This example assumes that you checked out the -Kratos Git repo and execute the Docker command in the Kratos Git repo directory: - -``` -docker run -it -e DSN="memory" \ - --mount type=bind,source="$(pwd)"/contrib/quickstart/kratos/email-password,target=/home/ory \ - oryd/kratos:latest-sqlite -``` - -In general we only recommend this approach for local development. - -#### Creating custom Docker image - -You can create your own, custom Kratos Docker images which embeds your -configuration files by simply using the official Kratos Docker images as the -Base Image and just adding your configuration file(s) as shown in the example -below: - -```dockerfile -FROM oryd/kratos:latest -COPY contrib/quickstart/kratos/email-password/kratos.yml /home/ory -``` - -### Examples - -Below you find different examples how to use the official Kratos Docker images. diff --git a/docs/versioned_docs/version-v/concepts/email-sms.md b/docs/versioned_docs/version-v/concepts/email-sms.md deleted file mode 100644 index 02cf2400ef6..00000000000 --- a/docs/versioned_docs/version-v/concepts/email-sms.md +++ /dev/null @@ -1,219 +0,0 @@ ---- -id: email-sms -title: Out-of-band communication via E-Mail and SMS ---- - -Ory Kratos sends out-of-band messages via SMS or E-Mail. These messages are -required for The following exemplary use cases require these messages: - -- Send an account activation email -- Verify an E-Mail address or mobile phone number using SMS -- Preventing Account Enumeration Attacks -- Sending a 2FA Codes -- ... - -## Mail courier - -Ory Kratos processes email dispatch using a mail courier worker, which must run -as a singleton in order to process the mail queue correctly. It can be run as a -background worker on a single-instance Kratos setup or as a distinct singleton -foreground worker in multi-instance deployments. - -### Single instance - -To run the mail courier in the background on your single Kratos instance, add -the `--watch-courier` flag to your `kratos serve` command, as outlined in the -[CLI docs](../cli/kratos-serve.md) - -### Multi-instance - -If you're running multiple instances of Kratos (eg replicated Kubernetes -deployment), you need to run the mail courier as a separate singleton job. The -courier can be started with the `kratos courier watch` command -([CLI docs](../cli/kratos-courier.md)). - -## Sending E-Mails via SMTP - -To have E-Mail delivery running with Ory Kratos requires an SMTP server. This is -set up in the configuration file using an absolute URL with the `smtp` or -`smtps` scheme: - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -courier: - smtp: - connection_uri: smtps://foo:bar@my-smtp-server:1234/ - # Examples: - # - "smtp://foo:bar@my-mailserver:1234/?disable_starttls=true - # (NOT RECOMMENDED: Cleartext smtp for devel and legacy infrastructure - # only)" - # - smtp://foo:bar@my-mailserver:1234/ (Explicit StartTLS with certificate - # trust verification) - # - "smtp://foo:bar@my-mailserver:1234/?skip_ssl_verify=true (NOT - # RECOMMENDED: Explicit StartTLS without certificate trust verification)" - # - smtps://foo:bar@my-mailserver:1234/ (Implicit TLS with certificate trust - # verification) - # - "smtps://foo:bar@my-mailserver:1234/?skip_ssl_verify=true (NOT - # RECOMMENDED: Implicit TLS without certificate trust verification)" -``` - -### Sender Address and Template Customization - -You can customize the sender address and email templates. - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -courier: - ## SMTP Sender Address ## - # - # The recipient of an email will see this as the sender address. - # - # Default value: no-reply@ory.kratos.sh - # - # Set this value using environment variables on - # - Linux/macOS: - # $ export COURIER_SMTP_FROM_ADDRESS= - # - Windows Command Line (CMD): - # > set COURIER_SMTP_FROM_ADDRESS= - # - smtp: - from_address: no-reply@ory.kratos.sh - ## Override message templates ## - # - # You can override certain or all message templates by pointing this key to the path where the templates are located. - # - # Examples: - # - /conf/courier-templates - # - # Set this value using environment variables on - # - Linux/macOS: - # $ export COURIER_TEMPLATE_OVERRIDE_PATH= - # - Windows Command Line (CMD): - # > set COURIER_TEMPLATE_OVERRIDE_PATH= - # - template_override_path: /conf/courier-templates -``` - -Ory Kratos comes with built-in templates. If you wish to define your own, custom -templates, you should define `template_override_path`, as shown above, to -indicate where your custom templates are located. This will become the -`` for your custom templates, as indicated below. - -`email.subject.gotmpl`, `email.body.gotmpl` and `email.body.plaintext.gotmpl` -are common template file names expected in the sub directories of the root -directory, corresponding to the respective methods for filling e-mail subject -and body. - -> Templates use the golang template engine in the `text/template` package for -> rendering the `email.subject.gotmpl` and `email.body.plaintext.gotmpl` -> templates, and the `html/template` package for rendering the -> `email.body.gotmpl` template: https://pkg.go.dev/text/template > -> https://pkg.go.dev/html/template -> -> Templates can use the [Sprig](https://github.com/Masterminds/sprig) library, -> which provides more than 100 commonly used template functions: -> http://masterminds.github.io/sprig/ - -- **recovery**: recovery email templates directory, expected to be located in - `/recovery` - - valid: sub directory, expected to be located in - `/recovery/valid`, containing templates with variables `To`, - `RecoveryURL` and `Identity` for validating a recovery - - invalid: sub directory, expected to be located in - `/recovery/invalid`, containing templates with variables `To` - for invalidating a recovery -- **verification**: verification email templates directory, expected to be - located in `/verification` - - valid: sub directory, expected to be located in - `/verification/valid`, containing templates with variables - `To`, `VerificationURL` and `Identity` for validating a verification - - invalid: sub directory, expected to be located in - `/verification/invalid`, containing templates with variables - `To` for invalidating a verification - -For example: -[`https://github.com/ory/kratos/blob/master/courier/template/courier/builtin/templates/verification/valid/email.body.gotmpl`](https://github.com/ory/kratos/blob/master/courier/template/courier/builtin/templates/verification/valid/email.body.gotmpl) - -```gotmpl title="courier/template/templates/verification/valid/email.body.gotmpl" -Hi, please verify your account by clicking the following link: - -{{ .VerificationURL }} -``` - -```gotmp title="courier/template/templates/verification/valid/email.body.plaintext.gotmpl" -Hi, please verify your account by clicking the following link: {{ .VerificationURL }} -``` - -If you're running multiple instances of Kratos and separate courier job, make -sure to provide templates to all instances (both Kratos and courier). - -### The Identity attribute - -To be able to customize the content of templates based on the identity of the -recipient of the e-mail, the identity has been made available as `Identity`. -This object is a map containing all the attributes of an identity, such as `id`, -`state`, `recovery_addresses`, `verifiable_addresses` and `traits`. - -### Nested templates - -You can use nested templates to render `email.subject.gotmpl`, -`email.body.gotmpl` and `email.body.plaintext.gotmpl` templates. - -#### Example: i18n customization - -Using nested templates, you can either use in-line template definitions, or as -in this example, use separate templates. In this example, we will define the -email body for recovery e-mails. Assuming that we have an attribute named `lang` -that contains the required language in the `traits` of the identity, we can -define our templates as indicated below. - -```txt file="/recovery/valid/email.body.gotmpl" - -{{- if eq .Identity.traits.language "de" -}} -{{ template "email.body.de.gotmpl" . }} -{{- else -}} -{{ template "email.body.en.gotmpl" . }} -{{- end -}} -{{.RecoveryURL }} -``` - -```txt file="/recovery/valid/email.body.de.gotmpl" - -Hallo {{ upper .Identity.traits.firstName }}, - -Um Ihr Konto wiederherzustellen, klicken Sie bitte auf den folgenden Link: -``` - -```txt file="/recovery/valid/email.body.en.gotmpl" - - -Hello {{ upper .Identity.traits.firstName }}, - -to recover your account, please click on the link below: -``` - -As indicated by the example, we need a root template, which is the -`email.body.gotmpl` template, and then we define sub templates that conform to -the following pattern: `email.body*`. You can also see that the `Identity` of -the user is available in all templates, and that you can use Sprig functions -also in the nested templates. - -### Custom Headers - -You can configure custom SMTP headers. For example, if integrating with AWS SES -SMTP interface, the headers can be configured for cross-account sending: - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -courier: - smtp: - headers: - X-SES-SOURCE-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com - X-SES-FROM-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com - X-SES-RETURN-PATH-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com -``` - -## Sending SMS - -The Sending SMS feature is not supported at present. It will be available in a -future version of Ory Kratos. diff --git a/docs/versioned_docs/version-v/concepts/federation.md b/docs/versioned_docs/version-v/concepts/federation.md deleted file mode 100644 index 288c7ef3fa3..00000000000 --- a/docs/versioned_docs/version-v/concepts/federation.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -id: federation -title: Federation ---- - -Ory Kratos does not support federation features itself, but it integrates with -projects like [Ory Hydra](https://www.ory.sh/hydra) that implement federation -protocols. - -## Becoming an OAuth2 and OpenID Connect Provider - -Future releases of Ory Kratos will integrate with -[Ory Hydra](https://www.ory.sh/hydra) natively to support OAuth2 and OpenID -Connect use cases. diff --git a/docs/versioned_docs/version-v/concepts/identity-schema.mdx b/docs/versioned_docs/version-v/concepts/identity-schema.mdx deleted file mode 100644 index 2268c13015b..00000000000 --- a/docs/versioned_docs/version-v/concepts/identity-schema.mdx +++ /dev/null @@ -1,321 +0,0 @@ ---- -id: identity-schema -title: Identity Schema ---- - -import Mermaid from '@theme/Mermaid' - -An identity ("user", "user account", "account", "subject") is the "who" of a -software system. It can be a customer, employee, user, contractor, or even a -programmatic identity such as an IoT device, application, or some other type of -"robot." - -:::info - -In Ory Kratos' terminology we call all of them "identities", and it is always -exposed as `identity` in the API endpoints, requests, and response payloads. In -the documentation however, we mix these words as "account recovery" or "account -activation" is a widely accepted and understood terminology and user flow, while -"identity recovery" or "identity activation" is not. - -::: - -The following examples use YAML for improved readability. However, the API -payload is usually in JSON format. An `identity` has the following properties: - -```yaml title="$ curl http://kratos/admin-endpoint/identities/9f425a8d-7efc-4768-8f23-7647a74fdf13" -# A UUID that is generated when the identity is created and -# which cannot be changed or updated at a later stage. -id: '9f425a8d-7efc-4768-8f23-7647a74fdf13' - -# Every identity has a state. Inactive identities will not be able to log into the system. -state: active - -# This section represents all the credentials associated with this identity. -# It is further explained in the "Credentials" section. -credentials: - password: - id: password - identifiers: - - john.doe@acme.com - - johnd@ory.sh - config: - hashed_password: ... - oidc: - id: oidc - identifiers: - - google:j8kf7a3... - - facebook:83475891... - config: - - provider: google - identifier: j8kf7a3 - - provider: facebook - identifier: 83475891 - -# This is the JSON Schema ID used for validating the identities' traits. -# `default` is a special keyword to set this to the schema set by -# `default_schema_url`, but it can be any another schema as well. -# e.g. customer, employee, employee-v2 -schema_id: default - -# Traits represent information about the identity, such as the first or last name. The traits content is completely -# up to you and will be validated using the JSON Schema at `traits_schema_url`. -traits: - # These are just examples - email: office@ory.sh - name: - first: Aeneas - last: Rekkas - favorite_animal: Dog - accepted_tos: true -``` - -## Identity State - -Identities are - -- `created` - via API or self-service registration; -- `updated` - via API or self-service settings, account recovery, etc.; -- `inactive` - via API only; -- `deleted` - via API or with a self-service flow (not yet implemented see - [#596](https://github.com/ory/kratos/issues/596)). - -The identity state is therefore `active` or `inactive`. - -An inactive identity will not be able to log into the system. It will receive a -401 with a reason indicating that the account has been disabled. More states -will be added later on for specific features. - - Active: create -Active --> Active: update -Active --> Inactive: disable -Inactive --> [*]: delete -Inactive --> Active: enable -`} -/> - -## Identity Traits and JSON Schemas - -Traits are data associated with an identity. You have to define its schema -according to your application's needs. They are also supposed to be modified by -the identity itself e.g. as part of the registration or profile update process -as well as anyone having access to Ory Krato's Admin API. - -Ory Kratos uses -[JSON Schema](https://json-schema.org/learn/getting-started-step-by-step.html) -to validate Identity Traits. - -Ory Kratos defines JSON Schema extension "Vocabulary" that allows you to tell -Ory Kratos that a specific trait adds some specific meaning to the standard JSON -Schema (more on that later). - -Each identity can, theoretically, have a different JSON Schema. This is useful -in the following situations: - -- there is more than one type of identity in the system for instance customers, - support or staff; -- the system includes both users and robots sometimes also known as named - service accounts; -- the system needs to ingest another company's Identity Schema, and -- the system's Identity Schema changes or grows over time and requires - versioning. - -The following example illustrates a usage scenario with three types of -identities: Regular customers, -[grandfather accounts](https://en.wikipedia.org/wiki/Grandfather_clause), and -Service Accounts (e.g. Microsoft provides -[Service Accounts](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts)). -There would be one JSON Schema per type of identity: - -- Customers: `http://mydomain.com/schemas/v2/customer.schema.json` -- Grandfather Accounts: `http://mydomain.com/schemas/v1/customer.schema.json` -- Service Accounts: `http://mydomain.com/schemas/service-account.schema.json` - -Ory Kratos expects the JSON Schemas in its configuration file: - -```yaml -identity: - # This will be the default JSON Schema. If `schema_id` is empty when creating an identity using the - # Admin API, or a user signs up using a selfservice flow, this schema will be used. - # - # This is a required configuration field! - default_schema_url: http://foo.bar.com/person.schema.json - - # Optionally define additional schemas here: - schemas: - # When creating an identity that uses this schema, `traits_schema_id: customer` would be set for that identity. - - id: customer - url: http://foo.bar.com/customer.schema.json -``` - -Ory Kratos validates the Identity Traits against the corresponding schema on all -writing operations (create / update). The employed business logic must be able -to distinguish these three types of identities. You might use a switch statement -like in the following example: - -```go -// This is an example program that can deal with all three types of identities -session, err := ory.SessionFromRequest(r) -// some error handling -switch (session.Identity.SchemaID) { - case "customer": - // ... - case "employee": - // ... - case "default": - fallthrough - default: - // ... -} -``` - -:::warning - -Please keep in mind that the Identity Schema is not a place to store sensitive -information that should not be visible to the end-user! Users can see traits and -other data - except credentials - using the `sessions/whoami` endpoint. The -Identity Schema is not the right place to store data that should be obfuscated -from the user! - -::: - -## Identity Schema Vocabulary Extensions - -Because Ory Kratos does not know that a particular field has a system-relevant -meaning you have to specify these in the schema. This includes for example: - -- The email address for recovering a lost password -- The identifier for logging in with a password e.g. username or email -- The phone number for enabling SMS 2FA -- ... - -Ory Kratos' JSON Schema Vocabulary Extension can be used within a property: - -```json -{ - "$id": "http://mydomain.com/schemas/v2/customer.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "A customer (v2)", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "title": "E-Mail", - "type": "string", - "format": "email", - - // This tells Ory Kratos that the field should be used as the "username" for the username+password flow. - // It is an extension to the regular JSON Schema vocabulary. - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - } - } - } - } -} -``` - -An overview of available configuration options follows in the next sections. - -### Identifier for Username and Password Flows - -You can configure Ory Kratos to use specific fields as the _identifier_ e.g. -username, email, phone number, etc., in the Username and Password Registration -and Login Flow: - -```json -{ - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } -} -``` - -Looking at the traits from above - -```yaml -traits: - # These are just examples - email: office@ory.sh - name: - first: Aeneas - last: Rekkas - favorite_animal: Dog - accepted_tos: true -``` - -and using a JSON Schema that uses the `email` field as the identifier for the -password flow - -```json -{ - "$id": "http://mydomain.com/schemas/v2/customer.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "A customer (v2)", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "title": "E-Mail", - "type": "string", - "format": "email", - - // This tells Ory Kratos that the field should be used as the "username" for the Username and Password Flow. - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - }, - "name": { - "type": "object", - "properties": { - "first": { - "type": "string" - }, - "last": { - "type": "string" - } - } - }, - "favorite_animal": { - "type": "string" - }, - "accepted_tos": { - "type": "string" - } - }, - "required": ["email"], - "additionalProperties": false - } - } -} -``` - -In this example, Ory Kratos understands that traits:email: `office@ory.sh` is -the identity's identifier. The system expects `office@ory.sh` plus a password to -sign in. - -[Username and Password Credentials](credentials/username-email-password.mdx) -contains more information and examples. - -There are currently no other extensions supported for Identity Traits. Further -fields will be added in future releases! diff --git a/docs/versioned_docs/version-v/concepts/index.md b/docs/versioned_docs/version-v/concepts/index.md deleted file mode 100644 index 8c950f14536..00000000000 --- a/docs/versioned_docs/version-v/concepts/index.md +++ /dev/null @@ -1,284 +0,0 @@ ---- -id: index -title: Overview ---- - -Ory Kratos is a new software archetype **Identity Infrastructure Service**. -Traditional identity systems - sometimes referred to as Identity and Access -Management (IAM), Identity Management (IdM), Identity Provider (IP/IdP), or -Identity as a Service (IDaaS) - have shortcomings that highlight the main -differences between Ory Kratos and other systems. - -Ory Kratos solves identity on the network. It is not an on-device, for instance -mobile phones, user database. In Ory Kratos there is always an exchange of -credentials. In the case of web applications and identity: - -- Username + Password -> Cookie, Token, ... -- Email + Password -> Cookie, Token, ... -- Passwordless login -> Cookie, Token, ... - -Even for alternative use cases for example mobile, browser, or native -application there is either a cookie, which accesses the application directly -through the browser, or a token that accesses the application using a -programmatic client via an API. While it is nowadays common - but bad practice - -to use tokens for "Single Page Apps" or apps running on the client-side browser, -there is no real difference between these two approaches as both represent a set -of credentials valid for a certain domain or a number of domains. - -Still, many identity systems primarily rely on OAuth2 and OpenID Connect. The -reasons for this would perhaps include the following: - -- Assumption - it is certifiable; -- Assumption - it offloads complexity to developers who need to interact with - and figure out e.g. `AppAuth`, `PassportJS`, and similar OAuth2 and OpenID - Connect SDKs developed by open source communities; -- Assumption - selling complexity as security; -- Assumption - the nature of closed source does not allow for new, open and - de-facto standards to emerge and instead uses a consenus driven feature set, - even if it doesn't fit the use case 100%. - -While Ory Kratos is currently not certifiable, it tackles these topics as -follows: - -- With inspiration from the approach taken in the Kubernetes Project, Ory - provides an open source project that hopefully becomes an open standard in the - future. -- Prioritise simplicity and ease of use for developers. Ory Kratos integrates - critical security components without relying on complex flows and protocols. - -Using Ory Kratos it is possible to consume OAuth2 and OpenID Connect, and/or -create an OAuth2 and OpenID Connect Provider by combining Ory Kratos with -[Ory Hydra](http://github.com/ory/hydra) . - -With a primary developer audience, Ory designs, secures, and tests critical -network flows, system architectures, user flows, protocols, and business logic. - -## Today's Landscape - -Let's take a look at different approaches and software systems today. - -### Full-stack Identity and Access Management (IAM) - -_Disclaimer: There are neither product nor project names in this section. This -section's goal is to describe circumstances and problems that mostly stem from -the community's experience. For information purposes, there is a preliminary -comparison of Ory Kratos and other projects and products available at -[Comparison](../further-reading/comparison.md)_. - -Full-stack IAM is usually sold as a one-size-fits-all solution. Due to size and -complexity, these full-stack solutions are typically written in an enterprise -class programming language such as Java EE. The full-stack products have rich -feature sets that include: - -- theming to customize the user experience, and to constrain the anticipated - theming use case; -- HTML Template Engines specific to the language used, such as Java Server Pages - or - [Apache FreeMarker™](https://www.keycloak.org/docs/latest/server_development/#html-templates); -- plugin loaders and APIs to add custom logic or even custom API endpoints, - specific to the language used by the project; and -- features such as integrated Load Balancers, Service Discovery, and other - features designed prior to today's mature cloud architectures. - -Full-stack software projects come with some overhead: - -- the software has a large disk, CPU, and memory footprint; -- while scaling and clustering for High Availability is possible, it is complex - since inter-process-communication for caches and other features is required - for example using protocols such as [JGroups](http://jgroups.org/); and -- starting off with pre-defined use cases is easy, yet customization and - application specific features require much more work. - -Most full-stack projects we've seen are in-house solutions for IAM problems. -Imagine Google releasing their IAM as an open source product. It's certainly -great, and it covers a lot of ground, but it also comes with drawbacks: - -- Strict data models specific to the company developing the product: -- Inflexible login process with either a username or an email for login, but not - both or unable to change it later; -- Any application specific additional attributes are stored as unstructured - data, sometimes even as plain key/value pairs; -- Complex build pipelines when using modern frontend frameworks like React or - Angular in the HTML Rendering engine; -- The user model stays the same, even when differentiating between customers and - employees in your system; and -- API consumption is usually an after-thought because most flows are built - around the user doing something in the browser. All of the above leads to - added complexity in application development and deployment due to session - management, cookie management, CSRF protection, and other mechanisms related - to identity and security. - -### Identity as a Service (IDaaS) - -In today's market, with many proprietary SAAS companies offering Identity as a -Service, it seems easy to make sign-on cumbersome for both developers and users. -Even with delegated third party login processes such as "Login with Google," -where OAuth2 and OpenID Connect are often the primary protocols, the challenge -is making a secure and simple login without any extra overhead, for instance, -with Oauth2 and OpenID. - -Ory's focus is on simplicity, user experience, and above all, using the right -tools and technologies for the target application. Feedback from Ory's user -community as well as the open source development efforts in creating the OAuth2 -and OpenID Connect server [Ory Hydra](https://github.com/ory/hydra), show that -implementing OAuth2 or OpenID Connect is often frustrating and too complex. -These technologies are not one size fits all, and not designed for every -implementation scenario. - -The main point is that OAuth2 and OpenID Connect protocols solve identity -federation. For instance, when the target application authenticates an identity -or authorizes access by using a system outside of the application's control, for -example within an enterprise, company domain or another third party service. -These protocols don't solve processes like updating a user's profile, adding a -secondary recovery email, solving 2FA, storing and managing sessions, or solving -global logout. These processes are the developer's responsibility and while the -OAuth2 and OpenID Connect protocols offer a way to securely solve identity -federation over the browser, they do not solve: - -- Storage and management of all these tokens. These would often end up in the - localStore making them vulnerable to XSS attacks. Or in a cookie issued by an - HTTP server; here an extra function would need to be developed. -- Managing and storing the user session. This would require the developer to - create the cookie for the session, delete the cookie at log out, and to make - sure that the cookie implements best security practices. -- Refreshing expiring tokens. While this function is straightforward for one - request, synchronising for example fifteen concurrent requests can be - difficult. - -The point is that OAuth2 is hard to use because the intended use cases (for -instance "Facebook Photo Backups") are very specific, and the proper security -mechanisms need to be in place to deal with malicious third parties. Ory Kratos -simplifies user login. - -### Use a library - -Due to the multitude of programming languages across front end, backend and core -infrastructure, Ory Kratos embraced a polyglot design. In other words Ory Kratos -provides Software Development Kits (SDK) and libraries for the main programming -languages. - -As software development teams grow, product requirements change. During a -development lifecycle different parts, for instance humans, servers, and code, -need to scale to size. Over time, the original product splits into smaller, more -manageable chunks. The libraries chosen at the outset will need to run on the -newest version of the programming language. Sometimes even the programming -language or implementation framework are subject to change as a whole. Still, -the identity system is often so interlinked with all of the source code, -middlewares, annotations, shared state, etc., that it becomes an absolute -nightmare to decouple. - -### Roll your own - -Starting from scratch is sometimes the only option to fulfill the product's -architectural requirements. In this case, the following are some of the main -considerations and challenges in Ory's efforts: - -- To manage changing user models; -- To choose and use some encryption algorithms such as BCrypt, PBKDF2, Scrypt, - Argon2, Argon2i, Argon2id, Argon2d. There are many alternatives and most of - the algorithms have numerous versions and parametrization options for example - "Salt length parameter." The multitude of options makes it hard to configure - the most secure setting; -- To consider and implement a wide range of processes and process variants. For - instance, the user signs up via email, and later uses "Sign up with Google" - that has the same email address. Or, the user previously signed up using the - email/password process or flow, and then signs up using "Sign up with Google" - and vice versa. Even these fairly simple use cases warrant considerable - development effort to correctly implement with some degree of user - friendliness; -- To prevent security threats for example - [account enumeration attacks](); -- To implement two factor authentication (2FA). When the user loses access to a - registered and approved device, there should be a fallback phone number for - SMS or offline security codes; -- To understand and use all of the important rules such as activation, welcome, - etc., around sending emails that don't alert spam filters; -- To support a broad ecosystem of products and services. For example in the - event that a target application needs to notify Stripe when a new customer - signs up. - -The list above is purposely kept short. There are very many things to consider -when building Kratos in concert with the other products Ory Keto, Ory Hydra, and -Ory Oathkeeper. The list is really, really long. - -## Introducing Ory Kratos - -Considering all of the information above, there would be enough context to -understand why and how Ory Kratos started, and why it's different from other -more conventional approaches. Ory Kratos uses a new stack, is open source, and -peer reviewed and developed in a broad community of experts. - -### Solving a specific problem domain - -Ory Kratos addresses a clearly defined problem domain: - -- managing credentials such as passwords, recovery email addresses, and security - questions; -- authentication including secure login, keeping track of sessions and devices; -- selfservice account management for example update profile, add/update email - addresses, and changing passwords; -- account/identity administration such as create, read, delete, update, import, - and get; and -- managing identity data for example first name, last name, profile picture, and - birthday, etc. - -Ory has numerous products that support the protocols OAuth2 or OpenID Connect in -[Ory Hydra](http://github.com/ory/hydra), a permission system in -[Ory Keto](http://github.com/ory/keto), and a Reverse Proxy in -[Ory Oathkeeper](http://github.com/ory/oathkeeper). - -### Software Architecture - -Ory's -[Software Architecture and Philosophy](https://www.ory.sh/docs/ecosystem/software-architecture-philosophy) -document, explains the architectural beliefs and framework behind the Ory -Products in particular: - -- Small runtime footprint with an about five (5) MB binary running on all - operating systems without any system, library, or VM dependencies; -- Fully virtualized in a fifteen (15) MB Docker image; -- Easy to manage with exactly one binary for the server and the cli; -- Run-time orchestration using the latest Kubernetes providing fast and easy to - use [Helm charts](https://github.com/ory/k8s); -- Horizontal scaling with no etcd key value store or memcached or adjacent tool - required. - -### Bring your own User Interface (Framework) - -Ory's approach to user interface and user experience is to provide for an -interaction concept with maximum flexibility and creativity. Some companies need -[progressive profiling](https://blog.hubspot.com/blog/tabid/6307/bid/34155/how-to-capture-more-and-better-lead-intel-with-progressive-profiling.aspx) -and build a NodeJS app. Other companies desire to capture everything in one go, -using Client-Side JavaScript library such as Angular or React. Some companies -want an iOS-native registration and login experience. While Ory's cloud native -headless API approach address many integration and UI issues, with Ory Kratos, -predefined flows make it easy to implement a custom user interface for login, -registration, profile management, account reset, etc. Furthermore, to make it -very easy to get started there is a reference implementation -[github.com/ory/kratos-selfservice-ui-node](https://github.com/ory/kratos-selfservice-ui-node). - -For more details about each individual flow, consult the -[Self-Service Flows Chapter](../self-service.mdx). - -### Bring your own Identity Schema(s) - -Sometimes it is necessary to store more than one type of identity in your -system: - -- A customer that uses email + password to login, and needs to set a birthdate; - or -- An employee that uses a unique username + password to login with a cost center - attached to the profile. - -Ory Kratos implements both scenarios by using -[Identity Schemas](./identity-schema.mdx) - -### Forget passport-js, oidc-client, ... - -While proprietary and bespoke middleware can protect APIs and Web endpoints, Ory -Open Source provides a base solution for many use cases. For example, Ory Kratos -integrates with Ory Oathkeeper, a Reverse Proxy solution. Defining Access Rules -is as easy as writing a few lines of JSON / JSON5 / YAML! - -Please consult the [Quickstart documentation](../quickstart.mdx), for further -information. diff --git a/docs/versioned_docs/version-v/concepts/management-ui.mdx b/docs/versioned_docs/version-v/concepts/management-ui.mdx deleted file mode 100644 index 3c6a1c33e27..00000000000 --- a/docs/versioned_docs/version-v/concepts/management-ui.mdx +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: management-ui -title: Administrative User / Management Interface ---- - -Ory Kratos has an administrative user / management interface which is available -when you run Ory Kratos on [Ory Cloud](https://www.ory.sh/). diff --git a/docs/versioned_docs/version-v/concepts/rest-api.mdx b/docs/versioned_docs/version-v/concepts/rest-api.mdx deleted file mode 100644 index 5af6e407f39..00000000000 --- a/docs/versioned_docs/version-v/concepts/rest-api.mdx +++ /dev/null @@ -1,54 +0,0 @@ ---- -id: rest-api -title: REST API Design ---- - -This chapter contains generally applicable information on API design. When using -Ory services, one can expect a consistent experience when interacting with REST -APIs. - -## Pagination - -On REST endpoints that are explicitly labeled as such, pagination information is -available through the `Link` HTTP header. - -The `Link` header contains a comma-delimited list of links to the following -pages (where applicable): - -- First -- Next -- Previous (prev) -- Last - -Pages are created based on the values of `per_page` and `page` provided in the -querystring, where `per_page` is the page size, and `page` is the current page. - -In most scenarios, the `per_page` should be a multiple of the `page`. - -Example: - -``` -> GET /resources?per_page=5&page=10 HTTP/1.1 -> Host: localhost:4445 -> User-Agent: curl/7.64.1 -> Accept: */* -> -< HTTP/1.1 200 OK -< Content-Type: application/json -< Link: ; rel="first",; rel="next",; rel="prev",; rel="last" -< Date: Mon, 22 Apr 2019 23:34:29 GMT -< Transfer-Encoding: chunked -< -[...] -``` - -## Date Format - -Ory's APIs use [rfc3339](https://tools.ietf.org/html/rfc3339) as the date -format: - -``` -{ - "created_at": "2006-01-02T15:04:05+07:00" -} -``` diff --git a/docs/versioned_docs/version-v/concepts/securing-applications.md b/docs/versioned_docs/version-v/concepts/securing-applications.md deleted file mode 100644 index c9a44d6b3b6..00000000000 --- a/docs/versioned_docs/version-v/concepts/securing-applications.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -id: securing-applications -title: Securing Applications ---- - -This chapter will cover how to secure applications using Ory Kratos and Ory -Oathkeeper. In the future, we will also provide reference to using Ory Keto for -permissions. diff --git a/docs/versioned_docs/version-v/concepts/security.mdx b/docs/versioned_docs/version-v/concepts/security.mdx deleted file mode 100644 index 07c99f5a872..00000000000 --- a/docs/versioned_docs/version-v/concepts/security.mdx +++ /dev/null @@ -1,433 +0,0 @@ ---- -id: security -title: Threat Models and Security Profiles ---- - -:::warning - -Please be aware that this chapter is still work in progress. Not all mitigation -strategies have been implemented yet in Ory Kratos! - -::: - -Running any software that stores personal information exposes the -developer/company to risks. Analyzing which threat agents pose a risk, -understanding the possible motivations for an attack, or why an agent is a -threat, knowing the attack surface, the likelihood, and the impact are important -all aspects of a threat model. - -This documentation can not substitute a thorough and serious threat model, yet -it will provide some guidelines to help configure Ory Kratos in a way that makes -it best suited for any risk assessment. - -## Account Enumeration Attacks - -:::warning - -This feature is a work in progress and is tracked as -[kratos#133](https://github.com/ory/kratos/issues/133). - -It does not yet work as documented! - -::: - -> "Often, web applications reveal when a username exists on system, either as a -> consequence of a misconfiguration or as a design decision. For example, -> sometimes, when we submit wrong credentials, we receive a message that states -> that either the username is present on the system or the provided password is -> wrong. The information obtained can be used by an attacker to gain a list of -> users on system. This information can be used to attack the web application, -> for example, through a brute force or default username/password attack. -> Description of the Issue" -> -> [Source]() - -Considering the above, an example would be for example an adult website. A -threat agent wants to blackmail a well known politician by checking if someone -can sign up at that website using the `well-known-politician@email.com` email. - -If the service responds with -`Sorry, that email is already signed up here. Did you try to log in instead?`, -the agent is able to proceed with some type of blackmail scheme. - -[OWASP defines several Black-Box tests]() -that cover Account Enumeration Scenarios. - -This attack usually makes only sense if an email address or a phone number is -collected during registration. For chosen usernames, this attack is much more -difficult, as the attacker has to know what usernames the victim is using. - -There are three common ways an attacker can figure out if a user is signed up at -a service: - -- During login: "No user with this email address was found" -- During registration or email update: "A user with this email address exists - already" -- During password reset: "No user with this email address was found" - -To mitigate this attack, the following methods need to be deployed: - -- The login form should return the same message regardless of whether the - password is wrong or the email/username does not exist: "The provided - credentials are invalid." -- The password reset form should always return a success message and send out an - email. If the email address is registered, a normal password reset email is - sent. If the email address is not registered, an email is sent to the address - indicating that no account is set up with that email address. This is helpful - to users that have multiple email addresses and are using the wrong email - address for the password reset. -- The registration form should also always return a success message and send out - an email. If the email address is not yet registered, a regular "account - activation" email is sent out. If the email address is registered already, a - email is sent out telling the user that the account is already set up, and - link to the login screen. - -:::important - -If you wish to mitigate account enumeration attacks, it is important to note -that you cannot sign in users directly after sign up! Depending on the type of -service you provide, you might not care about this specific attack in which case -direct login after sign up would be ok. - -::: - -### Hash Timing Attack Mitigation - -A timing attack against password hashing looks as follows: - -1. Login to an existing account and measure time which takes, depending on the - hashing configuration, between 200ms and 2s;0 -2. Try out other accounts (e.g. `alice@example.org`). If the account does not - exist, password hashing does not run, hence it takes much less time for the - server to answer (< 100ms). - -To protect against this attack, Ory Kratos adds a configurable delay with -standard deviation to login flows where the account does not exist. - -### Enabling Account Enumeration Defenses - -Assuming you wish to enable account enumeration defenses, you need to configure -Ory Kratos as follows: - -- Collect one or more email addresses during sign up and enable email - verification. -- **Do not** enable the `session` post-registration workflow. - -```yaml -selfservice: - flows: - verification: - enabled: true -``` - -#### Defending Against Account Enumeration when using OpenID Connect - -Scenario: In some cases you might want to use the email address returned by e.g. -the GitHub profile to be added to your identity's account. You might also want -to use it as an email + password identifier so that the identity is able to log -in with a password as well. An attacker is able to exploit that by creating a -social profile on another site (e.g. Google) and use the victims email address -to set it up (this only works when the victim does not yet have an account with -that email at Google). The attacker can then use that "spoofed" social profile -to try and sign up with your Ory Kratos installation. Because the victim's email -address is already known to Ory Kratos, the attacker might be able to observe -the behavior (e.g. seeing an error page) and come to the conclusion that the -victim already has an account at the website. - -Mitigation: This attack surface is rather small and requires a lot of effort, -including forging an e.g. Google profile, and can fail at several stages. To -completely mitigate any chance of that happening, only accept email addresses -that are marked as verified in your Jsonnet code: - -```json title="contrib/quickstart/kratos/email-password/oidc.github.jsonnet" -local claims = { - email_verified: false -} + std.extVar('claims'); - -{ - identity: { - traits: { - // Allowing unverified email addresses enables account - // enumeration attacks, especially if the value is used for - // e.g. verification or as a password login identifier. - // - // Therefore we only return the email if it (a) exists and (b) is marked verified - // by GitHub. - [if "email_primary" in claims && claims.email_verified then "email" else null]: claims.email_primary, - }, - }, -} -``` - -### Disabling Account Enumeration Defenses - -Enforcing email verification, which requires an email round trip and disrupts -the sign up process, is not always feasible. In these cases, you might want to -disable account enumeration defenses. - -If you enable the `session` post-registration workflow - signing the user in -directly after registration - disables account enumeration defenses: - -```yaml -selfservice: - flows: - registration: - after: - password: - - hook: session -``` - -## Account Takeover Defenses - -The Settings Flow implements account takeover defenses as it is not possible to -change the password without knowing the existing password. A good example of -this flow is the -[GitHub sudo mode](https://help.github.com/en/github/authenticating-to-github/sudo-mode). - -## Passwords - -Password-based authentication flows are subject to frequent abuse through - -- Social Engineering Attacks; -- Password Guessing Attacks; -- Phishing Attacks. - -:::info - -Further improvements are work in progress and are tracked on -[GitHub](https://github.com/ory/kratos/labels/package%2Fselfservice%2Fpassword). - -::: - -### Expensive Hashing with BCrypt - -Ory Kratos supports BCrypt for password hashing per default. BCrypt is -recommended when you want hashing to take at most one second: - -```yaml -hashers: - algorithm: bcrypt - bcrypt: - cost: 12 -``` - -### Expensive Hashing with Argon2 - -Ory Kratos supports Argon2 for password hashing. Argon2 is recommended when you -want hashing to take at least 2 seconds. You can tweak the Argon2 configuration -in your Ory Kratos configuration file: - -```yaml -hashers: - algorithm: argon2 - argon2: - memory: 128MB - iterations: 2 - parallelism: 4 - salt_length: 16 - key_length: 32 -``` - -To determine the ideal parameters, head over to the -[setup guide](../guides/setting-up-password-hashing-parameters.md). - -### Password Policy - -To prevent weak passwords Ory Kratos implements different measures. Users often -choose passwords similar to their traits. To prevent this Ory Kratos ensures -there is a sufficient -[Levenshtein-Distance](https://en.wikipedia.org/wiki/Levenshtein_distance) (aka -"Edit-Distance") between the identifier and the password. It also makes sure -that the identifier and password have a small enough longest common substring. - -Furthermore the `password` method comes with a build-in check against the -["Have I been pwned"](https://haveibeenpwned.com) breach database. This way Ory -Kratos makes sure your users cannot use passwords like "password", "123456" or -any other commonly used one. To protect the value of the password the -[range API](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange) is -being used. - -#### Password Policy Best Practices - -Almost every service with a login offers some type of registration using a -password. Therefore, there are many strategies floating around, with many of -them implementing terrible and insecure patterns such as: - -- Not allowing special characters in passwords. -- Not allowing the use of password managers by disabling the "paste" - functionality in password fields. -- Requiring you to rotate your password every month (passwords expire). -- ... - -Troy Hunt has written an -[excellent piece on password policies](https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/) -and why they recently changed and how. - -Ory Kratos implements a password policy that: - -- Checks if a password has previously been leaked using the - [HIBP API](https://haveibeenpwned.com/API/v2), -- Checks if a password is too similar to one of the identifiers, -- Does not expire passwords. - -This is a rundown of all the practices Ory Kratos implements and why. **Some -things need to be implemented by yourself** as they must be implemented in the -User Interface that interfaces with Ory Kratos. You can find these in the -[User Interface Guidelines](#user-interface-guidelines) section. - -##### Password Complexity - -This outline and quotes are defined in the -[NIST Digital Identity Guidelines - 5.1.1.2 Memorized Secret Verifiers](https://pages.nist.gov/800-63-3/sp800-63b.html). -Ory Kratos, unless explicitly advertised, implements these guidelines and best -practices. - -Passwords must have a minimum length of 8 characters and all characters -(unicode, ASCII) must be allowed: - -> Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 -> characters in length. Verifiers SHOULD permit subscriber-chosen memorized -> secrets at least 64 characters in length. All printing ASCII [RFC 20] -> characters as well as the space character SHOULD be acceptable in memorized -> secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To -> make allowances for likely mistyping, verifiers MAY replace multiple -> consecutive space characters with a single space character prior to -> verification, provided that the result is at least 8 characters in length. -> Truncation of the secret SHALL NOT be performed. For purposes of the above -> length requirements, each Unicode code point SHALL be counted as a single -> character. - -Passwords must be checked against a database of compromised secrets such as -[Have I Been Pwnd](https://haveibeenpwned.com): - -> When processing requests to establish and change memorized secrets, verifiers -> SHALL compare the prospective secrets against a list that contains values -> known to be commonly-used, expected, or compromised. For example, the list MAY -> include, but is not limited to: -> -> - Passwords obtained from previous breach corpuses. -> - Dictionary words. -> - Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’). -> - Context-specific words, such as the name of the service, the username, and -> derivatives thereof. -> -> If the chosen secret is found in the list, the CSP or verifier SHALL advise -> the subscriber that they need to select a different secret, SHALL provide the -> reason for rejection, and SHALL require the subscriber to choose a different -> value. - -Do not require mixtures of characters types or prohibiting repeated characters: - -> Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures -> of different character types or prohibiting consecutively repeated characters) -> for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be -> changed arbitrarily (e.g., periodically). However, verifiers SHALL force a -> change if there is evidence of compromise of the authenticator. - -##### User Interface Guidelines - -These best practices need to be implemented in your User Interface and can not -be handled by Ory Kratos. All Ory-built reference and demo applications -implement these best practices: - -Allow pasting of passwords: - -> Verifiers SHOULD permit claimants to use “paste” functionality when entering a -> memorized secret. This facilitates the use of password managers, which are -> widely used and in many cases increase the likelihood that users will choose -> stronger memorized secrets. - -Allow the user to show the secret in the UI: - -> In order to assist the claimant in successfully entering a memorized secret, -> the verifier SHOULD offer an option to display the secret — rather than a -> series of dots or asterisks — until it is entered. This allows the claimant to -> verify their entry if they are in a location where their screen is unlikely to -> be observed. The verifier MAY also permit the user’s device to display -> individual entered characters for a short time after each character is typed -> to verify correct entry. This is particularly applicable on mobile devices. - -##### Password Hints - -> Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” -> that is accessible to an unauthenticated claimant. -> -> [NIST Digital Identity Guidelines - 5.1.1.2 Memorized Secret Verifiers](https://pages.nist.gov/800-63-3/sp800-63b.html) - -##### Password Expiry - -> Forcing password expiry carries no real benefits because: -> -> - the user is likely to choose new passwords that are only minor variations of -> the old -> - stolen passwords are generally exploited immediately -> - resetting the password gives you no information about whether a compromise -> has occurred -> - an attacker with access to the account will probably also receive the -> request to reset the password -> - if compromised via insecure storage, the attacker will be able to find the -> new password in the same place -> -> [NSCS Password administration for system owners](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach) - -## Anti-Automation - -:::warning - -This feature is a work in progress and is tracked as -[kratos#138](https://github.com/ory/kratos/issues/138). - -::: - -Actions that cause out-of-band communications, such as sending an activation -link via email or an activation code via SMS, can be abused by automated -systems. The goal of such an attack is to send out so many emails or SMS, that -your reputation worsens (spam filters) or you're faced with massive costs -(carrier fees). - -CAPTCHA renders these attacks either very difficult or impossible. CAPTCHA will -be required in the following scenarios: - -- The user tries to register more than one account within 72 hours. -- The user failed provide valid credentials for the third time within 12 hours. -- The user tries to recover their account for the second time within 72 hours. - -For integration guidelines, please check the individual flow's (registration, -login, account recovery) integration documentation. - -## Bruteforce Attacks - -Will be addressed in a future release. - -## Phishing Attacks - -Will be addressed in a future release. - -## Social Engineering Attacks - -Will be addressed in a future release. - -## SMS Spoofing Attacks - -Will be addressed in a future release. - -## Account Enumeration - -:::warning - -This feature is a work in progress and is tracked as -[kratos#133](https://github.com/ory/kratos/issues/133). - -It does not yet work as documented! - -::: - -## Digital Identity Guidelines - -There is no one standard to digital identity. Ory Kratos closely follows -emerging frameworks and guidelines such as: -[Digital Identity Guidelines established by the National Institute of Standards and Technology (NIST)](https://pages.nist.gov/800-63-3/) -(and a follow-up [FAQ](https://pages.nist.gov/800-63-3/)) . - -As Ory Kratos grows, this document will continue to expand and add sections -covering individual security recommendations established by NIST. diff --git a/docs/versioned_docs/version-v/concepts/session.mdx b/docs/versioned_docs/version-v/concepts/session.mdx deleted file mode 100644 index bcb7cd99a60..00000000000 --- a/docs/versioned_docs/version-v/concepts/session.mdx +++ /dev/null @@ -1,182 +0,0 @@ ---- -id: session -title: Ory Session Token / Ory Session Cookie ---- - -When an identity or end-user authenticates using e.g. the `password` method, -they will receive an Ory Session. The Ory Session can either be issued as an - -- Ory Session Cookie, which is used for all browser-flows (e.g. PHP app, single - page app, ...); -- Ory Session Token, which is used for non-browser flows (e.g. native apps). - -The session's content may look like the following: - -```json5 -{ - id: '1338410d-c473-4503-a96a-53efa06e2531', - active: true, - expires_at: '2021-10-15T15:58:57.683338Z', - authenticated_at: '2021-10-14T15:58:57.683338Z', - authenticator_assurance_level: 'aal2', - authentication_methods: [ - { - method: 'password', - completed_at: '2021-10-14T15:55:19.03621Z' - }, - { - method: 'lookup_secret', - completed_at: '2021-10-14T15:56:21.257867Z' - }, - { - method: 'lookup_secret', - completed_at: '2021-10-14T15:58:57.683337Z' - }, - { - method: 'lookup_secret', - completed_at: '2021-10-14T16:03:14.833192Z' - } - ], - issued_at: '2021-10-14T15:58:57.683338Z', - identity: { - id: '9496bbd5-f426-473f-b087-c7df853f274a', - schema_id: 'default', - schema_url: 'https://.projects.oryapis.com/schemas/default', - state: 'active', - state_changed_at: '2021-10-14T17:55:17.885497+02:00', - traits: { - website: 'https://www.ory.sh/', - email: '0.wz4yhr0zwyd@ory.sh' - }, - verifiable_addresses: [ - { - id: '4de14270-ca13-4efb-ac3f-8f03b1f649d8', - value: '0.wz4yhr0zwyd@ory.sh', - verified: false, - via: 'email', - status: 'sent', - created_at: '2021-10-14T17:55:17.886639+02:00', - updated_at: '2021-10-14T18:03:14.839009+02:00' - } - ], - recovery_addresses: [ - { - id: 'fdab5a5f-5efc-4202-93b5-fd3ee632420b', - value: '0.wz4yhr0zwyd@ory.sh', - via: 'email', - created_at: '2021-10-14T17:55:17.886831+02:00', - updated_at: '2021-10-14T18:03:14.839105+02:00' - } - ], - created_at: '2021-10-14T17:55:17.886237+02:00', - updated_at: '2021-10-14T17:55:17.886237+02:00' - } -} -``` - -### `active` - -If set to true, Ory Session is active and can be used to authenticate requests. - -### `expires_at` - -Indicates when the Ory Session expires. - -### `authenticated_at` - -Indicates the time of the most recent authentication. When a new Ory Session is -created (e.g. because of a successful login), this is set to the current time. - -This field is updated when: - -- The end-user authenticates with a second factor (e.g. TOTP) -- The end-user refreshes their Ory Session using the - [`/self-service/login/browser`](../reference/api#operation/initializeSelfServiceLoginFlowForBrowsers) - or - [`/self-service/login/api`](../reference/api#operation/initializeSelfServiceLoginFlowWithoutBrowser) - endpoint and setting `refresh` to `true` - -## Ory Session Cookie - -The Ory Session Cookie will be issued when the end-user is using a browser (e.g. -Chrome) to sign in. You can fetch the session's payload using the -`/sessions/whoami` endpoint: - -``` -curl 'https://.projects.oryapis.com/sessions/whoami' \ - -H 'Accept: application/json \ - -H 'Cookie: ory_kratos_session=MTYzNDIyNzEzN3xEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJRTFDYWtvME5VNVlaVWxvYVZWeWJrUnZhSEF4YmxSV2VVRlhNMWwxVlVGenxXpsk2cL21Dclk3nCoXV41N6bFxvVJSt7CeICy_815Aw==' -``` - -## Ory Session Token - -The Ory Session Token will be issued when the end-user is using, for example, a -native mobile app to sign in. In this case, you need to include the Ory Session -Token in the `Authorization` HTTP Header - -``` -curl 'https://.projects.oryapis.com/sessions/whoami' \ - -H 'Accept: application/json \ - -H 'Authorization: Bearer BRFbGMzTnBiMjVmZEcEdjM1J5YVc1bkRDSUFvME5VNVlaVeWJrUnZhSEF4YmxSV2VVRlhNMWwxVlVGenxXpsk2cLXV41N6bFxvVJSt7CeICy' -``` - -or alternatively in the `X-Session-Token` HTTP Header: - -``` -curl 'https://.projects.oryapis.com/sessions/whoami' \ - -H 'Accept: application/json \ - -H 'X-Session-Token: BRFbGMzTnBiMjVmZEcEdjM1J5YVc1bkRDSUFvME5VNVlaVeWJrUnZhSEF4YmxSV2VVRlhNMWwxVlVGenxXpsk2cLXV41N6bFxvVJSt7CeICy' -``` - -## Privileged Sessions - -import { privilegedVideo } from '../self-service/flows/code/settings' - -Some profile changes, such as updating the password or adding / removing second -factors, require a privileged Ory Session Token or Ory Session Cookie to be -completed successfully: - - - -Ory Sessions are considered "privileged" if their `authenticated_at` time is not -older than the `privileged_session_max_age` specified in your config: - -```yml title="path/to/kratos/config.yml" -selfservice: - flows: - settings: - privileged_session_max_age: 15m -``` - -In the example above, an Ory Session would be considered "privileged" for 15 -minutes. The end-user can perform any profile changes (e.g. update password, -link another social provider, add a 2fa method, ...) without being prompted to -re-authenticate. - -This flow is similar to -[GitHub's sudo mode](https://help.github.com/en/github/authenticating-to-github/sudo-mode)! - -## Refreshing Sessions - -You can prompt the user to re-authenticate by interacting with the -[`/self-service/login/browser`](../reference/api#operation/initializeSelfServiceLoginFlowForBrowsers) -or -[`/self-service/login/api`](../reference/api#operation/initializeSelfServiceLoginFlowWithoutBrowser) -API and setting the `refresh` parameter to true. Once the user has -re-authenticated, the `authenticated_at` timestamp of the Ory Session will be -set to the current time. - -``` -/self-service/login/browser?refresh=true -``` - -If enabled, you can also refresh the second factor by setting both `refresh` and -`aal`: - -``` -/self-service/login/browser?refresh=true&aal=aal2 -``` diff --git a/docs/versioned_docs/version-v/concepts/terminology.mdx b/docs/versioned_docs/version-v/concepts/terminology.mdx deleted file mode 100644 index e0e047dfb4b..00000000000 --- a/docs/versioned_docs/version-v/concepts/terminology.mdx +++ /dev/null @@ -1,27 +0,0 @@ ---- -id: terminology -title: Terminology ---- - -The purpose of this document is to define terminology used through this -documentation. - -## End-User - -The person who actually uses a particular product that uses Ory Kratos. - -## Identity - -the "who" of a software system. It can be a customer, employee, user, -contractor, or even a programmatic identity such as an IoT device, application, -or some other type of "robot." - -Common aliases are "user", "user account", "account", "subject". - -## Self-Service - -Interfaces and flows allowing customers to produce services independent of -involvement of direct service employee. - -You perform self-service registration when signing up for a new Google account, -because no one (e.g. support) else is involved in the process. diff --git a/docs/versioned_docs/version-v/concepts/ui-user-interface.mdx b/docs/versioned_docs/version-v/concepts/ui-user-interface.mdx deleted file mode 100644 index d016069fbbe..00000000000 --- a/docs/versioned_docs/version-v/concepts/ui-user-interface.mdx +++ /dev/null @@ -1,1881 +0,0 @@ ---- -id: ui-user-interface -title: Customize User Interface ---- - -Ory Kratos is an HTTP API server and does not include a traditional HTML user -interface (rendering forms such as "Login" or "Registration") in its code base. -We provide several reference UI implementations which you can use to get started -quickly, or as the basis for your own UI: - -- The [Ory Cloud Managed UI](https://playground.projects.oryapis.com/ui/welcome) - is available when you run Ory Kratos in Ory Cloud. -- [React Native Reference Implementation](https://github.com/ory/kratos-selfservice-ui-react-native) -- [NodeJS Reference Implementation](https://github.com/ory/kratos-selfservice-ui-node) -- [React / SPA Reference Implementation](https://github.com/ory/react-nextjs-example) - -Ory Kratos' HTTP APIs make it easy and straight forward to write your own UI -(e.g. "login" screen, "update profile settings", ...) in any programming -languages and framework! It can be built in any programming language including -Java, Node, or Python and can be run both a server or an end-user device for -example a browser, or a mobile phone. Implementing your own UI is simple and -straight forward. There is no complex authentication mechanism required and no -need to worry about possible attack vectors such as CSRF or Session Attacks -since Ory Kratos provides the preventive measures built in. - -Chapter [Self-Service Flows](../self-service.mdx) contains further information -on APIs and flows related to the SSUI, and build self-service applications. - -import CodeFromRemote from '@theme/CodeFromRemote' -import Tabs from '@theme/Tabs' -import TabItem from '@theme/TabItem' - -## UI Payloads - -To make UI customization easy, Ory Kratos prepares all the necessary data for -forms that need to be shown during e.g. login, registration: - -```json5 -{ - id: '9b527900-2199-4221-9252-7971b3362282', - type: 'browser', - expires_at: '2021-04-28T13:55:36.046466067Z', - issued_at: '2021-04-28T12:55:36.046466067Z', - ui: { - action: 'https://playground.projects.oryapis.com/api/kratos/public/self-service/settings?flow=9b527900-2199-4221-9252-7971b3362282', - method: 'POST', - nodes: [ - { - type: 'input', - group: 'default', - attributes: { - node_type: 'input', - name: 'csrf_token', - type: 'hidden', - value: 'U3r/lgEfT8rA1Lg0Eeo06oGO8mX6T4TKoe/z7rbInhvYeacbRg0IW9zrqnpU1wmQJXKiekNzdLnypx5naHXoPg==', - required: true, - disabled: false - }, - messages: null, - meta: {} - }, - { - type: 'input', - group: 'profile', - attributes: { - node_type: 'input', - name: 'traits.email', - type: 'email', - value: 'foo@ory.sh', - disabled: false - }, - messages: null, - meta: { - label: { - id: 1070002, - text: 'E-Mail', - type: 'info' - } - } - } - // ... - ] - } -} -``` - -The above example would be rendered in HTML like this: - -```html -
- - - - - - -
-``` - -As you can see, the JSON can be mapped almost 1:1 to HTML! This method makes it -easy for you to implement complex forms without having to deal with state -management, form validation, and more! - -## UI Node Groups - -Nodes are grouped (using the `group` key) based on the source that generated the -node. Sources are the different methods such as "password" ("Sign in/up with ID -& password"), "oidc" (Social Sign In), "link" (Password reset and email -verification), "profile" ("Update your profile") and the "default" group which -typically contains the CSRF token. - -You can use the node group to filter out items, re-arrange them, render them -differently - up to you! - -## UI Node Types - -UI Nodes can have several types! - -### UI Script Nodes - -The `script` node type is primarily used to load required scripts for WebAuthn! - -```json -{ - "type": "script", - "group": "webauthn", - "attributes": { - "src": "http://localhost:4455/.well-known/ory/webauthn.js", - "async": true, - "referrerpolicy": "no-referrer", - "crossorigin": "anonymous", - "integrity": "sha512-E3ctShTQEYTkfWrjztRCbP77lN7L0jJC2IOd6j8vqUKslvqhX/Ho3QxlQJIeTI78krzAWUQlDXd9JQ0PZlKhzQ==", - "type": "text/javascript", - "id": "webauthn_script", - "node_type": "script" - }, - "messages": [], - "meta": {} -} -``` - -Rendering it is straight forward if you are on the server-side: - - - -For single-page apps, you might need a different set up to load the script -asynchronously. In ReactJS you might want to do something like the following: - - - -### UI Anchor Nodes - -Nodes of type `a` are currently not used in Ory Kratos, but we have them around -in case they are needed at a later stage! - - - -### UI Image Nodes - -Nodes of type `img` are used as QR codes, for example. - -```json -{ - "type": "img", - "group": "totp", - "attributes": { - "src": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQAAAAEAEAAAAAApiSv5AAAHP0lEQVR4nOyd0Y4kOwoFt1fz/7989+1mSWORUJzMXikinkbdZZuuOUIIDP7zzz//ETD//W0D5HdRAHAUABwFAOfP9c+fn8SG86DyOvdae/pZd5faqvlp8+9lvku94mTphs/T9ABwFAAcBQBHAcD5c/rhJpDr/vY6Y5OL7AaLm9CvG4LVFtS7ZALNmvMZegA4CgCOAoCjAOAcg8CLTdhTh36bzF3mc7XN9YrTb7t/0fxbq9n8H+kB8CgAOAoAjgKAcxMEPkc3k7Up0J5Cunlwt7G0tqpe+85tTT0AHAUARwHAUQBwXgkC56Xa7m8zNwY3Ocsu3V3ebtTRA8BRAHAUABwFAOcmCEyHJPMWjE0hd57XOxV3N+Xb7t87zzte7P6P9ABwFAAcBQBHAcA5BoGZ3NeczI3BTbPI5oxMk0rXvtT/kR4AjgKAowDgKAA4P8+VH7t337q7vNtFXPPczcKTLU+WiPUAcBQAHAUARwHA+elmt7psZuRtLEj33M7L1Zlz5xbMd/lEDwBHAcBRAHAUAJxjJnDTqjG/15dp7qhPm1uQDrcyBeT63G/O0APAUQBwFAAcBQBnlQl8LtxKj2/OjH7OFIu79p3ID8fWA8BRAHAUABwFAOejMeS5GXnz4u6mKaI7SmYTwqaDynQHcv8WoR4AjgKAowDgKAA4N+XgE8/lyDI7n9i9qjFlU0rOlNP7ZXc9ABwFAEcBwFEAcL4YFr3JkT3X8Zq5bZhua6nPSAfC3zTW6AHgKAA4CgCOAoDzRWPIcZtwvi4zDqZLpnGla8tzbTLflKb1AHAUABwFAEcBwLmZE7jJbmUeXnsuKMqMdO7ud9q5u0umH9tysBxQAHAUABwFAOfmxZA6mHhjxmDXvnmQ2n0xJEN6xmDqPRE9ABwFAEcBwFEAcD6CwOe6W7u71D/LjG+eMw9wNw/S1Z/rfuP9tXoAOAoAjgKAowDgHDOB8/HDm1l/tQVd+2oyc/g2Idhpl9qCeud6rSNipIkCgKMA4CgAODfl4C7pAS2bu4iZQG5OZrLgvNv4tLaPHgCOAoCjAOAoADjHF0MuMm0Z87U1mUzlab+TVfPTTrvMz+2ysV4PgEcBwFEAcBQAnJty8MV8Wt5pbbcFI93NO1+bKbxudskUve0OlhIFAEcBwFEAcG5GxHx8cDHm5WIToG12/q3ZgZt8Ytrm0+f0AHgUABwFAEcBwPmiO3gTvs07gTOvfpx2rndJ3/DrWnBi/j2bCZQmCgCOAoCjAOB8BIGbHNRm5l66ASLdMbzJ4XUD60yo+004qAeAowDgKAA4CgDOTSYw81pGN9fXHUhdk7E5c5uvXjsnM1jnEz0AHAUARwHAUQBwbt4OvsjcVZufMQ/pMvfrTjtfbM6Yj4jp8k0mVQ8ARwHAUQBwFACc44iYTGDzxhy+2oKa+ZiXzBCYOZvO53oXPQAeBQBHAcBRAHBWmcBNGLV5Y+S5oOi5qX+ZppKab3bRA8BRAHAUABwFAOcmE/jxwfCrH0djVn2uPQs2f2VNuo/5nZdP9ABwFAAcBQBHAcA5Dou+2OTr6v265dvN7cB5AJkpB/9+R3PfFj0AHAUARwHAUQBw2sOiP5aMA8P6c/WKE5ky9Kbl5PTbzbmb72+XWdQDwFEAcBQAHAUA5yYT2OW5YnG6l7Ye6TIf/ZIJQ08ruufu0APAUQBwFAAcBQDnGASmi6eb+2ubcmt3aHO9y/zc/DS/vy1I3RPUA8BRAHAUABwFAOcYBGYm43VXZF7BqJmXg9O39DZl6K4F89/qAfAoADgKAI4CgNN+MSRTHq3XdtmEkvNbepuwcf5Xzr/TTTldD4BHAcBRAHAUAJzjiJiLTHk03SixybmlS9jPjZy5eG6Mjx4AjwKAowDgKAA4H5nATXm0DlO6+bDNjcHuYJhNeXk+xzCTd+yeVn/ujB4AjgKAowDgKAA47e7geeNFOk9Yr+jud7Jl3lCRHj6dzif2C+Z6ADgKAI4CgKMA4LSfjbvYlIg3Jef/z1mE3Z3TkwA3VhkEyr8oADgKAI4CgHPTGHLxXO/rfG1NZr/fCj7nBeldj7EeAI4CgKMA4CgAOMc7gXPemP+Xvv9XW5UJ/bo8Z/MdegA4CgCOAoCjAOC0M4Fd5u0g9S6bECczn7AOOd8YTdO1+YTlYClRAHAUABwFAKc9LLpmHrA8V/qtrTpZ0D2jXpsenX0ik3f8RA8ARwHAUQBwFACcm+7gN0KSzMsYXea7zHNz9c82K7r0V+gB4CgAOAoAjgKA0x4Rk2F+u20TKGWKyrWlXeal5E22sY8eAI4CgKMA4CgAOK8EgZmhzZvZfJnpe+mw7I0XTe7QA8BRAHAUABwFAOcmCHyjY3j+Xkf6gbY3epu7n8vn+v5ea2OI/IsCgKMA4CgAOMcgMH37LvN42uaOXIb5gOZ5SDd/IaX+nM/GSYkCgKMA4CgAOMcXQ4SDHgCOAoCjAOAoADgKAM7/AgAA//9RrYZOnxsHAQAAAABJRU5ErkJggg==", - "id": "totp_qr", - "width": 256, - "height": 256, - "node_type": "img" - }, - "messages": [], - "meta": { - "label": { - "id": 1050005, - "text": "Authenticator app QR code", - "type": "info" - } - } -} -``` - -![QR Code](../images/totp/qr.png) - -Here is an example of implementing an `img` node in handlebars: - - - -Here is an example of implementing an `img` node in ReactJS: - - - -### UI Text Nodes - -Nodes of type `text` are commonly used to display secrets (e.g. lookup secrets). - -![Lookup Secret](../images/text-node-1.png) - -![TOTP Secret](../images/text-node-2.png) - -Their JSON usually contains a bit of contextual information. - - - - -```json -{ - "type": "text", - "group": "totp", - "attributes": { - "text": { - "id": 1050006, - "text": "GLAS5YHAJ6V5LT3N7AU2R4AWU6SYOCHS", - "type": "info", - "context": { - "secret": "GLAS5YHAJ6V5LT3N7AU2R4AWU6SYOCHS" - } - }, - "id": "totp_secret_key", - "node_type": "text" - }, - "messages": [], - "meta": { - "label": { - "id": 1050006, - "text": "This is your authenticator app secret. Use it if you can not scan the QR code.", - "type": "info" - } - } -} -``` - - - - -```json -{ - "type": "text", - "group": "lookup_secret", - "attributes": { - "text": { - "id": 1050015, - "text": "8qhkibka, 4m4m0l81, xh7ji7xk, cgi8xfwa, uim1dztu, 1jsjkk2i, 3nw4o5fr, lg77u7rr, hhwmz3rx, kx1cx840, thc7xl8t, osgqai15", - "type": "info", - "context": { - "secrets": [ - { - "id": 1050009, - "text": "8qhkibka", - "type": "info", - "context": { - "secret": "8qhkibka" - } - }, - { - "id": 1050009, - "text": "4m4m0l81", - "type": "info", - "context": { - "secret": "4m4m0l81" - } - }, - { - "id": 1050009, - "text": "xh7ji7xk", - "type": "info", - "context": { - "secret": "xh7ji7xk" - } - }, - { - "id": 1050009, - "text": "cgi8xfwa", - "type": "info", - "context": { - "secret": "cgi8xfwa" - } - }, - { - "id": 1050009, - "text": "uim1dztu", - "type": "info", - "context": { - "secret": "uim1dztu" - } - }, - { - "id": 1050009, - "text": "1jsjkk2i", - "type": "info", - "context": { - "secret": "1jsjkk2i" - } - }, - { - "id": 1050009, - "text": "3nw4o5fr", - "type": "info", - "context": { - "secret": "3nw4o5fr" - } - }, - { - "id": 1050009, - "text": "lg77u7rr", - "type": "info", - "context": { - "secret": "lg77u7rr" - } - }, - { - "id": 1050009, - "text": "hhwmz3rx", - "type": "info", - "context": { - "secret": "hhwmz3rx" - } - }, - { - "id": 1050009, - "text": "kx1cx840", - "type": "info", - "context": { - "secret": "kx1cx840" - } - }, - { - "id": 1050009, - "text": "thc7xl8t", - "type": "info", - "context": { - "secret": "thc7xl8t" - } - }, - { - "id": 1050009, - "text": "osgqai15", - "type": "info", - "context": { - "secret": "osgqai15" - } - } - ] - } - }, - "id": "lookup_secret_codes", - "node_type": "text" - }, - "messages": [], - "meta": { - "label": { - "id": 1050010, - "text": "These are your back up recovery codes. Please keep them in a safe place!", - "type": "info" - } - } -} -``` - - - - -Rendering the text component is usually a bit more complex, as you most likely -want a bit of custom formatting. By the way, you can find an overview of all -message IDs used here in the conditionals at the end of this page! In -handlebars, this could look as follows: - - - -In ReactJS, you will most likely find similar if statements on the message IDs. - - - -### UI Input Nodes - -The most common node type is the `input` type. In general, it represents an HTL -`` field: - -```json -{ - "type": "input", - "group": "default", - "attributes": { - "name": "csrf_token", - "type": "hidden", - "node_type": "input", - "value": "U3r/lgEfT8rA1Lg0Eeo06oGO8mX6T4TKoe/z7rbInhvYeacbRg0IW9zrqnpU1wmQJXKiekNzdLnypx5naHXoPg==", - "required": true, - "disabled": false - }, - "messages": null, - "meta": {} -} -``` - -An `input` node itself has a type as well. These types are taken from HTML: - -- `text` -- `password` -- `number` -- `checkbox` -- `hidden` -- `email` -- `submit` -- `button` -- `datetime-local` -- `date` -- `url` - -#### Checkbox Input Node - -Checkboxes are primarily used when an Identity Schema field is of -`"type": "boolean"`. The following Identity Schema - -```json5 -{ - $schema: 'http://json-schema.org/draft-07/schema#', - type: 'object', - properties: { - traits: { - type: 'object', - properties: { - // ... - tos: { - title: 'Accept Terms of Service', - type: 'boolean' - } - // ... - } - // ... - } - } -} -``` - -would result in such a checkbox node: - -```json -{ - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.tos", - "type": "checkbox", - "disabled": false, - "node_type": "input" - }, - "messages": [], - "meta": { - "label": { - "id": 1070002, - "text": "Accept Terms of Service", - "type": "info" - } - } -} -``` - -When using plain HTML and not a single page app, the best option you have is to -use two input fields - one hidden and one a checkbox - with `false` and `true` -respectively. Make sure that the checkbox input field is second as it needs to -override the hidden field, if set. - - - -In single page apps, such as ReactJS, this trickery is not needed as you have -full control over the form's state: - - - -#### Button Input Node - -Buttons are primarily used to trigger something, which is why it is important to -have the `onclick` attribute handled. If `onclick` exists, you will also find a -`script` node: - -```json -[ - { - "type": "input", - "group": "webauthn", - "attributes": { - "name": "webauthn_register_trigger", - "type": "button", - "value": "", - "disabled": false, - "onclick": "window.__oryWebAuthnRegistration({\"publicKey\":{\"challenge\":\"SOaWrZE4unW3cC57ED52HRnHwd22Fcg8DNf0zf9Jgr0=\",\"rp\":{\"name\":\"Ory\",\"id\":\"localhost\"},\"user\":{\"name\":\"placeholder\",\"icon\":\"https://via.placeholder.com/128\",\"displayName\":\"placeholder\",\"id\":\"q7MFvGN9TzqDTIgEIvkjZw==\"},\"pubKeyCredParams\":[{\"type\":\"public-key\",\"alg\":-7},{\"type\":\"public-key\",\"alg\":-35},{\"type\":\"public-key\",\"alg\":-36},{\"type\":\"public-key\",\"alg\":-257},{\"type\":\"public-key\",\"alg\":-258},{\"type\":\"public-key\",\"alg\":-259},{\"type\":\"public-key\",\"alg\":-37},{\"type\":\"public-key\",\"alg\":-38},{\"type\":\"public-key\",\"alg\":-39},{\"type\":\"public-key\",\"alg\":-8}],\"authenticatorSelection\":{\"requireResidentKey\":false,\"userVerification\":\"preferred\"},\"timeout\":60000}})", - "node_type": "input" - }, - "messages": [], - "meta": { - "label": { - "id": 1050012, - "text": "Add security key", - "type": "info" - } - } - }, - { - "type": "script", - "group": "webauthn", - "attributes": { - "src": "http://localhost:4455/.well-known/ory/webauthn.js", - "async": true, - "referrerpolicy": "no-referrer", - "crossorigin": "anonymous", - "integrity": "sha512-E3ctShTQEYTkfWrjztRCbP77lN7L0jJC2IOd6j8vqUKslvqhX/Ho3QxlQJIeTI78krzAWUQlDXd9JQ0PZlKhzQ==", - "type": "text/javascript", - "id": "webauthn_script", - "node_type": "script" - }, - "messages": [], - "meta": {} - } -] -``` - -For example, when an end-user triggers a WebAuthn flow, the button would trigger -the required JavaScript to get it working! - - - -In a single page application, we need a bit of trickery as we are executing -JavaScript from a JSON source in JavaScript - which essentialy means we need to -execute `eval`. Fortunately, this is only needed in this special case. If you do -not use WebAuthn, you will not need `eval` at all! - - - -#### Submit Input Node - -Submit buttons trigger the form submission. In pure HTML, this is just a simple -submit button: - - - -If you have control over the form's payload, like in ReactJS, you need to ensure -that the name of the form (e.g. `method`) is only submitted once with the -correct value (e.g. `password`). Because in some cases Ory Kratos might generate -multiple submit buttons with the same `name` attribute. - -```json5 -[ - { - type: 'input', - group: 'profile', - attributes: { - name: 'method', - type: 'submit', - value: 'profile', - disabled: false, - node_type: 'input' - }, - messages: [], - meta: { - label: { - id: 1070003, - text: 'Save', - type: 'info' - } - } - }, - // ... - { - type: 'input', - group: 'password', - attributes: { - name: 'method', - type: 'submit', - value: 'password', - disabled: false, - node_type: 'input' - }, - messages: [], - meta: { - label: { - id: 1070003, - text: 'Save', - type: 'info' - } - } - } -] -``` - -You need to ensure that the correct value for the `name` is submitted, or the -user might end up updating their password instead of their email address! - - - -#### Hidden Input Node - -Hidden input fields such as the `csrf_token` - -```json5 -{ - type: 'input', - group: 'default', - attributes: { - name: 'csrf_token', - type: 'hidden', - value: 'By8X7TPnn/NMtXeDpK6sbshISK3t1WnezAtlMnFA6ZPsxxNmRsG8ks7WpsHMQtTLbxtqKJOiu4aArJok6/GOSw==', - required: true, - disabled: false, - node_type: 'input' - }, - messages: [], - meta: {} -} -``` - -are easy to implement in both pure HTML - - - -and single page apps like ReactJS - - - -#### Default Input Node Rendering - -You do not need to have one view for every node type. Instead, you can "fall -back" to a default implementation. The most important node types (`hidden`, -`submit`, `button`, `checkbox`) we already covered! - -Here are some examples for you to get a feeling for possible payloads! - - - - -```json -{ - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.email", - "type": "email", - "value": "foo@ory.sh", - "disabled": false - }, - "messages": null, - "meta": { - "label": { - "id": 1070002, - "text": "E-Mail", - "type": "info" - } - } -} -``` - - - - -```json -{ - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.website", - "type": "url", - "value": "https://www.ory.sh/", - "required": true, - "disabled": false, - "node_type": "input" - }, - "messages": [], - "meta": { - "label": { - "id": 1070002, - "text": "Your website", - "type": "info" - } - } -} -``` - - - - -```json -{ - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.age", - "type": "number", - "disabled": false, - "node_type": "input" - }, - "messages": [], - "meta": { - "label": { - "id": 1070002, - "text": "Age", - "type": "info" - } - } -} -``` - - - - -```json -{ - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.name", - "type": "text", - "disabled": false, - "node_type": "input" - }, - "messages": [], - "meta": { - "label": { - "id": 1070002, - "text": "Name", - "type": "info" - } - } -} -``` - - - - -You should render these components using a generic node input render logic like -the one below: - - - -## Node Order and Labels - -For all traits, the labels and orders are taken from the Identity Schema. An -Identity Schema such as - -```json -{ - "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "type": "string", - "format": "email", - "title": "E-Mail", - "minLength": 3, - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - } - } - }, - "website": { - "title": "Website", - "type": "string", - "format": "uri", - "minLength": 10 - }, - "consent": { - "title": "Consent", - "const": true - }, - "newsletter": { - "title": "Newsletter", - "type": "boolean" - } - }, - "required": ["email", "website"], - "additionalProperties": false - } - } -} -``` - -will generate the following fields - take note that the order of the JSON Schema -affects the order of the nodes: - -```json -[ - { - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.email", - "type": "email", - "value": "foo@ory.sh", - "disabled": false - }, - "messages": null, - "meta": { - "label": { - "id": 1070002, - "text": "E-Mail", - "type": "info" - } - } - }, - { - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.name.first", - "type": "text", - "value": "Foo", - "disabled": false - }, - "messages": null, - "meta": { - "label": { - "id": 1070002, - "text": "First Name", - "type": "info" - } - } - }, - { - "type": "input", - "group": "profile", - "attributes": { - "name": "traits.name.last", - "type": "text", - "value": "Bar", - "disabled": false - }, - "messages": null, - "meta": { - "label": { - "id": 1070002, - "text": "Last Name", - "type": "info" - } - } - }, - { - "type": "input", - "group": "profile", - "attributes": { - "name": "method", - "type": "submit", - "value": "profile", - "disabled": false - }, - "messages": null, - "meta": { - "label": { - "id": 1070003, - "text": "Save", - "type": "info" - } - } - } -] -``` - -Generally, submit buttons are the last node in a group. If you wish to have more -flexibility with regards to order or labeling the best option is to implement -this in your UI using map, filter, and other JSON transformation functions. - -## Titles, Labels & Validation Messages - -Ory Kratos helps users understand what is happening by providing messages that -explain what went wrong or what needs to be done. Examples are "The provided -credentials are invalid", "Missing property email" and similar. - -Typically login, registration, settings, ... flows include such messages on -different levels: - -1. At the root level, indicating that the message affects the whole request - (e.g. request expired) -2. At the method (password, oidc, profile) level, indicating that the message - affects a specific method / form. -3. At the field level, indicating that the message affects a form field (e.g. - validation errors). - -Each message has a layout of: - -```json5 -{ - id: 1234, - // This ID will not change and can be used to translate the message or use your own message content. - text: 'Some default text', - // A default text in english that you can display if you do not want to customize the message. - context: {} - // A JSON object which may contain additional fields such as `expires_at`. This is helpful if you want to craft your own messages. -} -``` - -The message ID is a 7-digit number (`xyyzzzz`) where - -- `x` is the message type which is either `1` for an info message (e.g. - `1020000`), `4` (e.g. `4020000`) for an input validation error message, and - `5` (e.g. `5020000`) for a generic error message. -- `yy` is the module or flow this error references and can be: -- `01` for login messages (e.g. `1010000`) -- `02` for logout messages (e.g. `1020000`) -- `03` for multi-factor authentication messages (e.g. `1030000`) -- `04` for registration messages (e.g. `1040000`) -- `05` for settings messages (e.g. `1050000`) -- `06` for account recovery messages (e.g. `1060000`) -- `07` for email/phone verification messages (e.g. `1070000`) -- `zzzz` is the message ID and typically starts at `0001`. For example, message - ID `4070001` (`4` for input validation error, `07` for verification, `0001` - for the concrete message) is: - `The verification code has expired or was otherwise invalid. Please request another code.`. - -## UI Error Codes - -When building a single page app, or a native app, Ory Kratos will respond with -errors in some cases. You can find an exemplary error handling logic in our -ReactJS reference implementation: - - - -## UI Message Codes - -UI Messages are always presented as the following JSON - -```json5 -{ - id: 1234, // A unique, fixed number - text: '...', - type: '...', // Usually "error" or "info" - context: { - // Additional, contextual information - } -} -``` - -for the values of these fields, please check the list below. - -:::note - -The section below is auto-generated. Changing it has no effect as any changes -will be overwritten! - -::: - - - -###### Sign in (1010001) - -```json -{ - "id": 1010001, - "text": "Sign in", - "type": "info", - "context": {} -} -``` - -###### Sign in with {provider} (1010002) - -```json -{ - "id": 1010002, - "text": "Sign in with {provider}", - "type": "info", - "context": { - "provider": "{provider}" - } -} -``` - -###### Please confirm this action by verifying that it is you. (1010003) - -```json -{ - "id": 1010003, - "text": "Please confirm this action by verifying that it is you.", - "type": "info", - "context": {} -} -``` - -###### Please complete the second authentication challenge. (1010004) - -```json -{ - "id": 1010004, - "text": "Please complete the second authentication challenge.", - "type": "info", - "context": {} -} -``` - -###### Verify (1010005) - -```json -{ - "id": 1010005, - "text": "Verify", - "type": "info", - "context": {} -} -``` - -###### Authentication code (1010006) - -```json -{ - "id": 1010006, - "text": "Authentication code", - "type": "info", - "context": {} -} -``` - -###### Backup recovery code (1010007) - -```json -{ - "id": 1010007, - "text": "Backup recovery code", - "type": "info", - "context": {} -} -``` - -###### Use security key (1010008) - -```json -{ - "id": 1010008, - "text": "Use security key", - "type": "info" -} -``` - -###### Use Authenticator (1010009) - -```json -{ - "id": 1010009, - "text": "Use Authenticator", - "type": "info", - "context": {} -} -``` - -###### Use backup recovery code (1010010) - -```json -{ - "id": 1010010, - "text": "Use backup recovery code", - "type": "info", - "context": {} -} -``` - -###### Sign up (1040001) - -```json -{ - "id": 1040001, - "text": "Sign up", - "type": "info", - "context": {} -} -``` - -###### Sign up with {provider} (1040002) - -```json -{ - "id": 1040002, - "text": "Sign up with {provider}", - "type": "info", - "context": { - "provider": "{provider}" - } -} -``` - -###### Continue (1040003) - -```json -{ - "id": 1040003, - "text": "Continue", - "type": "info" -} -``` - -###### Your changes have been saved! (1050001) - -```json -{ - "id": 1050001, - "text": "Your changes have been saved!", - "type": "info" -} -``` - -###### Link {provider} (1050002) - -```json -{ - "id": 1050002, - "text": "Link {provider}", - "type": "info", - "context": { - "provider": "{provider}" - } -} -``` - -###### Unlink {provider} (1050003) - -```json -{ - "id": 1050003, - "text": "Unlink {provider}", - "type": "info", - "context": { - "provider": "{provider}" - } -} -``` - -###### Unlink TOTP Authenticator App (1050004) - -```json -{ - "id": 1050004, - "text": "Unlink TOTP Authenticator App", - "type": "info" -} -``` - -###### Authenticator app QR code (1050005) - -```json -{ - "id": 1050005, - "text": "Authenticator app QR code", - "type": "info" -} -``` - -###### This is your authenticator app secret. Use it if you can not scan the QR code. (1050006) - -```json -{ - "id": 1050006, - "text": "This is your authenticator app secret. Use it if you can not scan the QR code.", - "type": "info" -} -``` - -###### {secret} (1050006) - -```json -{ - "id": 1050006, - "text": "{secret}", - "type": "info", - "context": { - "secret": "{secret}" - } -} -``` - -###### Reveal backup recovery codes (1050007) - -```json -{ - "id": 1050007, - "text": "Reveal backup recovery codes", - "type": "info" -} -``` - -###### Generate new backup recovery codes (1050008) - -```json -{ - "id": 1050008, - "text": "Generate new backup recovery codes", - "type": "info" -} -``` - -###### {secret} (1050009) - -```json -{ - "id": 1050009, - "text": "{secret}", - "type": "info", - "context": { - "secret": "{secret}" - } -} -``` - -###### These are your back up recovery codes. Please keep them in a safe place! (1050010) - -```json -{ - "id": 1050010, - "text": "These are your back up recovery codes. Please keep them in a safe place!", - "type": "info" -} -``` - -###### Confirm backup recovery codes (1050011) - -```json -{ - "id": 1050011, - "text": "Confirm backup recovery codes", - "type": "info" -} -``` - -###### Add security key (1050012) - -```json -{ - "id": 1050012, - "text": "Add security key", - "type": "info" -} -``` - -###### Remove security key "{name}" (1050012) - -```json -{ - "id": 1050012, - "text": "Remove security key \"{name}\"", - "type": "info", - "context": { - "added_at": "2020-01-01T00:59:59Z", - "display_name": "{name}" - } -} -``` - -###### Name of the security key (1050013) - -```json -{ - "id": 1050013, - "text": "Name of the security key", - "type": "info" -} -``` - -###### Secret was used at 2020-01-01 00:59:59 +0000 UTC (1050014) - -```json -{ - "id": 1050014, - "text": "Secret was used at 2020-01-01 00:59:59 +0000 UTC", - "type": "info", - "context": { - "used_at": "2020-01-01T00:59:59Z" - } -} -``` - -###### {code-1}, {code-2} (1050015) - -```json -{ - "id": 1050015, - "text": "{code-1}, {code-2}", - "type": "info", - "context": { - "secrets": [ - { - "id": 1050009, - "text": "{code}", - "type": "info", - "context": { - "secret": "{code}" - } - }, - { - "id": 1050014, - "text": "Secret was used at 2020-01-01 00:59:59 +0000 UTC", - "type": "info", - "context": { - "used_at": "2020-01-01T00:59:59Z" - } - } - ] - } -} -``` - -###### Disable this method (1050016) - -```json -{ - "id": 1050016, - "text": "Disable this method", - "type": "info" -} -``` - -###### You successfully recovered your account. Please change your password or set up an alternative login method (e.g. social sign in) within the next 0.02 minutes. (1060001) - -```json -{ - "id": 1060001, - "text": "You successfully recovered your account. Please change your password or set up an alternative login method (e.g. social sign in) within the next 0.02 minutes.", - "type": "info", - "context": { - "privilegedSessionExpiresAt": "2020-01-01T01:01:00Z" - } -} -``` - -###### An email containing a recovery link has been sent to the email address you provided. (1060002) - -```json -{ - "id": 1060002, - "text": "An email containing a recovery link has been sent to the email address you provided.", - "type": "info", - "context": {} -} -``` - -###### Password (1070001) - -```json -{ - "id": 1070001, - "text": "Password", - "type": "info" -} -``` - -###### {title} (1070002) - -```json -{ - "id": 1070002, - "text": "{title}", - "type": "info" -} -``` - -###### Save (1070003) - -```json -{ - "id": 1070003, - "text": "Save", - "type": "info" -} -``` - -###### ID (1070004) - -```json -{ - "id": 1070004, - "text": "ID", - "type": "info" -} -``` - -###### Submit (1070005) - -```json -{ - "id": 1070005, - "text": "Submit", - "type": "info" -} -``` - -###### Verify code (1070006) - -```json -{ - "id": 1070006, - "text": "Verify code", - "type": "info" -} -``` - -###### Email (1070007) - -```json -{ - "id": 1070007, - "text": "Email", - "type": "info" -} -``` - -###### An email containing a verification link has been sent to the email address you provided. (1080001) - -```json -{ - "id": 1080001, - "text": "An email containing a verification link has been sent to the email address you provided.", - "type": "info", - "context": {} -} -``` - -###### You successfully verified your email address. (1080002) - -```json -{ - "id": 1080002, - "text": "You successfully verified your email address.", - "type": "info" -} -``` - -###### {reason} (4000001) - -```json -{ - "id": 4000001, - "text": "{reason}", - "type": "error" -} -``` - -###### Property {field} is missing. (4000002) - -```json -{ - "id": 4000002, - "text": "Property {field} is missing.", - "type": "error", - "context": { - "property": "{field}" - } -} -``` - -###### Length must be >= 1, but got 2. (4000003) - -```json -{ - "id": 4000003, - "text": "Length must be \u003e= 1, but got 2.", - "type": "error", - "context": { - "actual_length": 2, - "expected_length": 1 - } -} -``` - -###### "{value}" is not valid "{format}" (4000004) - -```json -{ - "id": 4000004, - "text": "\"{value}\" is not valid \"{format}\"", - "type": "error", - "context": { - "actual_value": "{value}", - "expected_format": "{format}" - } -} -``` - -###### The password can not be used because {reason}. (4000005) - -```json -{ - "id": 4000005, - "text": "The password can not be used because {reason}.", - "type": "error", - "context": { - "reason": "{reason}" - } -} -``` - -###### The provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number. (4000006) - -```json -{ - "id": 4000006, - "text": "The provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number.", - "type": "error", - "context": {} -} -``` - -###### An account with the same identifier (email, phone, username, ...) exists already. (4000007) - -```json -{ - "id": 4000007, - "text": "An account with the same identifier (email, phone, username, ...) exists already.", - "type": "error", - "context": {} -} -``` - -###### The provided authentication code is invalid, please try again. (4000008) - -```json -{ - "id": 4000008, - "text": "The provided authentication code is invalid, please try again.", - "type": "error", - "context": {} -} -``` - -###### Could not find any login identifiers. Did you forget to set them? (4000009) - -```json -{ - "id": 4000009, - "text": "Could not find any login identifiers. Did you forget to set them?", - "type": "error" -} -``` - -###### Account not active yet. Did you forget to verify your email address? (4000010) - -```json -{ - "id": 4000010, - "text": "Account not active yet. Did you forget to verify your email address?", - "type": "error" -} -``` - -###### You have no TOTP device set up. (4000011) - -```json -{ - "id": 4000011, - "text": "You have no TOTP device set up.", - "type": "error", - "context": {} -} -``` - -###### The backup recovery code is not valid. (4000012) - -```json -{ - "id": 4000012, - "text": "The backup recovery code is not valid.", - "type": "error", - "context": {} -} -``` - -###### This backup recovery code has already been used. (4000012) - -```json -{ - "id": 4000012, - "text": "This backup recovery code has already been used.", - "type": "error", - "context": {} -} -``` - -###### You have no WebAuthn device set up. (4000013) - -```json -{ - "id": 4000013, - "text": "You have no WebAuthn device set up.", - "type": "error", - "context": {} -} -``` - -###### You have no backup recovery codes set up. (4000014) - -```json -{ - "id": 4000014, - "text": "You have no backup recovery codes set up.", - "type": "error", - "context": {} -} -``` - -###### The login flow expired 0.02 minutes ago, please try again. (4010001) - -```json -{ - "id": 4010001, - "text": "The login flow expired 0.02 minutes ago, please try again.", - "type": "error", - "context": { - "expired_at": "2020-01-01T01:01:01Z" - } -} -``` - -###### Could not find a strategy to log you in with. Did you fill out the form correctly? (4010002) - -```json -{ - "id": 4010002, - "text": "Could not find a strategy to log you in with. Did you fill out the form correctly?", - "type": "error" -} -``` - -###### Could not find a strategy to sign you up with. Did you fill out the form correctly? (4010003) - -```json -{ - "id": 4010003, - "text": "Could not find a strategy to sign you up with. Did you fill out the form correctly?", - "type": "error" -} -``` - -###### Could not find a strategy to update your settings. Did you fill out the form correctly? (4010004) - -```json -{ - "id": 4010004, - "text": "Could not find a strategy to update your settings. Did you fill out the form correctly?", - "type": "error" -} -``` - -###### Could not find a strategy to recover your account with. Did you fill out the form correctly? (4010005) - -```json -{ - "id": 4010005, - "text": "Could not find a strategy to recover your account with. Did you fill out the form correctly?", - "type": "error" -} -``` - -###### Could not find a strategy to verify your account with. Did you fill out the form correctly? (4010006) - -```json -{ - "id": 4010006, - "text": "Could not find a strategy to verify your account with. Did you fill out the form correctly?", - "type": "error" -} -``` - -###### The registration flow expired 0.02 minutes ago, please try again. (4040001) - -```json -{ - "id": 4040001, - "text": "The registration flow expired 0.02 minutes ago, please try again.", - "type": "error", - "context": { - "expired_at": "2020-01-01T01:01:01Z" - } -} -``` - -###### The settings flow expired 0.02 minutes ago, please try again. (4050001) - -```json -{ - "id": 4050001, - "text": "The settings flow expired 0.02 minutes ago, please try again.", - "type": "error", - "context": { - "expired_at": "2020-01-01T01:01:01Z" - } -} -``` - -###### The request was already completed successfully and can not be retried. (4060001) - -```json -{ - "id": 4060001, - "text": "The request was already completed successfully and can not be retried.", - "type": "error", - "context": {} -} -``` - -###### The recovery flow reached a failure state and must be retried. (4060002) - -```json -{ - "id": 4060002, - "text": "The recovery flow reached a failure state and must be retried.", - "type": "error", - "context": {} -} -``` - -###### The recovery token is invalid or has already been used. Please retry the flow. (4060004) - -```json -{ - "id": 4060004, - "text": "The recovery token is invalid or has already been used. Please retry the flow.", - "type": "error", - "context": {} -} -``` - -###### The recovery flow expired 0.02 minutes ago, please try again. (4060005) - -```json -{ - "id": 4060005, - "text": "The recovery flow expired 0.02 minutes ago, please try again.", - "type": "error", - "context": { - "expired_at": "2020-01-01T01:01:01Z" - } -} -``` - -###### The verification token is invalid or has already been used. Please retry the flow. (4070001) - -```json -{ - "id": 4070001, - "text": "The verification token is invalid or has already been used. Please retry the flow.", - "type": "error", - "context": {} -} -``` - -###### The request was already completed successfully and can not be retried. (4070002) - -```json -{ - "id": 4070002, - "text": "The request was already completed successfully and can not be retried.", - "type": "error", - "context": {} -} -``` - -###### The verification flow reached a failure state and must be retried. (4070003) - -```json -{ - "id": 4070003, - "text": "The verification flow reached a failure state and must be retried.", - "type": "error", - "context": {} -} -``` - -###### The verification flow expired -0.02 minutes ago, please try again. (4070005) - -```json -{ - "id": 4070005, - "text": "The verification flow expired -0.02 minutes ago, please try again.", - "type": "error", - "context": { - "expired_at": "2020-01-01T01:00:59Z" - } -} -``` - -###### {reason} (5000001) - -```json -{ - "id": 5000001, - "text": "{reason}", - "type": "error", - "context": {} -} -``` - - diff --git a/docs/versioned_docs/version-v/configuring.md b/docs/versioned_docs/version-v/configuring.md deleted file mode 100644 index 22f9d678ad0..00000000000 --- a/docs/versioned_docs/version-v/configuring.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -id: configuring -title: Configuring ---- - -This document describes _how_ the service can be configured. For a documentation -on all configuration values head over to the -[configuration reference](reference/configuration.md). - -## Configuration File - -Files in the format of JSON, YAML and TOML are supported. When starting Kratos -you specify the path to the config file via the `--config` flag. For more -in-depth info run `kratos help`. We recommend you name your configuration file -`kratos.(json|yml|yaml|toml)`. This will enable automatic validation and code -completion in VSCode, JetBrains' IDEs and other tools that utilise -[schemastore.org](https://www.schemastore.org/json/) JSON schemas. Alternatively -you can add the schema mapping manually as well. It is recommended to prevent -leaking of secrets by setting sensitive values via environmental variables as -described in the following section. - -## Environmental Variables - -Environmental variables take precedence over config file values. Nested paths -get mapped to config values by putting an underscore `_` between every level, -e.g. `selfservice.flows.settings.ui_url` becomes -`SELFSERVICE_FLOWS_SETTINGS_UI_URL=`. - -Please note that there are some caveats when using env vars -[documented here](https://www.ory.sh/docs/ecosystem/configuring). diff --git a/docs/versioned_docs/version-v/contributing.md b/docs/versioned_docs/version-v/contributing.md deleted file mode 100644 index 415d03cea86..00000000000 --- a/docs/versioned_docs/version-v/contributing.md +++ /dev/null @@ -1,268 +0,0 @@ ---- -id: contributing -title: Contribution Guidelines ---- - - - -# Contributing to Ory Kratos - - - - -- [Introduction](#introduction) -- [FAQ](#faq) -- [How can I contribute?](#how-can-i-contribute) -- [Communication](#communication) -- [Contributing Code](#contributing-code) -- [Documentation](#documentation) -- [Disclosing vulnerabilities](#disclosing-vulnerabilities) -- [Code Style](#code-style) - - [Working with Forks](#working-with-forks) -- [Conduct](#conduct) - - - -## Introduction - -There are many ways in which you can contribute, beyond writing code. The goal -of this document is to provide a high-level overview of how you can get -involved. - -_Please note_: We take Ory Kratos's security and our users' trust very -seriously. If you believe you have found a security issue in Ory Kratos, please -responsibly disclose by contacting us at security@ory.sh. - -First: As a potential contributor, your changes and ideas are welcome at any -hour of the day or night, weekdays, weekends, and holidays. Please do not ever -hesitate to ask a question or send a pull request. - -If you are unsure, just ask or submit the issue or pull request anyways. You -won't be yelled at for giving it your best effort. The worst that can happen is -that you'll be politely asked to change something. We appreciate any sort of -contributions, and don't want a wall of rules to get in the way of that. - -That said, if you want to ensure that a pull request is likely to be merged, -talk to us! You can find out our thoughts and ensure that your contribution -won't clash or be obviated by Ory Kratos's normal direction. A great way to do -this is via [Ory Kratos Discussions](https://github.com/ory/kratos/discussions) -or the [Ory Chat](https://www.ory.sh/chat). - -## FAQ - -- I am new to the community. Where can I find the - [Ory Community Code of Conduct?](https://github.com/ory/kratos/blob/master/CODE_OF_CONDUCT.md) - -- I have a question. Where can I get - [answers to questions regarding Ory Kratos?](#communication) - -- I would like to contribute but I am not sure how. Are there - [easy ways to contribute?](#how-can-i-contribute) - [Or good first issues?](https://github.com/search?l=&o=desc&q=label%3A%22help+wanted%22+label%3A%22good+first+issue%22+is%3Aopen+user%3Aory+user%3Aory-corp&s=updated&type=Issues) - -- I want to talk to other Ory Kratos users. - [How can I become a part of the community?](#communication) - -- I would like to know what I am agreeing to when I contribute to Ory Kratos. - Does Ory have - [a Contributors License Agreement?](https://cla-assistant.io/ory/kratos) - -- I would like updates about new versions of Ory Kratos. - [How are new releases announced?](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53) - -## How can I contribute? - -If you want to start contributing code right away, we have a -[list of good first issues](https://github.com/ory/kratos/labels/good%20first%20issue). - -There are many other ways you can contribute without writing any code. Here are -a few things you can do to help out: - -- **Give us a star.** It may not seem like much, but it really makes a - difference. This is something that everyone can do to help out Ory Kratos. - Github stars help the project gain visibility and stand out. - -- **Join the community.** Sometimes helping people can be as easy as listening - to their problems and offering a different perspective. Join our Slack, have a - look at discussions in the forum and take part in our weekly hangout. More - info on this in [Communication](#communication). - -- **Helping with open issues.** We have a lot of open issues for Ory Kratos and - some of them may lack necessary information, some are duplicates of older - issues. You can help out by guiding people through the process of filling out - the issue template, asking for clarifying information, or pointing them to - existing issues that match their description of the problem. - -- **Reviewing documentation changes.** Most documentation just needs a review - for proper spelling and grammar. If you think a document can be improved in - any way, feel free to hit the `edit` button at the top of the page. More info - on contributing to documentation [here](#documentation). - -- **Help with tests.** Some pull requests may lack proper tests or test plans. - These are needed for the change to be implemented safely. - -## Communication - -We use [Slack](https://www.ory.sh/chat). You are welcome to drop in and ask -questions, discuss bugs and feature requests, talk to other users of Ory, etc. - -Check out [Ory Kratos Discussions](https://github.com/ory/kratos/discussions). -This is a great place for in-depth discussions and lots of code examples, logs -and similar data. - -You can also join our community hangout, if you want to speak to the Ory team -directly or ask some questions. You can find more info on the hangouts in -[Slack](https://www.ory.sh/chat). - -If you want to receive regular notifications about updates to Ory Kratos, -consider joining the mailing list. We will _only_ send you vital information on -the projects that you are interested in. - -Also [follow us on twitter](https://twitter.com/orycorp). - -## Contributing Code - -Unless you are fixing a known bug, we **strongly** recommend discussing it with -the core team via a GitHub issue or [in our chat](https://www.ory.sh/chat) -before getting started to ensure your work is consistent with Ory Kratos's -roadmap and architecture. - -All contributions are made via pull requests. To make a pull request, you will -need a GitHub account; if you are unclear on this process, see GitHub's -documentation on [forking](https://help.github.com/articles/fork-a-repo) and -[pull requests](https://help.github.com/articles/using-pull-requests). Pull -requests should be targeted at the `master` branch. Before creating a pull -request, go through this checklist: - -1. Create a feature branch off of `master` so that changes do not get mixed up. -1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local - changes against the `master` branch. -1. Run the full project test suite with the `go test -tags sqlite ./...` (or - equivalent) command and confirm that it passes. -1. Run `make format` if a `Makefile` is available, `gofmt -s` if the project is - written in Go, `npm run format` if the project is written for NodeJS. -1. Ensure that each commit has a descriptive prefix. This ensures a uniform - commit history and helps structure the changelog. - Please refer to this - [list of prefixes for Kratos](https://github.com/ory/kratos/blob/master/.github/semantic.yml) - for an overview. -1. Sign-up with CircleCI so that it has access to your repository with the - branch containing your PR. Simply creating a CircleCI account is sufficient - for the CI jobs to run, you do not need to setup a CircleCI project for the - branch. - -If a pull request is not ready to be reviewed yet -[it should be marked as a "Draft"](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request). - -Before your contributions can be reviewed you need to sign our -[Contributor License Agreement](https://cla-assistant.io/ory/kratos). - -This agreement defines the terms under which your code is contributed to Ory. -More specifically it declares that you have the right to, and actually do, grant -us the rights to use your contribution. You can see the Apache 2.0 license under -which our projects are published -[here](https://github.com/ory/meta/blob/master/LICENSE). - -When pull requests fail testing, authors are expected to update their pull -requests to address the failures until the tests pass. - -Pull requests eligible for review - -1. follow the repository's code formatting conventions; -2. include tests which prove that the change works as intended and does not add - regressions; -3. document the changes in the code and/or the project's documentation; -4. pass the CI pipeline; -5. have signed our - [Contributor License Agreement](https://cla-assistant.io/ory/kratos); -6. include a proper git commit message following the - [Conventional Commit Specification](https://www.conventionalcommits.org/en/v1.0.0/). - -If all of these items are checked, the pull request is ready to be reviewed and -you should change the status to "Ready for review" and -[request review from a maintainer](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review). - -Reviewers will approve the pull request once they are satisfied with the patch. - -## Documentation - -Please provide documentation when changing, removing, or adding features. -Documentation resides in the project's -[docs](https://github.com/ory/kratos/tree/master/docs) folder. Generate API and -configuration reference documentation using `cd docs; npm run gen`. - -For further instructions please head over to -[docs/README.md](https://github.com/ory/kratos/blob/master/README.md). - -## Disclosing vulnerabilities - -Please disclose vulnerabilities exclusively to -[security@ory.sh](mailto:security@ory.sh). Do not use GitHub issues. - -## Code Style - -Please follow these guidelines when formatting source code: - -- Go code should match the output of `gofmt -s` and pass `golangci-lint run`. -- NodeJS and JavaScript code should be prettified using `npm run format` where - appropriate. - -### Working with Forks - -``` -# First you clone the original repository -git clone git@github.com:ory/ory/kratos.git - -# Next you add a git remote that is your fork: -git remote add fork git@github.com:/ory/kratos.git - -# Next you fetch the latest changes from origin for master: -git fetch origin -git checkout master -git pull --rebase - -# Next you create a new feature branch off of master: -git checkout my-feature-branch - -# Now you do your work and commit your changes: -git add -A -git commit -a -m "fix: this is the subject line" -m "This is the body line. Closes #123" - -# And the last step is pushing this to your fork -git push -u fork my-feature-branch -``` - -Now go to the project's GitHub Pull Request page and click "New pull request" - -## Conduct - -Whether you are a regular contributor or a newcomer, we care about making this -community a safe place for you and we've got your back. - -- We are committed to providing a friendly, safe and welcoming environment for - all, regardless of gender, sexual orientation, disability, ethnicity, - religion, or similar personal characteristic. -- Please avoid using nicknames that might detract from a friendly, safe and - welcoming environment for all. -- Be kind and courteous. There is no need to be mean or rude. -- We will exclude you from interaction if you insult, demean or harass anyone. - In particular, we do not tolerate behavior that excludes people in socially - marginalized groups. -- Private harassment is also unacceptable. No matter who you are, if you feel - you have been or are being harassed or made uncomfortable by a community - member, please contact one of the channel ops or a member of the Ory Kratos - core team immediately. -- Likewise any spamming, trolling, flaming, baiting or other attention-stealing - behaviour is not welcome. - -We welcome discussion about creating a welcoming, safe, and productive -environment for the community. If you have any questions, feedback, or concerns -[please let us know](https://www.ory.sh/chat). diff --git a/docs/versioned_docs/version-v/debug/csrf.mdx b/docs/versioned_docs/version-v/debug/csrf.mdx deleted file mode 100644 index 349eeecadb4..00000000000 --- a/docs/versioned_docs/version-v/debug/csrf.mdx +++ /dev/null @@ -1,147 +0,0 @@ ---- -id: csrf -title: Common Cookie and CSRF Pitfalls ---- - -import useBaseUrl from '@docusaurus/useBaseUrl' -import CodeFromRemote from '@theme/CodeFromRemote' - -Because Ory Kratos is not just an API, but instead talks to your users' browsers -directly, several security measures have been implemented in Ory Kratos. One of -them is protection against CSRF: - -> CSRF is an attack that tricks the victim into submitting a malicious request. -> It inherits the identity and privileges of the victim to perform an undesired -> function on the victim’s behalf. For most sites, browser requests -> automatically include any credentials associated with the site, such as the -> user’s session cookie, IP address, Windows domain credentials, and so forth. -> Therefore, if the user is currently authenticated to the site, the site will -> have no way to distinguish between the forged request sent by the victim and a -> legitimate request sent by the victim. -> -> [Source](https://owasp.org/www-community/attacks/csrf) - -To protect against CSRF, several endpoints are protected by Anti-CSRF measures. -Typically, endpoints accepting `POST`, `DELETE`, `PUT` actions have Anti-CSRF -measures. When rendering a form for example, a -`` HTML Input Element is -added. Ory Kratos compares that value to the value set in the Anti-CSRF Cookie. -If the values match, the request is allowed. - -Ory Kratos uses HTTP Cookies to store login sessions when accessed via a -browser. - -## Common Pitfalls - -Sometimes, cookies and CSRF just wont work - all requests end up with a 401 -Unauthorized or 400 Bad Request. Here are some common causes and easy fixes if -that happens to you! - -Before starting to debug cookie and CSRF issues, make sure to check out the -Chrome Developer Tools (or any comparable technology) Cookies tabs in the -Application tab - -Google Chrome Developer Tools - Application Tab - Cookies - -as well as the network tab - look for `Cookie` and `Set-Cookie` HTTP Headers: - -Google Chrome Developer Tools - Network Tab - Cookies - -### SameSite Attribute - -If you run Ory Kratos in `--dev` mode, it disables `SameSite=Lax` as Google -Chrome rejects all cookies that have `SameSite=Lax` but have `secure` set to -`false`. If you require `SameSite=Lax`, you need to run Ory Kratos with HTTPS -and not use the `--dev` flag. - -### Ory Kratos running over HTTP without dev-mode enabled - -Ory Kratos' cookies have the `Secure` flag enabled by default. This means that -the browser will not send the cookie unless the URL is a HTTPS URL. If you want -Ory Kratos to work with HTTP (e.g. on localhost) you can add the `--dev` flag: -`kratos serve --dev`. - -Do not do this in production! - -### Running on separate (sub-)domains - -Cookies work best on the same domain. While it is possible to get cookies -running on subdomains it is not possible to do that across Top Level Domains -(TLDs). - -Make sure that your application (e.g. the SecureApp from the quickstart) and Ory -Krato's Public API are available on the same domain - preferably without -subdomains. Hosting both systems and routing paths with a Reverse Proxy such as -Nginx or Envoy or AWS API Gateway is the best solution. For example, routing -`https://my-website/kratos/...` to Ory Kratos and `https://my-website/dashboard` -to the SecureApp's Dashboard. Alternatively you can use piping in your app as we -do in the Quickstart guide. - -We do not recommend running them on separate subdomains, e.g. -`https://kratos.my-website/` and `https://secureapp.my-website/`. - -To allow cookies to work across subdomains, make sure to set the domain name in -the Kratos config file under -[`session.cookie.domain`](https://www.ory.sh/kratos/docs/next/guides/configuring-cookies/#session-cookies). - -Running the apps on different TLDs will not work at all, e.g. -`https://kratos-my-website/` and `https://secureapp-my-website/`. - -Running the services on different ports however is ok, if the domain stays the -same. - -### Mixing up 127.0.0.1 and localhost - -As already explained, make sure that the TLD stays the same. This is especially -true for `127.0.0.1` and `localhost` which are both separate TLDs. Make sure -that you use `127.0.0.1` or `localhost` consistently across your configuration! - -### Trying to access Ory Kratos Cookies from client-side JavaScript - -The cookies Ory Kratos sets cannot be accessed directly from Client-Side -JavaScript because the `HttpOnly` flag is set. This flag cannot be modified! - -### Accessing Ory Kratos APIs from client-side JavaScript / AJAX - -When implementing a Single Page App (SPA) using AngularJS or ReactJS you -probably want to access Ory Krato's Public APIs. - -To prevent several attack vectors, Ory Krato's Public API is protected - even -for some GET requests - with Anti-CSRF measures. - -Because AJAX does not send cookies per default, you need to configure your AJAX -request to include cookies. Using the Browser's `fetch` function, you need to -set -[`credentials: 'include'`](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch#Parameters) -for example. - -### Accessing Ory Kratos APIs from a server-side application - -When implementing a server-side application (e.g. in PHP, Java, Go, NodeJS, ...) -make sure to include the `Cookie` header from the client when fetching the -self-service flows (e.g. `GET /self-service/login/flows?id=...`): - -```ts -export default (req: Request, res: Response) => { - // ... - kratos.getSelfServiceLoginFlow(flow, req.header('cookie')) -} -``` - -A complete example looks as follows: - - - -Without forwarding the `Cookie` HTTP Header it will not be possible to fetch the -flow due to a security error. This protection prevents accidental leak of -personal information when users copy/paste, for example, the login URL. diff --git a/docs/versioned_docs/version-v/debug/debug-docker-delve-ory-kratos.mdx b/docs/versioned_docs/version-v/debug/debug-docker-delve-ory-kratos.mdx deleted file mode 100644 index 2f000655e87..00000000000 --- a/docs/versioned_docs/version-v/debug/debug-docker-delve-ory-kratos.mdx +++ /dev/null @@ -1,141 +0,0 @@ ---- -id: debug-docker-delve-ory-kratos -title: Debugging Ory Kratos in Docker with Delve ---- - -Very often, there is a need to debug Kratos being deployed as a Docker image. To -support this, Kratos ships with a couple of files: - -- The `Dockerfile-debug` file, which you can find in the `.docker` directory. -- The `docker-compose.template.dbg` file, which you can find in the same - directory. This file defines a template for a service, one would like to debug - in Docker -- and a supplementary `debug-entrypoint.sh` skript, located in the `script` - directory. - -Actually, these files do not include any Kratos specifica and thus can be used -for any Golang based project. As you already could infer, this support is meant -to be used in a docker-compose setup as described below. You can however run it -as a standalone Docker container as well. You can find some information on how -to achieve this at the end of this document. - -## As part of a docker-compose setup - -Imagine you have the following project structure: - -- docker-compose - a directory containing your `docker-compose.yaml` file -- kratos - a directory containing the Kratos code -- kratos-frontend - a directory containing a frontend application for Kratos - -The `docker-compose.yml` mentioned above could look as follows: - -```yaml -version: '3.7' - -volumes: - postgres-db: - -services: - postgresd: - image: postgres:9.6 - ports: - - '5432:5432' - volumes: - - type: volume - source: postgres-db - target: /var/lib/postgresql/data - read_only: false - environment: - - PGDATA=/var/lib/postgresql/data/pgdata - - POSTGRES_PASSWORD=secret - - POSTGRES_USER=kratos - - kratos-migrate: - image: kratos - build: - context: ../kratos - dockerfile: ./.docker/Dockerfile-build - environment: - - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 - volumes: - - type: bind - source: path-to-kratos-config - target: /etc/config/kratos - command: migrate sql -e --yes - depends_on: - - postgresd - - kratos: - image: kratos - build: - context: ../kratos - dockerfile: ./.docker/Dockerfile-build - depends_on: - - kratos-migrate - ports: - - '4433:4433' # public - - '4434:4434' # admin - command: serve -c /etc/config/kratos/kratos.yml --watch-courier --dev - volumes: - - type: bind - source: path-to-kratos-config - target: /etc/config/kratos - - kratos-frontend: - image: kratos-frontend - build: - context: ../kratos-kratos-frontend - dockerfile: ./Dockerfile - env_file: - - file-containing-all-required-configuration.env -``` - -To enable debugging of Kratos without changing the above docker-compose file, -you can do the following (from the docker-compose directory): - -```bash -SERVICE_NAME=kratos SERVICE_ROOT=../kratos REMOTE_DEBUGGING_PORT=9999 envsubst < ../kratos/.docker/docker-compose.template.dbg \ - > docker-compose.kratos.tmp -docker-compose -f docker-compose.yaml -f docker-compose.kratos.tmp up --build -d kratos -``` - -The first line will create an overwrite docker-compose file to have a debug -configuration for the kratos service. The second line will start a debug -container by - -- mounting your `kratos` directory into the resulting Docker container, -- downloading Delve, -- building Kratos inside the container, -- starting it in Delve with the arguments, you've defined in your regular - docker-compose file - in the example above, this would be - `serve -c /etc/config/kratos/kratos.yml --watch-courier --dev` - and -- watching for changes on any go file within the mounted code base. - -Each time you change a .go file, the Delve process will be stopped, Kratos will -be recompiled and Delve will be started again. With other words, you'll have to -re-connect with your debugger again after each change. - -As you can see from the above usage, the `docker-compose.template.dbg` template -expects the following variables to be defined: - -- `SERVICE_ROOT` - the root directory of the service to be started in the debug - mode. -- `SERVICE_NAME` - the name of the service from the docker-compose file. -- `REMOTE_DEBUGGING_PORT` - the host port, the Delve listening port should be - exposed as. This is the port you should connect your remote debugger to. - -If you run docker-compose this way, the container run with debugging enabled -will wait until the debugger connects. If your IDE supports remote debugging, -set host to `localhost` and port to the value, you've used for -`REMOTE_DEBUGGING_PORT` in your remote debugging configuration. - -## As a standalone Docker container - -If you just would like to start Kratos in a container in debug mode, you can -just use the `Dockerfile-debug` file instead of the regular `Dockerfile`. Make -however sure your build context in the root directory of Kratos and not the -`.docker` directory. In your IDE the debug configuration has to reference that -file. In addition, you'll have to expose the Delve service port 40000 under the -port 8000, as well as the actual port of the service, you'll like to access from -your host, configure the bind mounts and set the run options to -`--security-opt="apparmor=unconfined" --cap-add=SYS_PTRACE`. diff --git a/docs/versioned_docs/version-v/debug/performance-out-of-memory-password-hashing-argon2.md b/docs/versioned_docs/version-v/debug/performance-out-of-memory-password-hashing-argon2.md deleted file mode 100644 index af99f00c920..00000000000 --- a/docs/versioned_docs/version-v/debug/performance-out-of-memory-password-hashing-argon2.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -id: performance-out-of-memory-password-hashing-argon2 -title: Performance Problems and Out Of Memory Panics Caused by Password Hashing ---- - -:::info - -This page only applies to you if you use Argon2 instead of BCrypt hashing - -::: - -To securely check if passwords match, Ory Kratos stores the Argon2 hash of every -password. This algorithm has to be tuned to match the desired security level as -well as responsiveness. Because it is not easy to determine the exact values -without trying them out, Ory Kratos comes with a -[CLI](../cli/kratos-hashers-argon2-calibrate.md) that automatically calibrates -the values, following best practices. You can read more about these best -practices in our -[blog post](https://www.ory.sh/choose-recommended-argon2-parameters-password-hashing/). - -## Common Errors - -There are some errors that indicate your Argon2 parameters need adjustment: - -1. Very slow login and registration requests, might cause network timeouts; -2. Ory Kratos fails with `fatal error: runtime: out of memory`; -3. The host environment (e.g. Minikube, Docker, Kubernetes...) crashes or - becomes unresponsive; - -In any of these cases, try reducing the resources used by Argon2 or increasing -the resources available to Kratos. Use the -[Argon2 calibrate CLI](../cli/kratos-hashers-argon2-calibrate.md) to detect the -best practice values for your server. Note that the calibration has to be done -under the exact same conditions that the server runs at. diff --git a/docs/versioned_docs/version-v/fallback/default_return_to.mdx b/docs/versioned_docs/version-v/fallback/default_return_to.mdx deleted file mode 100644 index 6a3408b9bbb..00000000000 --- a/docs/versioned_docs/version-v/fallback/default_return_to.mdx +++ /dev/null @@ -1,17 +0,0 @@ ---- -id: default_return_to -title: This should be the Error UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - default_browser_return_url: http://my-app.com/dashboard -``` - -You can set this configuration value using environment variable -`SELFSERVICE_DEFAULT_BROWSER_RETURN_URL` as well! - -If you don't know what that means, head over to -[Self-Service Flow Completion](../concepts/browser-redirect-flow-completion.mdx)! diff --git a/docs/versioned_docs/version-v/fallback/error.mdx b/docs/versioned_docs/version-v/fallback/error.mdx deleted file mode 100644 index 8b7c781d012..00000000000 --- a/docs/versioned_docs/version-v/fallback/error.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: error -title: This should be the Error UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - flows: - error: - ui_url: http://my-app.com/error -``` - -You can set this configuration value using environment variable -`SELFSERVICE_FLOWS_ERROR_UI_URL` as well! - -If you don't know what that means, head over to -[User-Facing Error](../self-service/flows/user-facing-errors.md)! diff --git a/docs/versioned_docs/version-v/fallback/login.mdx b/docs/versioned_docs/version-v/fallback/login.mdx deleted file mode 100644 index 766d10f8f4a..00000000000 --- a/docs/versioned_docs/version-v/fallback/login.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: login -title: This should be the Login UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - flows: - login: - ui_url: http://my-app.com/login -``` - -You can set this configuration value using environment variable -`SELFSERVICE_FLOWS_LOGIN_UI_URL` as well! - -If you don't know what that means, head over to -[Self-Service User Login](../self-service/flows/user-login.mdx)! diff --git a/docs/versioned_docs/version-v/fallback/mfa.mdx b/docs/versioned_docs/version-v/fallback/mfa.mdx deleted file mode 100644 index a6af76320da..00000000000 --- a/docs/versioned_docs/version-v/fallback/mfa.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: mfa -title: This should be the Mfa UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - flows: - mfa: - ui_url: http://my-app.com/mfa -``` - -You can set this configuration value using environment variable -`SELFSERVICE_FLOWS_MFA_UI_URL` as well! - -If you don't know what that means, head over to our -[MFA Documentation](../self-service/flows/2fa-mfa-multi-factor-authentication.md)! diff --git a/docs/versioned_docs/version-v/fallback/recovery.mdx b/docs/versioned_docs/version-v/fallback/recovery.mdx deleted file mode 100644 index b778bda9b88..00000000000 --- a/docs/versioned_docs/version-v/fallback/recovery.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: recovery -title: This should be the Recovery UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - flows: - recovery: - ui_url: http://my-app.com/recovery -``` - -You can set this configuration value using environment variable -`SELFSERVICE_FLOWS_RECOVERY_UI_URL` as well! - -If you don't know what that means, head over to our -[User Verification](../self-service/flows/account-recovery)! diff --git a/docs/versioned_docs/version-v/fallback/registration.mdx b/docs/versioned_docs/version-v/fallback/registration.mdx deleted file mode 100644 index fb296e86a4f..00000000000 --- a/docs/versioned_docs/version-v/fallback/registration.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: registration -title: This should be the Registration UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - flows: - registration: - ui_url: http://my-app.com/registration -``` - -You can set this configuration value using environment variable -`SELFSERVICE_FLOWS_REGISTRATION_UI_URL` as well! - -If you don't know what that means, head over to -[Self-Service User Registration](../self-service/flows/user-registration.mdx)! diff --git a/docs/versioned_docs/version-v/fallback/settings.mdx b/docs/versioned_docs/version-v/fallback/settings.mdx deleted file mode 100644 index e06a78bc053..00000000000 --- a/docs/versioned_docs/version-v/fallback/settings.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: settings -title: This should be the Settings UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - flows: - settings: - ui_url: http://my-app.com/settings -``` - -You can set this configuration value using environment variable -`SELFSERVICE_FLOWS_SETTINGS_UI_URL` as well! - -If you don't know what that means, head over to -[User Settings](../self-service/flows/user-settings.mdx)! diff --git a/docs/versioned_docs/version-v/fallback/verification.mdx b/docs/versioned_docs/version-v/fallback/verification.mdx deleted file mode 100644 index b093e2c1c52..00000000000 --- a/docs/versioned_docs/version-v/fallback/verification.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: verification -title: This should be the Verify UI ---- - -You ended up here because you did not set the following configuration value: - -```yaml title="path/to/kratos/config.yml -selfservice: - flows: - verification: - ui_url: http://my-app.com/verify -``` - -You can set this configuration value using environment variable -`SELFSERVICE_FLOWS_VERIFICATION_UI_URL` as well! - -If you don't know what that means, head over to our -[User Verification](../self-service/flows/verify-email-account-activation.mdx)! diff --git a/docs/versioned_docs/version-v/faq.mdx b/docs/versioned_docs/version-v/faq.mdx deleted file mode 100644 index 5240a221525..00000000000 --- a/docs/versioned_docs/version-v/faq.mdx +++ /dev/null @@ -1,255 +0,0 @@ ---- -id: faq -title: Frequently Asked Questions (FAQ) ---- - - - -import { Question, FaqTags } from '@theme/Faq' - - -
-
- - - #kratos #secrets #config -

