improve multi schema handling in different auth flows #765
Comments
|
Thank you for the write-up and sorry for the late response!
The problem here is that the user is allowed to pick the schema to their liking. Are they really an employee? Or do they just say they're one? When it comes to roles in a company (which the schema in this case would infer) it is very dangerous to leave that open. Generally though, I think it should be possible to set the schema for registration flows to something other than default. Would that maybe address your issue? Alternatively, we could probably offer an Admin API endpoint which initializes a new registration flow with the given schema ID. Then you would have a privileged backend service initializing the flow and setting the flow's schema ID to the value you want. |
|
I think it would make sense to modify the Admin API so that an authorised backend could choose a schema by supplying the |
|
Yup, that sounds the most reasonable to me as well! |
|
@aeneasr
Please correct me if I am wrong. By doing the above, we should technically be able to specify the schema for self-service registration flows right? If that is the case, then does this endpoint require modification? Since the above endpoint is public, I don't think it is secure to specify the schema ID as anyone can just change that and try to register using a different schema ID. Which is why, I think the following comment was made:
For example, I would like to implement a customer registration UI that automatically saves the customer information using the customer json schema instead of the default schema. |
|
I'd argue this should be "both". |
|
I also think there should be both because in our use case, we have two types of customers phone/password and email/password. We want to keep them separated as both have different roles to do. |
|
I am facing the same problem. Two different account types (so different schemas) - for simplicity, I would just call one of the account types a "business owner account" and the other "a customer account". Users are able to register as a regular customer or as a business owner. I was trying to find in the API spec if there is a way to initiate the registration flow with a non-default schema ID, but this doesn't seem to be possbile based on the information in this issue. Any advice? |
|
I am also trying to understand what is the best way to implement different roles, any idea or documentation? Also I need to populate the role into the claims to be used by other services like hasura |
|
Any updation in passing schemas id in registration flow instead of default schema . ? |
|
Yes, the design should be like this. When specifying identity schemas, one should be able to specify whether a schema can be used for registration (naming is just a suggestion): Then, during the init registration flow, it can be set as a query parameter: |
|
@aeneasr do you know if anyone is working on implementing this suggestion? |
|
Afaik not! |
|
@aeneasr Would you say this is something a first-time contributor can implement? I haven't touched the Kratos code base before, but will be willing to spend some time on this since it's important for the project I am working on |
|
Depends a bit on how well you know Go but if you do I think it should be doable. The most difficult part will be writing the tests most likely! |
|
Got it, I will give it a try, hope you don't mind me reaching out on Slack if I get stuck |
|
Of course :) |
|
Thanks for the reply @aeneasr |
|
@sijumoncy my understanding is that the suggestion from @aeneasr (I will let him correct me if I am wrong) will work the same way for both browser-based and API-based flows - a query parameter |
|
@nikist97 Did you end up starting on this? This is something that I would love to have working! |
|
@MJEND7 I have briefly looked through the code, but unfortunately didn't have the chance to actively work on it yet due to project re-prioritization. I was hoping to find the time to work on it this month, but if you have an urgent need feel free to pick it up instead of me |
|
Just providing a quick update here, I finally found some time to try to implement this feature and have an initial version; currently working on fixing existing tests and adding new ones @aeneasr hope you don't mind if I reach out here or on Slack in case I get stuck |
|
Unfortunately, this seems like a more complex feature than I originally expected since there's lots of logic in the code that assumes the default schema was used during registration. My suspicion is that the registration flow instance will need to be updated to store the chosen schema ID in order to be able to implement this (pending discussion with @aeneasr) |
|
Is there a document to read on what the schemas can be used for? Aside from the admin APIs, they don't seem to be used in any APIs? And what's the correlation with identifiers, can I have multiple identities that share the same email address, but use different schemas? |
|
Has progress been made by having different schemas work with login/registration flows? |
|
I'm also curious about progress on this issue. I'd love to see @aeneasr's approach implemented. |
|
What if, let's say I need two different registration (login) flows:
I.e. I allow the first case flows from internet with oathkeeper, while the second case flows are only allowed from internal network. |
|
Can I run a second instance of kratos with a different config (but the same db) as a workaround? |
|
@renom Yes you can run 2 Kratos point to same db. It might lead to complication in maintenance, but it works well. I used 2 Kratos instance, points to the same PostgreSQL database
These instances are containerised with Docker |
Is your feature request related to a problem? Please describe.
I came across an issue when spinning up kratos along with the oathkeeper proxy and selfservice-ui-node. I have defined multiple identity schemas in json inside the kratos config. One is for an “employee” user type and the second one for a “customer” user type. My issue is that I would like to be able to specify the schema when registering a new account from the selfservice endpoints or public API or anywhere else where I can create/edit a user.
The admin API seems to offer a
POST /identitieswhich allows you to sendschema_idin the request body which works, but there currently is no way to specify any credentials in this way (which makes sense and I think is already addressed in v0.5). Also when I create a new user via the selfservice-ui-node and check the created identity in the admin API withGET /identitiestheschema_idalways seems to be “default” since I cannot specify one in the selfservice flows. Only when using the previously mentioned admin API endpoint to create a user the schema is actually “employee” or “customer” instead of “default”.It would be awesome to have some way to distinguish between schemas and to use identity
schema_id's similar to how a "role" would work. Especially when having a SPA, it would be awesome to be able to restrict the UI according to theschema_idwhich is retrieved inside the response of theGET /session/whoamior in the JWT sub on the backend when using oathkeeper along with kratos. Additionally, I think it would be an improvement to actually set theschema_idinstead of "default" when creating a user with the current implementation through the selfservice registration flow.Describe the solution you'd like
Specify
schema_idin flows effecting identity creation/modification in some way to render proper traits/form inputs. Additionally, store the properschema_idinstead of "default", even when only 1 schema is specified in the config.Describe alternatives you've considered
None at the moment.
Additional context
This feature brings along some security concerns, since we wouldn't want to be able to let a user register with, let's say, an "admin" schema, without actually having the right to do so.
The text was updated successfully, but these errors were encountered: