This document walks you through administrative identity management in ORY Kratos. You should already be familiar with the Identity Data Model before reading this guide.
There are three principal flows supported for creating identities as an administrator:
- Inviting users - e.g. inviting a new employee to your organization's IT.
- Importing existing users - e.g. when migrating from another system to ORY Kratos.
- Creating machine users - e.g. creating Service Accounts.
As in the other guides, this guide assumes that ORY Kratos runs on 127.0.0.1:4433 (public endpoint) and 127.0.0.1:4434 (admin endpoint), which is the default when running the quickstart.
The goal of this flow is to create an identity and provide the end-user with a way of signing into the identity (account) and setting their password (or any other type of credential) for future logins. To achieve this, first create the identity and set its traits and schema:
Keep in mind that you can change the schema_id to reflect the schema you want to use for this user. Similarly, the trait key/values depend on your schema as well. The command shown does not create a password for the identity or any other type of credential. Instead, we will use another REST call to create a recovery link (here "invite link" is probably more appropriate, but the flow uses an account recovery link).
To create the account recovery link, use:
The response contains a recovery_link value, which is the link the user should use to set up his or her credentials (e.g. connect to a Social Sign In Provider, set up a password, ...). The user has only a limited amount of time to do so; the amount of time is specified in the ORY Kratos config:
If the user fails to set up his or her credentials in time, another recovery link needs to be issued and the user needs to go through the flow again.
It is currently not possible to send the recovery link directly to a user's email; this feature is tracked as #595.
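The two-step invite flow described above (create the identity, then issue an account recovery link for it) as a small Python client. This is an added example, not code from the ORY Kratos project; it assumes the quickstart admin endpoint at 127.0.0.1:4434 and the admin API paths /identities and /recovery/link, and it takes the HTTP transport as a parameter so the exchange can be exercised against constructed responses.

```python
import json
import urllib.request

# Assumption: ORY Kratos admin endpoint as in the quickstart.
ADMIN_URL = "http://127.0.0.1:4434"


def _post_json(url, payload):
    """Default transport: POST a JSON body to the admin API, return decoded JSON."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_identity(traits, schema_id="default", post=_post_json, admin_url=ADMIN_URL):
    """Step 1: create the identity with schema and traits only. No password or
    other credential is set here; the user sets one via the recovery link."""
    body = {"schema_id": schema_id, "traits": traits}
    identity = post(f"{admin_url}/identities", body)
    return identity["id"]


def create_recovery_link(identity_id, expires_in="12h", post=_post_json, admin_url=ADMIN_URL):
    """Step 2: issue the account recovery ("invite") link for that identity.
    The link is a bearer secret: whoever holds it can set the credentials, so
    hand it to the user over a channel you trust and keep expires_in short."""
    body = {"identity_id": identity_id, "expires_in": expires_in}
    resp = post(f"{admin_url}/recovery/link", body)
    return resp["recovery_link"], resp.get("expires_at")


def invite(traits, schema_id="default", expires_in="12h", post=_post_json, admin_url=ADMIN_URL):
    """Run both steps; returns (identity_id, recovery_link, expires_at)."""
    identity_id = create_identity(traits, schema_id, post, admin_url)
    link, expires_at = create_recovery_link(identity_id, expires_in, post, admin_url)
    return identity_id, link, expires_at


if __name__ == "__main__":
    # Constructed example trait; the email must match a trait in your schema.
    print(invite({"email": "new.employee@example.com"}))
```

If the link expires before the user completes the flow, call create_recovery_link again for the same identity_id; the identity itself does not need to be recreated.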
This feature is not implemented yet.
To enable recovery flows, make the following adjustments to your ORY Kratos configuration:
To specify that an identity's trait is a recovery email, use the following Identity JSON Schema:
For more detailed information and general guidelines on these flows, take a look at the Account Recovery and Password Reset section.