- Q: Is it possible to pass multiple system.secret values - through the ENV, or do you have to use a config file for that? -

-

- A: Yes, you can set them as environmental variable, you - just have to separate them using a ,. More info on these - conventions in the documentation:{' '} - - Setting configuration values via environmental variables - - . -

- - -
- - #kratos #database -

- Q: We want to seperate our customers and employees, so we - store them in different databases. But we would like to have them use the - same login dialog for our portal. How can I achieve that with Ory Kratos? -

-

- A: You can deploy Ory Kratos two times, and use the same - login UI pointing to two different Kratos login endpoints -{' '} - /login/customer or /login/employee, either by - having two different login routes, or by adding some logic to your login UI - that reroutes customers to /login/customer and employees to{' '} - /login/employee. So you define the same login or registration - UI URLs in both of the Kratos configurations. You may need to tell your - login/registration UI which Kratos it is supposed to talk to. The instances - are cheap to deploy and the databases are completely isolated from each - other. For example something like /login/customer and{' '} - /login/employee. -

- - -
- - #kratos #ecosystem -

- Q: Is the code audited by an independent entity and is - there a bug bounty program? -

-

- A: We will do that when the APIs and core are stable. A bug - bounty program is in the making but not done yet. If you are a security - researcher and interested in working on Kratos, please reach out to{' '} - security@ory.sh. -

- - -
- - #kratos #user #validation #traits -

- Q: What is the correct flow to sanitize the username and - make sure it satisfies a specific regex (e.g. only alphanumeric characters)? -

-

- A: In the Identity Schema using{' '} - - Regular Expressions - - . To sanitize usernames coming from third-party OIDC providers like Google or - GitHub you write jsonnet code. -

- - -
- - #kratos #registration #cors -

- Q: I am currently trying to get the Kratos registration - flow working on a react app that I am creating. I am having CORS issues with - the completeSelfServiceRegistrationFlowWithPasswordMethod call when using - the @oryd/kratos-client JS package. -

-

- A: You are using AJAX to submit the form. This is not - supported right now. You need to submit a regular HTML form. Do not use - AJAX. Do not use fetch. Let the user click the submit button and do not do - anything. AJAX will be better supported starting Kratos v0.6. -

- - -
- - #kratos #traits #feature -

- Q: Is the ability to freeze certain identity fields after - registration anywhere on the roadmap? Also I want read-only or hidden - user-specific data. Can I use traits for that? Example: Some of our identity - trait fields may be the subject to identity validation ( - - know your customer - - ). Once they are validated we do not allow the identity to be edited by the end-user. -

-

- A: Currently traits are visible to the user and also - editable by them. It makes sense to have read-only and/or hidden traits for - users, but we can not give an exact timing when this will be available. - There is an open issue for this feature: - Issue. -

- - -
- - #kratos #hooks #feature -

- Q: Are there plans to provide hooks on - registration/login/logouts/identity updates? -

-

- A: Yes! See these issues for more information on the - current progress:{' '} - - Feature Request: Webhooks - {' '} - and{' '} - - Implement RPC After Hook - - . -

- - -
- - #kratos #registration #traits -

- Q: How can I verify beforehand if a username is available - during registration? -

-

- A: You can not right now. It would allow account - enumeration attacks. See also the{' '} - - section in the documentation - - . -

- - -
- - #kratos #database #migration #feature -

- Q: Do have plans to support user migration scenarios - similar to auth0 automatic migrations? E.g. configure a callback to the - legacy system when you cannot find the corresponding user, and store the - identity on successful legacy system response. -

-

- A: No plans yet, but migration is an important piece of the - puzzle. We will focus on importing existing users first. An alternative to - callback and custom code is fronting the legacy system with Ory Hydra - (OAuth2/OIDC Server) and then using that as an upstream in Ory Kratos. -

- - -
- - #kratos #security -

- Q: Do you have protection or plans for brute force attacks - i.e. repetitive login attempts? Leaked database scans? -

-

- A: See the following document:{' '} - - Ory Kratos Security Measures - -

- - -
- - #kratos #oidc #traits -

- Q: How do I append a random suffix e.g. a number to OIDC - usernames if the username returned by a provider is already taken. -

-

- A: You can use the md5 function built in the{' '} - jsonnet standart library. - See the following issue as well:{' '} - - Add random function to the jsonnet library - - . -

- - -
- - #kratos #spa -

- Q: I want to implement a single-page-app (SPA). Is this - possible with Ory Kratos? -

-

- A: Yes, definitely. We do not have an example-app (yet). - Also, you might not get around some page-reloads as you definitely should, - as it is not possible to use the API flows in the browser. This is important - to prevent{' '} - - CSRF attacks - - . So hopefully you are not too strict with your SPA. A sample app is being worked - on here: - Implement React SPA sample app - . -

- - -
diff --git a/docs/versioned_docs/version-v/further-reading/comparison.md b/docs/versioned_docs/version-v/further-reading/comparison.md deleted file mode 100644 index a3c561f425c..00000000000 --- a/docs/versioned_docs/version-v/further-reading/comparison.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -id: comparison -title: Comparison ---- - -This document will provide you with an overview of how Ory Kratos compares to -other projects and products. diff --git a/docs/versioned_docs/version-v/further-reading/contrib.md b/docs/versioned_docs/version-v/further-reading/contrib.md deleted file mode 100644 index 46044970c42..00000000000 --- a/docs/versioned_docs/version-v/further-reading/contrib.md +++ /dev/null @@ -1,18 +0,0 @@ -This file is meant to collect community contributions (such as articles and how -to's) which will later be merged into appropriate sections. - - diff --git a/docs/versioned_docs/version-v/further-reading/kratos-video-tutorials.mdx b/docs/versioned_docs/version-v/further-reading/kratos-video-tutorials.mdx deleted file mode 100644 index 7a862c7ed01..00000000000 --- a/docs/versioned_docs/version-v/further-reading/kratos-video-tutorials.mdx +++ /dev/null @@ -1,156 +0,0 @@ ---- -id: kratos-video-tutorials -title: Video Tutorials ---- - -In this document we will gather video guides for Ory Kratos. - -Below each video you will find a transcript of the video. If you think we can -improve the video or should make any other changes, you can open an issue here. - - -
Transcript Kratos Quickstart - -Welcome to the Quickstart Introduction of Ory Kratos on Windows. - -First of all you need Docker Desktop and Git to launch this quickstart. - -You will find download links for those in the description. - -I already have my git bash open here and I am starting Docker now. - -Next I will open my browser to navigate to the Kratos Quickstart. - -If you have not already read the whole quickstart, I really recommend it, but I -will focus on the practical steps now. - -So scroll down a little bit and you will see the commands you have to put into -your console to get Kratos running. - -The first command here will clone the Kratos repository to your machine. - -This will take a little bit depending on your internet speed. - -Then you want to set your directory to your Kratos directory and lastly switch -the branch to the 0.3.0alpha version, since this is the version this quickstart -is tailored to. - -As I don't have make installed, I need to docker pull the latest SQL and the -self service as well, that is our SecureApp. - -And now we have all the building parts ready and can use the docker-compose -command to get this thing going. - -So just copy the docker-compose command and cross your fingers that everything -will work correctly. - -This part can actually take a few minutes, but once the output has slowed down -you can see the last two lines here indicate that everything has been set up and -everything is working fine. - -Now we can actually test our SecureApp login and registration. - -So I go back to the quickstart and scroll down where we find the URL to our -SecureApp dashboard. - -In this case I will just use my email to create an account and I will use a very -secure password, which in this case actually "securepassword". - -But oh look, there is an error already since this password is not actually -secure but has been found in more than 200 data leaks, so this is some basic -security that is already set up in your SecureApp. - -And I will try this again with an actually secure password now, I copied it down -in my notepad here. And there we are, we are logged in, everything has worked -correctly. - -Here you will see a bunch of information about your login. - -Now I want to show you the email confirmation real quick. Since we actually -didn't send an email to a real address, but are using Mailslurper as a testing -environment, you can go back to the quickstart page and scroll down a little -bit, there is the url. - -Just click on it and you will see there is our email. And there it is, we have -confirmed our email. - -Now I will logout once more and see if we can get back in. And it seems to work -fine, very nice! - -This is the basic quickstart for Kratos on Windows and I hope this video will -help to get you started. - -If you have any further questions, please leave a comment or visit our community -forum or slack, the links are in the description. - -Don't forget to star us on github and like, subscribe for more upcoming -tutorials. - -
- - - -
Transcript Kratos Sign in with Github - -Welcome to the Sign in with Github Tutorial for Ory Kratos. - -This continues where we left off with the Quickstart Tutorial for Kratos, so if -you haven’t done the Quickstart already, check that out. - -To be able to offer “Sign in with github” you have to create a GitHub OAuth2 -Client. - -So you go to your settings page on your github profile, then developer settings, -then OAuth apps, then register a new application. - -You can pick any name that suits you, then put the Kratos login in the homepage -url, that is the port 4455 on your localhost. - -You use this port in the quickstart for our SecureApp. If you are not familiar -with this self service app, check the links in the description. - -Next you put in the Authorization callback URL. This URL is built really simple, -so first you have the kratos domain and the port and just at the end you put in -the OIDC provider ID, in this case github. - -This provider ID must point to the provider's ID set in the Ory Kratos -configuration file. - -I’ll link a document in the description, that explains this in more detail, also -how you can implement any other OIDC provider. - -Now navigate to the Kratos directory and create a new file. - -If you are unsure where your kratos directory is (in my case it is my Git -folder) you can look it up on docker. - -Now you have to create a JSONNNET code for the provider in this case github. so -you just copy this code, create a new file called O ID C dot github dot jsonnet -and save - -Next you enable the OIDC provider in the Kratos configuration located in the -same directory. Just copy this part of the code, this is basically what Kratos -needs to understand your OIDC provider. Just copy it in your configuration file -and save. - -The final step to get this working is to get the client id and the client secret -. Those are provided to you by the Github oauth app. You input those into your -kratos yaml and now it should be ready to go! - -Now navigate to the login of your selfservice app and you should see “login with -github”. - -Once your account is authorized you will be redirected to the login page and you -can login with github now. - -That was it for this tutorial, if you like to know more check the links in the -description, if you have any feedback leave me a message in the comment section. -and I'm looking forward to seeing you in the next one! - -
diff --git a/docs/versioned_docs/version-v/guides/2fa.mdx b/docs/versioned_docs/version-v/guides/2fa.mdx deleted file mode 100644 index d60f5ea331b..00000000000 --- a/docs/versioned_docs/version-v/guides/2fa.mdx +++ /dev/null @@ -1,391 +0,0 @@ ---- -id: 2fa -title: Add Two Factor Authentication (2FA) to your App -slug: /two-factor-authentication-2fa-mfa -sidebar_label: Add 2FA to your App ---- - -Ory Kratos supports two-factor authentication. Depending on the devices used, -you might want to call this two-factor verification depending on which features -you have enabled. Learn more about the distinction between two-factor -authentication and two-factor verification in this excellent -[1password](https://blog.1password.com/totp-for-1password-users/) blog post! - -There are four key components available in Ory Kratos with regard to -multi-factor authentication. For this guide, we will assume that you are using -the Ory Cloud Managed UI available at -[github.com/ory/kratos-selfservice-ui-node](https://github.com/ory/kratos-selfservice-ui-node). -At the end of this guide you will find details and ideas on how to implement -your own UI with Ory Kratos' MFA features. - -## Terminology - -Before we start let's establish the key terminology to make the following -sections easier to understand! - -### Authenticator Assurance Level (AAL) - -The Authenticator Assurance Level (AAL) has two possible values: - -- `aal1`: Implies that the identity has completed only one authentication factor - (`password`, `oidc`). -- `aal2`: Implies that the identity has completed the first (`password`, `oidc`) - and the second (`totp`, `lookup_secrets`, `webauthn`) authentication factor - (e.g.: `password` + `totp`, `oidc` + `webauthn`, ...). First authentication - factors can not be combined to gain `aal2` (e.g. `password` + `oidc` = `aal1`, - not `aal2`)! - -### Authentication Method Reference (AMR) - -The Authentication Method Reference (AMR) is an array of authentication methods -that were used over the lifetime of an Ory Session. In an Ory Session, this will -have the following layout: - -```json5 title="Example Ory Session JSON Payload" -{ - id: '6b51a3f2-6a2c-4557-90a8-4e23de7072aa', - active: true, - // ... - authenticator_assurance_level: 'aal2', - authentication_methods: [ - { - method: 'password', - completed_at: '2021-10-14T09:37:53.872104Z' - }, - { - method: 'lookup_secret', - completed_at: '2021-10-14T09:41:16.771859Z' - } - ] - // ... -} -``` - -The methods can be one of `password`, `oidc`, `totp`, `webauthn`, -`lookup_secrets`. A method can be included more than once, for example when the -identity refreshes their Ory Session by re-authenticating with e.g. their -password: - -```json5 title="Example Ory Session JSON Payload" -{ - id: '6b51a3f2-6a2c-4557-90a8-4e23de7072aa', - active: true, - // ... - authenticator_assurance_level: 'aal2', - authentication_methods: [ - { - method: 'password', - completed_at: '2021-10-14T09:37:53.872104Z' - }, - { - method: 'lookup_secret', - completed_at: '2021-10-14T09:41:16.771859Z' - }, - { - method: 'password', - completed_at: '2021-10-14T12:00:00.134567Z' - } - ] - // ... -} -``` - -## Strict and Lax Multi-Factor Authentication - -Before jumping into the concrete MFA modules, we take a lok at "Soft -Multi-Factor Authentication". Ory Kratos has two endpoints which require an Ory -Session Token or Ory Session Cookie to function: - -- [`/sessions/whoami`](../reference/api.mdx#operation/toSession) -- The [self-service setting flow](../self-service/flows/user-settings.mdx) - -When you enable one of the 2FA methods, you can configure when an Ory Session -Token or Ory Session Cookie is considered "valid" for these two endpoints: - -```yaml title="kratos.config.yml" -# ... -selfservice: - flows: - settings: - required_aal: aal1 -# ... -session: - whoami: - required_aal: aal1 -# ... -``` - -The field `required_aal` can be one of: - -- `highest_available` (default): If set, requires identities who have set up a - second factor (e.g. `totp`, `webauthn`) to have an Ory Session where both - factors (e.g. `password` + `totp`) have been used to authenticated. -- `aal1`: Even if an identity has a second factor set up, an Ory Session with - only one factor (e.g. `oidc`, `password`) is enough to access it. - -For example, if you want your users to sign in without forcing the second -factor, you could set: - -```yaml title="kratos.config.yml" -# ... -session: - whoami: - required_aal: aal1 -# ... -``` - -When the user is doing something that needs more security (e.g. a bank -transfer), you could add a check which only allows Ory Sessions that have `aal2` -to access that feature. - -The Ory Session, which you can get by calling the -[`/sessions/whoami`](../reference/api.mdx#operation/toSession) endpoint, -contains the session's `authenticator_assurance_level`. For a session which only -completed the first factor, this would be: - -```json5 title="GET /session/whoami" -{ - id: '6b51a3f2-6a2c-4557-90a8-4e23de7072aa', - active: true, - // ... - authenticated_at: '2021-10-14T09:37:53.877216Z', - authenticator_assurance_level: 'aal1' - // ... -} -``` - -A session that has completed the second factor, this would be: - -```json5 title="GET /session/whoami" -{ - id: '6b51a3f2-6a2c-4557-90a8-4e23de7072aa', - active: true, - // ... - authenticated_at: '2021-10-14T09:37:53.877216Z', - authenticator_assurance_level: 'aal2' - // ... -} -``` - -If `highest_available` is configured for the `/session/whoami` endpoint, then -Ory Kratos will instruct the user interface - if it is a browser flow - to -redirect to the 2FA screen after the end-user signs in with their first factor. - -## Requesting Second Factor Authentication - -When an end-user is signed in you may prompt them to provide their second factor -by initiating a new Login using the -[`/self-service/login/browser`](../reference/api#operation/initializeSelfServiceLoginFlowForBrowsers) -or -[`/self-service/login/api`](../reference/api#operation/initializeSelfServiceLoginFlowWithoutBrowser) -API and setting the `aal` parameter to `aal2`. Once the end-user has provided -their second factor, the method (e.g. `totp`) will be added to the Or Session -AMR, the Ory Session AAL will be set to `aal2`, and `authenticated_at` will be -set to the current time. - -``` -/self-service/login/browser?aal=aal2 -/self-service/login/api?aal=aal2 -``` - -If the Ory Session has `aal2` already, this will error. In that case you can -request to refresh the session using the second factor: - -``` -/self-service/login/browser?refresh=true&aal=aal2 -/self-service/login/api?refresh=true&aal=aal2 -``` - -## Time-Based One-Time Password (TOTP) / Authenticator App - -Time-Based One-Time Password (TOTP) is a standardized algorithm (see -[RFC6238](https://datatracker.ietf.org/doc/html/rfc6238)) that is used by apps -supported by apps like Google Authenticator -([iOS](https://apps.apple.com/us/app/google-authenticator/id388497605), -[Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2)), -[1Password](https://support.1password.com/one-time-passwords/), -[Bitwarden](https://bitwarden.com/help/article/authenticator-keys/), and many -others. - -![Google Authenticator App](../images/totp-google-auth-app.png) - -You can enable TOTP in your Ory Kratos config: - -```yaml title="kratos.config.yml" -selfservice: - methods: - totp: - enabled: true - config: - # The issuer (e.g. a domain name) will be shown in the TOTP app (e.g. Google Authenticator). It helps the user differentiate between different codes. - issuer: Example.com -``` - -To help the user identify the correct code in their TOTP authenticator app, you -should set the `issuer` (see code example above) to your brand name or domain -name. However, users might have multiple identities registered in your system. -To help them distinguish between them, you can specify a traits in your Identity -Schema which should be the TOTP account name (in the screenshot above -`alice@example.org`): - -```patch title="identity.schema.json" -{ - $schema: 'http://json-schema.org/draft-07/schema#', - type: 'object', - properties: { - traits: { - type: 'object', - properties: { - email: { - type: 'string', - format: 'email', - title: 'Your E-Mail', - minLength: 3, - 'ory.sh/kratos': { - credentials: { - // ... -+ totp: { -+ account_name: true -+ } - } - // ... - } - } - // ... - } - // ... - } - } -} -``` - -In the settings UI, the user will be presented with a QR code, a secret which -can be used instead of the QR code, and a field to enter a TOTP password -generated by the linked TOTP app. - -![Google Authenticator App](../images/totp/1.png) - -To complete the process, the Ory Session must be -[privileged](../concepts/session.mdx#privileged-session). Once set up, the -end-user can unlink the TOTP device if e.g. it is lost: - -![Google Authenticator App](../images/totp/2.png) - -### Writing E2E Tests for TOTP - -If you wish to write TOTP tests, take a look at -[how we solve E2E tests for TOTP](https://github.com/ory/kratos/blob/fc2cecfbeab811aa1a851f953b6bc2a4c119c412/test/e2e/cypress/integration/profiles/mfa/totp.spec.ts). - -## Lookup Secrets - -Lookup secrets are passwords generated by the server. These passwords can only -be used once, and the end-user typically downloads them, stores them in their -password manager, or writes them down. Lookup secrets are commonly used when the -end-user loses access to their TOTP or WebAuthn device! - -On your settings UI, this method could look as follows. First, the end-user -generates new lookup secrets. - -![Generating new recovery codes](../images/lookup-codes/1.png) - -![New recovery codes](../images/lookup-codes/2.png) - -The end-user must confirm these lookup secrets. This action requires a -[privileged Ory Session](../concepts/session.mdx#privileged-session) and the -user might be prompted to confirm the action by re-authenticating! - -![Generating new recovery codes](../images/lookup-codes/privileged.png) - -Once confirmed, the end-user can use these lookup secrets as a second factor! -When a code was used, - -![Used recovery code](../images/lookup-codes/3.png) - -:::warning - -The end-user must ensure to re-generate lookup secrets before all lookup secrets -have been used up! - -::: - -Lookup secrets are known by several names. Google for example calls them "Backup -Codes". Another common name is "2FA Recovery Codes". - -You can enable this method in your Ory Kratos config: - -```yaml title="kratos.config.yml" -selfservice: - methods: - lookup_secret: - enabled: true -``` - -## FIDO2 / U2F WebAuthn - -The Web Authentication Browser API (also known as WebAuthn) is a -[specification](https://w3c.github.io/webauthn/) written by the -[W3C](https://www.w3.org/) and [FIDO](https://fidoalliance.org/). The WebAuthn -API allows servers to register and authenticate users using public key -cryptography instead of a password. Common use cases for WebAuthn are - -- using a USB, NFC, or Bluetooth low energy device (e.g. - [YubiKey](https://www.yubico.com)) to authenticate -- using an Operating System "platform module" (e.g. TouchID, FaceID, Windows - Hello Face, Android Biometric Authentication, ...) - -:::info - -WebAuthN is a Browser standard. It does not work on native mobile apps! - -::: - -Configuring WebAuthn correctly is imperative, because the authentication will -fail if something is not configured correctly. - -```yaml title="kratos.config.yml" -selfservice: - flows: - methods: - webauthn: - enabled: true - config: - rp: - # This MUST be your top-level-domain - id: example.org - # This MUST be the exact URL of the page which will prompt for WebAuthn! - # Only the scheme (https / http), host (auth.example.org), and port (4455) are relevant. The - # path is irrelevant - origin: http://auth.example.org:4455 - # A display name which will be shown to the user on her/his device. - display_name: Ory -``` - -Once the end-user triggers the WebAuthn process, the browser will show a -WebAuthn prompt: - -![WebAuthn Prompt](../images/webauthn/1.png) - -:::info - -Please be aware that implementing WebAuthN in your own UI can be challenging, -depending on which framework to use. Please check our -[reference implementations](./custom-ui.mdx) to see how we solved it for -different app types (web, single page app). - -::: - -### Writing E2E Tests - -You will need a browser to run E2E tests using WebAuthn. Take a look at our -[E2E test for WebAuthn](https://github.com/ory/kratos/blob/fc2cecfbeab811aa1a851f953b6bc2a4c119c412/test/e2e/cypress/integration/profiles/mfa/webauthn.spec.ts) -for [Cypress](https://www.cypress.io). You can find more information about the -approach for Cypress in -[cypress#6991](https://github.com/cypress-io/cypress/issues/6991#issuecomment-612888645). - -## Build Your Own UI - -The major benefit of Ory Kratos is that you can bring your own login, -registration, account recovery, ... user-interface. You can write that -user-interface in any language or framework! We have -[reference UI implementations](../concepts/ui-user-interface.mdx) available to -help you get started! diff --git a/docs/versioned_docs/version-v/guides/account-activation-email-verification.mdx b/docs/versioned_docs/version-v/guides/account-activation-email-verification.mdx deleted file mode 100644 index 7e99580415d..00000000000 --- a/docs/versioned_docs/version-v/guides/account-activation-email-verification.mdx +++ /dev/null @@ -1,82 +0,0 @@ ---- -id: account-activation-email-verification -title: Setting up Account Activation and E-Mail Verification ---- - -## Mail courier - -To send emails, you need to [setup the mail courier](../concepts/email-sms.md) - -To set up email verification, your -[Identity Schema](../concepts/identity-schema.mdx) must have an email in its -traits and add - -```json -{ - "ory.sh/kratos": { - "verification": { - "via": "email" - } - } -} -``` - -to it, for example: - -```diff -{ - "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "type": "string", - "format": "email", - "title": "E-Mail", - "minLength": 3, -+ "ory.sh/kratos": { -+ "verification": { -+ "via": "email" -+ } -+ } - } - } - } - } -} -``` - -Email verification currently supports sending out a recovery link to an email -address. For this to work, you must have the courier SMTP connection configured -in your Ory Kratos Config File (`kratos serve -c /home/kratos/.kratos.yml`): - -```diff - # Ory Kratos Config File -+courier: -+ smtp: -+ connection_uri: smtps://username:password@smtp-server:1234/ - # ... -``` - -You also need to enable verification: - -```diff - selfservice: - flows: - # login ... - # registration... - -+ verification: -+ enabled: true -+ ui_url: http://127.0.0.1:4455/verification - - # ... -``` - -That all that's needed! For more information on implementing the UI and details -about the payloads, head over to the -[Email and Phone Verification and Account Activation Documentation](../self-service/flows/verify-email-account-activation.mdx)! diff --git a/docs/versioned_docs/version-v/guides/account-recovery-password-reset.mdx b/docs/versioned_docs/version-v/guides/account-recovery-password-reset.mdx deleted file mode 100644 index 8d4a1458123..00000000000 --- a/docs/versioned_docs/version-v/guides/account-recovery-password-reset.mdx +++ /dev/null @@ -1,85 +0,0 @@ ---- -id: account-recovery-password-reset -title: Setting up Account Recovery and Password Reset ---- - -To set up account recovery, your -[Identity Schema](../concepts/identity-schema.mdx) must have an email in its -traits and add - -```json -{ - "ory.sh/kratos": { - "recovery": { - "via": "email" - } - } -} -``` - -to it, for example: - -```diff -{ - "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "type": "string", - "format": "email", - "title": "E-Mail", - "minLength": 3, -+ "ory.sh/kratos": { -+ "recovery": { -+ "via": "email" -+ } -+ } - } - } - } - } -} -``` - -Account recovery currently supports sending out a recovery link to an email -address. For this to work, you must have the courier SMTP connection configured -in your Ory Kratos Config File (`kratos serve -c /home/kratos/.kratos.yml`): - -```diff - # Ory Kratos Config File -+courier: -+ smtp: -+ connection_uri: smtps://username:password@smtp-server:1234/ - # ... -``` - -You also need to enable account recovery and have the `link` method enabled: - -```diff - selfservice: - methods: - link: - # Defaults to true, so left out. If you explicitly want to disable this method, - # set the value to `false`. - # - # enabled: true - - flows: - # login ... - # registration... - -+ recovery: -+ enabled: true -+ ui_url: http://127.0.0.1:4455/recovery - - # ... -``` - -That all that's needed! For more information on implementing the UI and details -about the payloads, head over to the -[Account Recovery Documentation](../self-service/flows/account-recovery.mdx)! diff --git a/docs/versioned_docs/version-v/guides/configuring-cookies.mdx b/docs/versioned_docs/version-v/guides/configuring-cookies.mdx deleted file mode 100644 index a74a20ad50c..00000000000 --- a/docs/versioned_docs/version-v/guides/configuring-cookies.mdx +++ /dev/null @@ -1,69 +0,0 @@ ---- -id: configuring-cookies -title: Configuring Cookies ---- - -When working with cookies, keep the following in mind: - -1. HTTP Cookies **are not port specific**. If a cookie is set on - `https://mydomain.com:1234` it is also valid for `https://mydomain.com:4321` - and `https://mydomain.com`. -2. Unless `--dev` is set, Ory Kratos' cookies are only sent over HTTPS. -3. Cookies in Ory Kratos are always `httpOnly`. -4. It is possible to set a cookie for `mydomain.com` when the original request - was made to `subdomain.mydomain.com`. It is however not possible to set a - cookie for `anotherdomain.com` when the original request was made to - `mydomain.com`. See also - [this answer on StackOverflow](https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain). - -:::note - -Ory Kratos uses pass-by-value cookies whose values are encrypted using the -`secrets.default` / `secrets.cookie` secrets. If these secrets are changed -without doing proper [secret / key rotation](secret-key-rotation), all cookies -will be invalid which will cause users to be signed out, and other side effects. - -::: - -## Session Cookies - -CloudRun, Heroku, and other "serverless" solutions commonly expose services -directly to the public, and do not allow for fronting by a gateway or reverse -proxy. In those cases, your application architecture may separate services by -subdomain (e.g. `service1.myproduct.com`, `service2.myproduct.com`, -`service3.myproduct.com`, ...). - -If that is the case you can change the session -[cookie domain](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) and -path using the following configuration keys in your Ory Kratos configuration: - -```yaml title="path/to/kratos/config.yml -session: - cookie: - domain: myproduct.com -``` - -It is also possible to restrict the -[cookie path](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies): - -:::note - -It is very unlikely that you need to change this! - -::: - -```yaml title="path/to/kratos/config.yml -session: - cookie: - path: /some/sub-directory -``` - -You can also modify the new -[HTTP Cookie SameSite Attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) -using: - -```yaml title="path/to/kratos/config.yml -session: - cookie: - same_site: Lax -``` diff --git a/docs/versioned_docs/version-v/guides/custom-ui.mdx b/docs/versioned_docs/version-v/guides/custom-ui.mdx deleted file mode 100644 index 1501d9676e0..00000000000 --- a/docs/versioned_docs/version-v/guides/custom-ui.mdx +++ /dev/null @@ -1,41 +0,0 @@ ---- -id: custom-ui -title: Build Your Own UI ---- - -Ory Kratos is an HTTP API server and does not include a traditional HTML user -interface (rendering forms such as "Login" or "Registration") in its code base. - -:::info - -Please read the [User Interface concepts](../concepts/ui-user-interface.mdx) -before starting this journey! It contains many code and API examples and is a -useful starting point for anyone implementing their own UI! - -::: - -We provide several reference UI implementations which you can use to get started -quickly, or as the basis for your own UI: - -- [React Native Reference Implementation](https://github.com/ory/kratos-selfservice-ui-react-native) -- [NodeJS Reference Implementation](https://github.com/ory/kratos-selfservice-ui-node) -- [React / SPA Reference Implementation](https://github.com/ory/react-nextjs-example) - -Let's take a look at some individual examples! - -## React Native - -You can implement your own login, registration, account recovery, ... user -interface for Ory Kratos in React Native. Check out our in-depth -[Add Authentication to your React Native App](https://www.ory.sh/login-react-native-authentication-example-api/) -guide! - -## ExpressJS - -For now, please head over to our -[NodeJS Reference Implementation](https://github.com/ory/kratos-selfservice-ui-node). - -## ReactJS - -For now, please head over to our -[React / SPA Reference Implementation](https://github.com/ory/react-nextjs-example). diff --git a/docs/versioned_docs/version-v/guides/docker.md b/docs/versioned_docs/version-v/guides/docker.md deleted file mode 100644 index bacfa43d32a..00000000000 --- a/docs/versioned_docs/version-v/guides/docker.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -id: docker -title: Docker Images ---- - -## Supported tags and respective `Dockerfile` links - -- [`latest`, `v0.4.3-alpha.1`, `v0.4.3`, `v0.4`, `v0`](https://github.com/ory/kratos/blob/v0.4.3-alpha.1/.docker/Dockerfile) -- [`latest-sqlite`, `v0.4.3-alpha.1-sqlite`, `v0.4.3-sqlite`, `v0.4-sqlite`, `v0-sqlite`](https://github.com/ory/kratos/blob/v0.4.3-alpha.1/.docker/Dockerfile-sqlite) - -## Image Variants - -The `Kratos` Docker images come in two different flavors, one with and one -without SQLite support. All Docker images with the postfix -`kratos:-sqlite` in the tag are compiled with embed SQLite support and -uses libmusl. All Docker images (`kratos:`) without the postfix -`-sqlite` are compiled without SQLite support and therefore also don't include -libmusl. - -If you don't make use of the embedded SQLite support we recommend to use the -Docker images without SQLite support as they are smaller in size, include fewer -libraries and therefore have a smaller attack surface. - -## How to use these images - -In order to make the provided Docker images as useful as possible they can be -configured through a set of supported Environment variables. In addition the -default configuration directory can be bound to a directory of choice to make it -simple to pass in your own configuration files. - -### Environment Variables - -#### `DSN` - -This environment variable allows you to specify the database source name. As the -`DSN` normally consists of the url to the database system and the credentials to -access the database it is recommended to specify the `DSN` using a Environment -variable. - -**Example:** - -`docker run -e DSN="memory" oryd/kratos:latest` - -#### `SECRETS_DEFAULT` - -This environment variable allows you to specify the secret used to sign and -verify signatures and encrypt things: - -**Example:** - -`docker run -e SECRETS_DEFAULT="CHANGE-ME" oryd/kratos:v0.4.3-alpha.1` - -### Volumes - -The provided Kratos Docker images currently do not include a default -configuration file, but make it easy to pass in your own configuration file(s) -by either binding a local directory or by creating your own custom Docker Image -and adding the configuration file(s) to the custom image. - -#### Binding host directory - -**Example:** In this example we start the standard Docker container with SQLite -support and use the quickstart email-password example configuration files by -bind mounting the local directory. This example assumes that you checked out the -Kratos Git repo and execute the Docker command in the Kratos Git repo directory: - -``` -docker run -it -e DSN="memory" \ - --mount type=bind,source="$(pwd)"/contrib/quickstart/kratos/email-password,target=/home/ory \ - oryd/kratos:latest-sqlite -``` - -In general we only recommend this approach for local development. - -#### Creating custom Docker image - -You can create your own, custom Kratos Docker images which embeds your -configuration files by simply using the official Kratos Docker images as the -Base Image and just adding your configuration file(s) as shown in the example -below: - -```dockerfile -FROM oryd/kratos:latest -COPY contrib/quickstart/kratos/email-password/kratos.yml /home/ory -``` - -**Note that in both cases**, you must supply the location of the configuration -file using the `--config` flag when running the container. - -`$ docker run --config /home/ory/kratos.yml` - -### Examples - -Below you find different examples how to use the official Kratos Docker images. diff --git a/docs/versioned_docs/version-v/guides/e2e-integration-tests.mdx b/docs/versioned_docs/version-v/guides/e2e-integration-tests.mdx deleted file mode 100644 index 901b803b25d..00000000000 --- a/docs/versioned_docs/version-v/guides/e2e-integration-tests.mdx +++ /dev/null @@ -1,45 +0,0 @@ ---- -id: e2e-integration-tests -title: Writing End-To-End and Integration Tests ---- - -We run integration tests for both the -[NodeJS](https://github.com/ory/kratos-selfservice-ui-node) and -[React Native](https://github.com/ory/kratos-selfservice-ui-react-native) -reference implementation using [Cypress](https://www.cypress.io). You can find -the set up and source code for these tests in -[./test/e2e/run.sh](https://github.com/ory/kratos/blob/master/test/e2e/run.sh). -In principle, we start Ory Kratos with some configuration and an in-memory -database in the background - -```shell script -$ DSN=memory hydra serve -c ./path/to/config/kratos.yml --dev > "kratos.e2e.log" 2>&1 & -``` - -as well as our application in the background as well. Then, we start the Cypress -test runner which executes the different e2e tests. This works really well to -test compliance and integration of Ory Kratos. - -If you run Ory Kratos and your app on separate domains or ports you might want -to add - -```json -{ - "chromeWebSecurity": false -} -``` - -to your `cypress.json` config file. - -## Testing React Native on Web with Cypress - -If you want to test React Native (rendered as a web application) in Cypress, you -need to disable security features preventing browser from executing self-service -API flows. To do this, set the environment variable -`DEV_DISABLE_API_FLOW_ENFORCEMENT=1`: - -```shell script -$ DSN=memory \ - DEV_DISABLE_API_FLOW_ENFORCEMENT=true - hydra serve -c ./path/to/config/kratos.yml --dev > "kratos.e2e.log" 2>&1 &) -``` diff --git a/docs/versioned_docs/version-v/guides/high-availability-ha.md b/docs/versioned_docs/version-v/guides/high-availability-ha.md deleted file mode 100644 index d58ae5d9ecd..00000000000 --- a/docs/versioned_docs/version-v/guides/high-availability-ha.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -id: high-availability-ha -title: High Availability ---- - -This document explains how to set up Ory Kratos in for High Availability. - -# Horizontal Scaling - -Ory Kratos scales effortlessly to thousands of pods without any additional work! - -# Mail courier - -Ory Kratos processes emails by storing them in an email queue on your database -and running a mail courier worker to handle this queue. To avoid processing the -same email multiple times, only one instance of this mail courier should be run -at one time. For simple single-instance Kratos deployments, the courier can -simply be run as a background worker, but for multi-instance Kratos deployments, -it needs to be run a distinct singleton foreground worker. For setup details, -refer to the [Out of Band Communication guide](../concepts/email-sms.md). - -Ory Kratos does not have any special requirements when it comes to High -Availability as it does not manage state itself but instead relies on the SQL -database for that. - -It is therefore possible to use Ory Kratos with Auto-Scaling Groups (e.g. in -Kubernetes) without any additional configuration. diff --git a/docs/versioned_docs/version-v/guides/hosting-own-have-i-been-pwned-api.mdx b/docs/versioned_docs/version-v/guides/hosting-own-have-i-been-pwned-api.mdx deleted file mode 100644 index 96c34ad670d..00000000000 --- a/docs/versioned_docs/version-v/guides/hosting-own-have-i-been-pwned-api.mdx +++ /dev/null @@ -1,70 +0,0 @@ ---- -id: hosting-own-have-i-been-pwned-api -title: Hosting own Have I Been Pwned API ---- - -Ory Kratos uses the Have I Been Pwned (HiBP) API, with the k-anonymity flag, to -check if the password the user registers with has been a part of one of the -breaches documented by the HiBP project. - -In some environments, due to various CISO policies, it might be difficult to -establish egress connectivity to non-approved hosts. If it happens that your -Kratos operates in such an environment and it cannot communicate with the HiBP -API at haveibeenpwned.com, but there is the requirement to check if passwords -have been leaked, you can host the HiBP API yourself and configure Kratos to use -your own instance. - -To do so, configure Kratos to use your API: - -```yaml title="path/to/kratos/config.yml -selfservice: - methods: - password: - config: - haveibeenpwned_host: api.private.host -``` - -An example of a minimal self-hosted, k-anonymity enabled HiBP API -[can be found in this repository](https://github.com/radekg/hibp). - -Alternatively, this feature can be disabled altogether. Note however that by -doing so you will significantly decrease the security of the service and not -follow [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html): - -> When processing requests to establish and change memorized secrets, verifiers -> SHALL compare the prospective secrets against a list that contains values -> known to be commonly-used, expected, or compromised. For example, the list MAY -> include, but is not limited to: -> -> 1. Passwords obtained from previous breach corpuses. -> 2. Dictionary words. -> 3. Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’). -> 4. Context-specific words, such as the name of the service, the username, and -> derivatives thereof. -> -> If the chosen secret is found in the list, the CSP or verifier SHALL advise -> the subscriber that they need to select a different secret, SHALL provide the -> reason for rejection, and SHALL require the subscriber to choose a different -> value. - -Disabling the feature will effectively remove checks for the points 1.-3. The -feature can be disabled by setting the following configuration values: - -```yaml title="path/to/kratos/config.yml -selfservice: - methods: - password: - config: - haveibeenpwned_enabled: false -``` - -:::note - -Ory Kratos `haveibeenpwned_host` setting does not allow configuring the -respective CA chain at the moment but it **does require a TLS connection**. -Therefore your private HiBP API must use one of the trusted CAs of the -underlying operating system. - -A solution might be to host the HiBP API using a certificate issued by Let's -Encrypt certificate or install the private CA certificate in the trusted CA -certificates of the system on which Kratos is running. diff --git a/docs/versioned_docs/version-v/guides/https-tls.mdx b/docs/versioned_docs/version-v/guides/https-tls.mdx deleted file mode 100644 index 1e4f4671764..00000000000 --- a/docs/versioned_docs/version-v/guides/https-tls.mdx +++ /dev/null @@ -1,37 +0,0 @@ ---- -id: https-tls -title: Setting up HTTPS (TLS) ---- - -If you want to run ORY Hydra using self-signed TLS certificates, you can do the -following: - -``` -$ openssl genrsa -out key.pem 4096 -$ openssl req -new -x509 -sha256 -key key.pem -out cert.crt -days 365 - -$ SERVE_PUBLIC_TLS_CERT_BASE64=$(base64 -i cert.crt) -$ SERVE_PUBLIC_TLS_KEY_BASE64=$(base64 -i key.pem) -$ SERVE_ADMIN_TLS_CERT_BASE64=$(base64 -i cert.crt) -$ SERVE_ADMIN_TLS_KEY_BASE64=$(base64 -i key.pem) - -# or - -$ SERVE_PUBLIC_TLS_KEY_PATH=/path/to/key.pem -$ SERVE_PUBLIC_TLS_CERT_PATH=/path/to/cert.crt -$ SERVE_ADMIN_TLS_KEY_PATH=/path/to/key.pem -$ SERVE_ADMIN_TLS_CERT_PATH=/path/to/cert.crt -``` - -If you run Docker locally, you can then use - -``` -$ docker run ... \ - -e SERVE_PUBLIC_TLS_CERT_BASE64="$SERVE_PUBLIC_TLS_CERT_BASE64" \ - -e SERVE_PUBLIC_TLS_KEY_BASE64="$SERVE_PUBLIC_TLS_KEY_BASE64" \ - -e SERVE_ADMIN_TLS_CERT_BASE64="$SERVE_ADMIN_TLS_CERT_BASE64" \ - -e SERVE_ADMIN_TLS_KEY_BASE64="$SERVE_ADMIN_TLS_KEY_BASE64" \ - ... -``` - -or mount the files using `--mount` and linking to the files. diff --git a/docs/versioned_docs/version-v/guides/integration-with-other-systems-using-web-hooks.md b/docs/versioned_docs/version-v/guides/integration-with-other-systems-using-web-hooks.md deleted file mode 100644 index 829e6e5eb0e..00000000000 --- a/docs/versioned_docs/version-v/guides/integration-with-other-systems-using-web-hooks.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -id: integration-with-other-systems-using-web-hooks -title: Integration using Web-Hooks ---- - -Ory Kratos supports integration with other systems (e.g. ERP, Marketing, etc) -using Web-Hooks. - -### Mailchimp - -To send marketing email using [Mailchimp](https://mailchimp.com) upon -registration, add the following to your Ory Kratos config: - -```yaml title="path/to/my/kratos.config.yml" -selfservice: - flows: - registration: - after: - password: - hooks: - - hook: web_hook - config: - url: https://mandrillapp.com/api/1.0/messages/send - method: POST - body: /path/to/my/mandrillapp.jsonnet -``` - -And create a JsonNet file. Please be aware that Mailchimps' authentication -mechanism currently requires to save the Mailchimp key in the JsonNet. For other -systems you would be using the `web_hook`'s `auth` config. - -```jsonnet title="/path/to/my/mandrillapp.jsonnet" -function(ctx) { - key: "", - message: { - from_email: "hello@example.com", - subject: "Hello from Ory Kratos", - text: "Welcome to Ory Kratos", - to: [ - { - email: ctx.identity.verifiable_addresses[0].value, - type: "to" - } - ] - } -} -``` diff --git a/docs/versioned_docs/version-v/guides/login-session.mdx b/docs/versioned_docs/version-v/guides/login-session.mdx deleted file mode 100644 index 947b9322df1..00000000000 --- a/docs/versioned_docs/version-v/guides/login-session.mdx +++ /dev/null @@ -1,194 +0,0 @@ ---- -id: login-session -title: Configuring And Checking for Login Sessions ---- - -import CodeFromRemote from '@theme/CodeFromRemote' -import Tabs from '@theme/Tabs' -import TabItem from '@theme/TabItem' - -A login session is created when a user signs in. The session is stored as a -cookie or as a token, depending on the interaction type. - -## Login Session Configuration - -A session is valid for the session lifespan you specify in the Ory Kratos -config: - -```yaml title="path/to/kratos/config.yml -session: - lifespan: 720h # 30 days -``` - -Per default the session cookie has the `max-age` parameter set to the specified -session lifespan. You may disable this behavior by setting: - -```yaml title="path/to/kratos/config.yml -session: - cookie: - persistent: false -``` - -:::note - -The cookie `max-age` parameter behaves as follows: - -- The browser interprets the cookie to be removed when the session ends if - `max-age` is not set as part of the `Set-Cookie` header. A session ends if the - browser is terminated due to a reboot or when shutting down the browser. -- The browser keeps the cookie until `max-age` is reached otherwise. - -::: - -Once the lifespan is reached, the user needs to sign in again. - -## Checking for Login Sessions - -### Browser Client - -The easiest way to check if a user is signed in is to call the -`http(s):// - - -{' '} - - - - - - -If you have the session cookie available from another source you can also use -the `X-Session-Token` header: - -```js -app.get('/', function (req, res) { - // Cookies that have not been signed - const cookie = req.cookies['ory_kratos_session'] - - // Make a request and include the cookie in X-Session-Cookie - fetch( - 'https://playground.projects.oryapis.com/api/kratos/public/sessions/whoami', - { - headers: { 'X-Session-Cookie': cookie } - } - ) - .then((res) => res.json()) - .then((session) => console.log(session)) -}) -``` - -### API Client - -API clients receive and use Ory Kratos Session Tokens which can be checked by -calling the `/sessions/whoami` endpoint and including the Ory Kratos Session -Token as a bearer token in the HTTP Authorization Header: - -```shell script -$ sessionToken=oFZzgLpsacUpUy2cvQPtrGa2046WcXCR -$ curl -s -X POST -H "Accept: application/json" \ - -H "Authorization: Bearer $sessionToken" \ - # OR: \ - # -H "X-Session-Token: $sessionToken" \ - https://playground.projects.oryapis.com/api/kratos/public/sessions/whoami | jq - -{ - "id": "8f660ce3-69ec-4aeb-9fda-f9230dc3243f", - "active": true, - "expires_at": "2020-08-25T13:42:15.7411522Z", - "authenticated_at": "2020-08-24T13:42:15.7411522Z", - "issued_at": "2020-08-24T13:42:15.7412042Z", - "identity": { - "id": "bf32596a-f853-47c4-91e6-a3f41cf4949d", - "schema_id": "default", - "schema_url": "https://playground.projects.oryapis.com/api/kratos/public/schemas/default", - "traits": { - "email": "api@user.org", - "name": { - "last": "User", - "first": "API" - } - }, - "verifiable_addresses": [ - { - "id": "f877db6c-7dfb-45e3-bbeb-ac8349348128", - "value": "api@user.org", - "verified": false, - "via": "email", - "verified_at": null, - "expires_at": "2020-08-24T14:35:59.125873Z" - } - ], - "recovery_addresses": [ - { - "id": "065a908c-82be-4110-bf67-9910f36242b7", - "value": "api@user.org", - "via": "email" - } - ] - } -} -``` diff --git a/docs/versioned_docs/version-v/guides/multi-domain-cookies.mdx b/docs/versioned_docs/version-v/guides/multi-domain-cookies.mdx deleted file mode 100644 index 8ab71580624..00000000000 --- a/docs/versioned_docs/version-v/guides/multi-domain-cookies.mdx +++ /dev/null @@ -1,105 +0,0 @@ ---- -id: multi-domain-cookies -title: Advanced Base URL, CSRF & Session Cookie Settings ---- - -This document describes advanced strategies for multi-domain environments and -other scenarios. - -## Base URL - -The public base URL (`serve.public.base_url`) is used to compute redirect URLs, -form action URLs, and more. If you host Ory Kratos on more than one domain you -might want to enable the domain aliasing feature. This allows to register -additional base URLs. On incoming HTTP Requests, Ory Kratos checks the HTTP -`Host` Header and compares that to the list of domain aliases. - -```yaml title="path/to/kratos/config.yml -serve: - public: - base_url: https://this-is-the-default/base-url - domain_aliases: - - match_domain: www.another-domain.com - base_path: /kratos - scheme: https - - match_domain: that-domain.com - base_path: / - scheme: http -``` - -If a match is found, the value `serve.public.base_url` will be ignored and -instead the base URL is computed: - -``` -:// -``` - -Values ``, `` are set by the incoming HTTP request -and ``, ``, by the config: - -- Incoming request is to `https://www.another-domain.com:123/kratos/identities/` - so the result is `https://www.another-domain.com:123/kratos` -- Incoming request is to `http://www.another-domain.com/kratos/sessions/` so the - result is `http://www.another-domain.com/kratos` -- Incoming request is to `https://that-domain.com/identities/` so the result is - `https://that-domain.com/identities` - -## Cookies - -Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common -attack vectors and make the integration as easy as possible to use. Therefore it -is important to know that - -1. [HTTP Cookies ignore ports](https://stackoverflow.com/questions/1612177/are-http-cookies-port-specific), - meaning the browser will send a cookie it received for - `http://my-domain.com:1234` to `http://my-domain.com:4321` as well. -2. [Subdomains can set HTTP Cookies for parent domains](https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain), - meaning a HTTP Cookie specifying `domain=my-domain.com` will be allowed to - set even if the URL is `http://sub.my-domain.com` or - `http://sub.sub.my-domain.com`. - -You can adjust the session cookie's domain using: - -```yaml title="path/to/kratos/config.yml" -# Settings for both anti-CSRF and session cookies -cookies: - domain: www.cookies.com - path: /cookies - same_site: Lax - -session: - cookie: - # Overrides cookies.domain for session cookies - domain: my-domain.com - - # Overrides cookies.path for session cookies - path: / - - # Overrides cookies.samesite for session cookies - same_site: Strict - -serve: - public: - domain_aliases: - # When a request is coming from www.another-domain.com or that-domain.com, these these override: - # - # - session.cookie.domain and session.cookie.path for sessions - # - cookies.domain and cookies.path for anti-CSRF cookies - - - match_domain: www.another-domain.com - base_path: /kratos - - # The scheme has NO effect on the cookie `secure` flag! - # scheme: https - - - match_domain: that-domain.com - base_path: / - - # The scheme has NO effect on the cookie `secure` flag! - # scheme: http -``` - -What **is not** currently possible is to set up Ory Kratos in a way where you -get session cookies running on two separate top level domains (e.g. -`my-domain.com` and `another-domain.com`). This is tracked as -[kratos#662](https://github.com/ory/kratos/issues/662). diff --git a/docs/versioned_docs/version-v/guides/multi-tenancy-multitenant.md b/docs/versioned_docs/version-v/guides/multi-tenancy-multitenant.md deleted file mode 100644 index f5d7c2c0710..00000000000 --- a/docs/versioned_docs/version-v/guides/multi-tenancy-multitenant.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -id: multi-tenancy-multitenant -title: Multitenancy ---- - -Ory Kratos does not implement multi-tenancy in its application logic, but it is -possible to implement multi-tenancy with Ory Kratos! - -The recommended approach is to run one or more (depending on your scale) SQL -databases and create one database schema per tenant in these database instances. -So one PostgreSQL database instance could, for example, host 15000 tenants who -each have access to one schema. - -Ory Kratos itself should run as one instance per tenant with a configuration -tailored for that specific tenant. The minimum required change is using -different secrets and the tenant's DSN -(`postgresql://user:pass@.../tenant-123`). Because Ory Kratos is very -lightweight, the deployment overhead becomes negligible. - -While deployment complexity increases - but is addressable with e.g. -Kubernetes - this approach has several advantages: - -- Absolute isolation of tenants which implies: better security, better privacy, - more control. -- Easy sharding and partitioning because database schemas isolate tenants. -- No complexity in Ory Kratos' business logic and security defenses. diff --git a/docs/versioned_docs/version-v/guides/production.md b/docs/versioned_docs/version-v/guides/production.md deleted file mode 100644 index d37a0668003..00000000000 --- a/docs/versioned_docs/version-v/guides/production.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -id: production -title: Going to Production ---- - -:::warning - -This document is still in development. - -::: - -## Database - -Ory Kratos requires a production-grade database such as PostgreSQL, MySQL, -CockroachDB. Do not use SQLite in production! - -## Security - -When preparing for production it is paramount to omit the `--dev` flag from -`kratos serve`. - -### Admin API - -Never expose the Ory Kratos Admin API to the internet unsecured. Always require -authorization. A good practice is to not expose the Admin API at all to the -public internet and use a Zero Trust Networking Architecture within your -intranet. - -## Scaling - -There are no additional requirements for scaling Ory Kratos, just spin up -another container! diff --git a/docs/versioned_docs/version-v/guides/retrieve-social-sign-in-access-refresh-id-token.md b/docs/versioned_docs/version-v/guides/retrieve-social-sign-in-access-refresh-id-token.md deleted file mode 100644 index 1297202660e..00000000000 --- a/docs/versioned_docs/version-v/guides/retrieve-social-sign-in-access-refresh-id-token.md +++ /dev/null @@ -1,87 +0,0 @@ ---- -id: retrieve-social-sign-in-access-refresh-id-token -title: Get Access, Refresh, ID Tokens from Social Sign In Providers ---- - -This document describes how to retrieve OpenID Connect / OAuth 2.0 Access, -Refresh, and ID Tokens from Social Sign In at the `GET /identities` API. This -guide assumes that you have the `oidc` method enabled. - -:::note - -Please be aware that these tokens are only set when an identity sign ups with, -or links a new Social Sign In provider. They are not updated when an identity -signs in! - -::: - -```shell script -$ curl --request GET -sL \ - --header "Content-Type: application/json" \ - http://127.0.0.1:4434/identities/3ade335e-62e6-4abb-b190-6efd48e077fc?include_credential=oidc - -{ - "id": "714a9ddc-9fde-42ad-be42-784dfeadd098", - "credentials": { - "oidc": { - "type": "oidc", - "identifiers": [ - "google:some-user" - "github:another-user" - ], - "config": { - "providers": [ - { - "subject": "some-user", - "provider": "google", - "initial_access_token": "********************", - "initial_refresh_token": "********************", - "initial_id_token": "********************", - }, - { - "subject": "another-user", - "provider": "github", - "initial_access_token": "********************", - "initial_refresh_token": "********************", - "initial_id_token": "********************", - } - ] - }, - "created_at": "2021-10-08T12:17:18.834351+02:00", - "updated_at": "2021-10-08T12:17:18.834351+02:00" - } - }, - "schema_id": "default", - "schema_url": "http://localhost:61342/schemas/default", - "state": "active", - "state_changed_at": "2021-10-08T12:17:18.83324+02:00", - "traits": { - "subject": "foo.oidc@bar.com" - }, - "verifiable_addresses": [ - { - "id": "88da96df-0457-4d69-832d-5e70ef25055c", - "value": "foo.oidc@bar.com", - "verified": false, - "via": "", - "status": "", - "verified_at": null, - "created_at": "2021-10-08T12:17:18.83324+02:00", - "updated_at": "2021-10-08T12:17:18.834202+02:00" - } - ], - "created_at": "2021-10-08T12:17:18.834043+02:00", - "updated_at": "2021-10-08T12:17:18.834043+02:00" -} -``` - -## Encryption - -By default Access Token and Refresh Token are plaintext recorded -[Noop Cipher](setting-up-noop-cipher-parameters.mdx) - -For a tighter security aspect you could choose following cipher: - -- AES by following this [setup](setting-up-aes-cipher-parameters.mdx) -- XChaCha20 Poly1305 by following this - [setup](setting-up-xchacha-cipher-parameters.mdx) diff --git a/docs/versioned_docs/version-v/guides/secret-key-rotation.mdx b/docs/versioned_docs/version-v/guides/secret-key-rotation.mdx deleted file mode 100644 index fbaf512d495..00000000000 --- a/docs/versioned_docs/version-v/guides/secret-key-rotation.mdx +++ /dev/null @@ -1,42 +0,0 @@ ---- -id: secret-key-rotation -title: Secret and Key Rotation ---- - -Ory Kratos needs secrets that are used for encrypting, decrypting, generating -and validating signatures, and other cryptographic tasks. - -These secrets must have high entropy (>= 256 bit). It is also a good idea to -rotate the keys every now and then. Assuming you have the following secrets -configured - -```yaml title="path/to/kratos/config.yml -secrets: - default: - - old-default-secret - cookie: - - old-cookie-secret - cipher: - - old-32-long-secret-key -``` - -and want to rotate these secrets, you would add the new secrets to the top of -the list and keep the old secrets around. This allows the system to verify and -decrypt things that have been signed/encrypted with the old secret, while -generating new signatures and encrypting new things using the new secret: - -```yaml title="path/to/kratos/config.yml -secrets: - default: - - new-default-secret - - old-default-secret - cookie: - - new-cookie-secret - - old-cookie-secret - cipher: - - new-secret-key - - old-secret-key -``` - -The cipher secrets are use for now to encrypt and decrypt tokens from oidc -authentication method. diff --git a/docs/versioned_docs/version-v/guides/security-questions.mdx b/docs/versioned_docs/version-v/guides/security-questions.mdx deleted file mode 100644 index 47fd702bf3d..00000000000 --- a/docs/versioned_docs/version-v/guides/security-questions.mdx +++ /dev/null @@ -1,53 +0,0 @@ ---- -id: security-questions-best-practice -title: Choosing Security Questions ---- - -Security questions are currently not supported for this flow, but might be added -in a future version of Ory Kratos. - -This section contains an overview of picking the right security questions. -Another good resource is -[Choosing and Using Security Questions Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html). - -> One option is to allow the user to self-construct their own questions. The -> problem with this though is that you end up with either painfully obvious -> questions: -> -> - **What colour is the sky?** -> - **How do you spell “password”?** -> -> Questions which can put people in an uncomfortable position when a human uses -> the secret question for verification (such as in a call centre): -> -> **Who did I sleep with at the Christmas party?** -> -> When it comes to secret questions, people need to be saved from themselves! In -> other words, the site itself should define the secret question, or rather -> define a series of secret questions from which the user can choose. And not -> just choose one either; ideally, the user should define two or more secret -> questions at the time of account registration which can then be used as a -> second channel of identity verification. Having multiple questions adds a -> higher degree of confidence to the verification process plus gives you -> opportunity to add randomness (not always show the same question) plus -> provides a bit of redundancy should someone legitimate forget an answer. -> -> So what makes a good secret question? There are a few different factors: -> -> - It should be concise – the question is to the point and unambiguous -> - The answer is specific – you don’t want a question which could be answered -> in different ways by the same person -> - The possible answers must be diverse – a question about someone’s favourite -> colour would result in a small subset of possible answers -> - Answer discovery should be hard – if you can readily find the answer for -> anyone (think high-profile people) then it’s no good -> - The answer must be constant over time – asking for someone’s favourite movie -> may result in a different answer a year from now -> -> [Source](https://www.troyhunt.com/everything-you-ever-wanted-to-know/) - -Here are some good examples: - -- What was the first concert you ever went to and where? (e.g. "Pink Floyd at - Gotham City Stadium") -- ... diff --git a/docs/versioned_docs/version-v/guides/setting-up-aes-cipher-parameters.mdx b/docs/versioned_docs/version-v/guides/setting-up-aes-cipher-parameters.mdx deleted file mode 100644 index 900309f0455..00000000000 --- a/docs/versioned_docs/version-v/guides/setting-up-aes-cipher-parameters.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -id: setting-up-aes-cipher-parameters -title: Setting up AES Cipher algorithm ---- - -Ory Kratos supports encryption and decryption only for oidc token for now. This -section explain how to use and configure Kratos for using AES Cipher algorithm. - -The algorithm and secrets key must be set in the configuration. These -[secrets key rotation](secret-key-rotation) must be set and be a string of 32 -characters long. - -```yaml title="path/to/kratos/config.yml -secrets: - cipher: - - 32-LONG-SECRET-NOT-SECURE-AT-ALL -ciphers: - algorithm: aes -``` diff --git a/docs/versioned_docs/version-v/guides/setting-up-cors.mdx b/docs/versioned_docs/version-v/guides/setting-up-cors.mdx deleted file mode 100644 index 3bc2da3d75e..00000000000 --- a/docs/versioned_docs/version-v/guides/setting-up-cors.mdx +++ /dev/null @@ -1,33 +0,0 @@ ---- -id: setting-up-cors -title: Setting up Cross-origin resource sharing (CORS) ---- - -Ory Kratos' Public API supports CORS out of the box. A reference for this -configuration can be found in the -[Configuration Reference](../reference/configuration.md). - -For CORS to work properly, we encourage to set the following values: - -```yaml -serve: - public: - cors: - enabled: true - allowed_origins: - - https://example.org - - https://*.example.org - allowed_methods: - - POST - - GET - - PUT - - PATCH - - DELETE - allowed_headers: - - Authorization - - Cookie - - Content-Type - exposed_headers: - - Content-Type - - Set-Cookie -``` diff --git a/docs/versioned_docs/version-v/guides/setting-up-noop-cipher-parameters.mdx b/docs/versioned_docs/version-v/guides/setting-up-noop-cipher-parameters.mdx deleted file mode 100644 index 2809ba1c3ce..00000000000 --- a/docs/versioned_docs/version-v/guides/setting-up-noop-cipher-parameters.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -id: setting-up-noop-cipher-parameters -title: Setting up Noop Cipher algorithm ---- - -Ory Kratos supports encryption and decryption only for oidc token for now. Noop -is the default algorithm. - -This cipher does not use any type of algorithm and thus the secrets do not need -to be set - -``` -ciphers: - algorithm: noop -``` diff --git a/docs/versioned_docs/version-v/guides/setting-up-password-hashing-parameters.md b/docs/versioned_docs/version-v/guides/setting-up-password-hashing-parameters.md deleted file mode 100644 index a92b2bd7e52..00000000000 --- a/docs/versioned_docs/version-v/guides/setting-up-password-hashing-parameters.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -id: setting-up-password-hashing-parameters -title: Setting up Argon2 Password Hashing Parameters ---- - -Currently, Ory Kratos supports password hashing using Argon2 in the Argon2id -variant. It is important to set up it's parameters to ensure a stable and -reliable operation of Ory Kratos. In essence, you want to fulfill the following -constrains: - -1. Duration: the execution time of one hashing operation - this translates to - the response time of Ory Kratos on login and registration. -2. Memory: the amount of available memory on the server -3. Space: the amount of space for persistent storage - -We recommend choosing a duration of 0.5s to 1s and as much memory as possible. -To determine the exact recommended values following security best practices, run -the CLI helper included in Ory Kratos: - -``` -$ kratos hashers argon2 calibrate 1s -``` - -It will output the exact values to use in the -[configuration](../reference/configuration.md). - -Head to -[our blogpost](https://www.ory.sh/choose-recommended-argon2-parameters-password-hashing/) -about Argon2 parameters to learn how this command and password checking in Ory -Kratos works. - -If you encounter any problems like timeouts or out-of-memory errors, consolidate -our -[troubleshooting guide](../debug/performance-out-of-memory-password-hashing-argon2.md). diff --git a/docs/versioned_docs/version-v/guides/setting-up-xchacha-cipher-parameters.mdx b/docs/versioned_docs/version-v/guides/setting-up-xchacha-cipher-parameters.mdx deleted file mode 100644 index 71c4b6ff87c..00000000000 --- a/docs/versioned_docs/version-v/guides/setting-up-xchacha-cipher-parameters.mdx +++ /dev/null @@ -1,20 +0,0 @@ ---- -id: setting-up-xchacha-cipher-parameters -title: Setting up XChaCha20 Poly1305 Cipher algorithm ---- - -Ory Kratos supports encryption and decryption only for oidc token for now. This -section explain how to use and configure Kratos for using XChaCha20 Poly1305 -Cipher algorithm. - -The algorithm and secrets key must be set in the configuration. These -[secrets key rotation](secret-key-rotation) must be set and be a string of 32 -characters long. - -```yaml title="path/to/kratos/config.yml -secrets: - cipher: - - 32-LONG-SECRET-NOT-SECURE-AT-ALL -ciphers: - algorithm: xchacha20-poly1305 -``` diff --git a/docs/versioned_docs/version-v/guides/sign-in-with-github-google-facebook-linkedin.mdx b/docs/versioned_docs/version-v/guides/sign-in-with-github-google-facebook-linkedin.mdx deleted file mode 100644 index cc5491ef1ec..00000000000 --- a/docs/versioned_docs/version-v/guides/sign-in-with-github-google-facebook-linkedin.mdx +++ /dev/null @@ -1,1149 +0,0 @@ ---- -id: sign-in-with-github-google-facebook-linkedin -title: Sign in with GitHub, GitLab, Google, Facebook, LinkedIn, Microsoft ... ---- - -In this document we will take a look at setting up "Social Sign In" with -different providers using Ory Kratos. - -Run the [Quickstart](../quickstart.mdx) with Docker Compose: - -```shell script -# This assumes that you have Ory Kratos checked out locally and -# that your current directory ("pwd") is the folder where Ory Kratos -# is. - -$ make quickstart -``` - -:::info - -It is very important to add the "session" hook to the after oidc registration -hooks. Otherwise your users need to use the login flow again to be able to get a -session. - -```yaml title="path/to/my/kratos/config.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - flows: - registration: - after: - oidc: - hooks: - - hook: session -``` - -::: - -## Discord - -To set up "Sign in with Discord" you must create a -[Discord OAuth2 Application](https://discord.com/developers/docs/topics/oauth2). - -Set the "Redirect URI" to: - -``` -https://playground.projects.oryapis.com/api/kratos/public/self-service/methods/oidc/callback/discord -``` - -The pattern of this URL is: - -``` -http(s)://:/self-service/methods/oidc/callback/ -``` - -The provider ID must point to the provider's ID set in the Ory Kratos -configuration file (explained in further detail at -[OpenID Connect and OAuth2 Credentials](../concepts/credentials/openid-connect-oidc-oauth2.mdx)). - -:::note - -Discord does not implement OpenID Connect. Therefore, Ory Kratos makes a request -to -[Discord's User API](https://discord.com/developers/docs/resources/user#get-current-user) -and adds that data to `std.extVar('claims')`. However, not all fields are -supported. Check the list of supported fields -[in Kratos' source code](https://github.com/ory/kratos/blob/v0.5.1-alpha.1/selfservice/strategy/oidc/provider_discord.go#L81-L91). - -The `identify` scope will add following fields: - -```text -iss # always https://discord.com/api/v6/oauth2/ -sub # numeric discord user id -name # username + # + discriminator -nickname # username -preferred_username # username -picture # avatar url -locale # user locale -``` - -Additionally, the `email` scope will add: - -```text -email # user email -email_verified # whether email is verified -``` - -::: - -```json title="contrib/quickstart/kratos/email-password/oidc.discord.jsonnet" -local claims = { - email_verified: false -} + std.extVar('claims'); - -{ - identity: { - traits: { - // Allowing unverified email addresses enables account - // enumeration attacks, especially if the value is used for - // e.g. verification or as a password login identifier. - // - // Therefore we only return the email if it (a) exists and (b) is marked verified - // by Discord. - [if "email" in claims && claims.email_verified then "email" else null]: claims.email, - }, - }, -} -``` - -Now, enable the Discord provider in the Ory Kratos config located at -`/contrib/quickstart/kratos/email-password/kratos.yml`. - -```yaml title="contrib/quickstart/kratos/email-password/kratos.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - methods: - oidc: - enabled: true - config: - providers: - - id: discord # this is `` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET! - provider: discord - client_id: .... # Replace this with the OAuth2 Client ID provided by Discord - client_secret: .... # Replace this with the OAuth2 Client Secret provided by Discord - mapper_url: file:///etc/config/kratos/oidc.discord.jsonnet - scope: - - identify - - email -``` - -Discord is now an option to log in via Kratos. - -## Slack - -To set up "Sign in with Slack" you must create a -[Slack OAuth Application](https://api.slack.com/apps). - -Set the "Redirect URI" to: - -``` -https://playground.projects.oryapis.com/api/kratos/public/self-service/methods/oidc/callback/slack -``` - -The pattern of this URL is: - -``` -http(s)://:/self-service/methods/oidc/callback/ -``` - -The provider ID must point to the provider's ID set in the Ory Kratos -configuration file (explained in further detail at -[OpenID Connect and OAuth2 Credentials](../concepts/credentials/openid-connect-oidc-oauth2.mdx)). - -:::note - -Slack does not implement OpenID Connect. Therefore, Ory Kratos makes a request -to [Slack's Oauth2 API](https://api.slack.com/methods/users.identity) and adds -that data to `std.extVar('claims')`. However, not all fields are supported. -Check the list of supported fields -[in Kratos' source code](https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/provider_slack.go). - -The `identity.basic` scope will add following fields: - -```text -iss # always https://slack.com/oauth/ -sub # alphanumeric slack user id -name # username -nickname # username -preferred_username # username -team # team id slack user belongs to -``` - -Additionally, the `identity.email` scope will add: - -```text -email # user email -email_verified # always true -``` - -Additionally, the `identity.avatar` scope will add: - -```text -picture # user avatar (512x512px) -``` - -::: - -```json title="contrib/quickstart/kratos/email-password/oidc.discord.jsonnet" -local claims = { - email_verified: true -} + std.extVar('claims'); - -{ - identity: { - traits: { - // Allowing unverified email addresses enables account - // enumeration attacks, especially if the value is used for - // e.g. verification or as a password login identifier. - // - // It is assumed that Slack requires an email to be verified before accessible via OAuth (because they don't provide a email_verified field). - email: claims.email - }, - }, -} -``` - -Now, enable the Slack provider in the Ory Kratos config located at -`/contrib/quickstart/kratos/email-password/kratos.yml`. - -```yaml title="contrib/quickstart/kratos/email-password/kratos.yml" -# $ kratos -c path/to/my/kratos/config.yml serve -selfservice: - methods: - oidc: - enabled: true - config: - providers: - - id: slack # this is `` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET! - provider: slack - client_id: .... # Replace this with the OAuth2 Client ID provided by Slack - client_secret: .... # Replace this with the OAuth2 Client Secret provided by Slack - mapper_url: file:///etc/config/kratos/oidc.slack.jsonnet - scope: - - identity.basic - - identity.email -``` - -Slack is now an option to log in via Kratos. - -## GitHub - -