Q: Is it possible to pass multiple system.secret values through the ENV, or do you have to use a config file for that?
A: Yes, you can set them as environmental variable, you just have to separate them using a
,. More info on these conventions in the documentation: Setting configuration values via environmental variables.
Q: We want to seperate our customers and employees, so we store them in different databases. But we would like to have them use the same login dialog for our portal. How can I achieve that with Ory Kratos?
A: You can deploy Ory Kratos two times, and use the same login UI pointing to two different Kratos login endpoints -
/login/employee, either by having two different login routes, or by adding some logic to your login UI that reroutes customers to
/login/customer and employees to
/login/employee. So you define the same login or registration UI URLs in both of the Kratos configurations. You may need to tell your login/registration UI which Kratos it is supposed to talk to. The instances are cheap to deploy and the databases are completely isolated from each other. For example something like
Q: Is the code audited by an independent entity and is there a bug bounty program?
A: We will do that when the APIs and core are stable. A bug bounty program is in the making but not done yet. If you are a security researcher and interested in working on Kratos, please reach out to firstname.lastname@example.org.
Q: What is the correct flow to sanitize the username and make sure it satisfies a specific regex (e.g. only alphanumeric characters)?
Q: I am currently trying to get the Kratos registration flow working on a react app that I am creating. I am having CORS issues with the completeSelfServiceRegistrationFlowWithPasswordMethod call when using the @oryd/kratos-client JS package.
A: You are using AJAX to submit the form. This is not supported right now. You need to submit a regular HTML form. Do not use AJAX. Do not use fetch. Let the user click the submit button and do not do anything. AJAX will be better supported starting Kratos v0.6.
Q: Is the ability to freeze certain identity fields after registration anywhere on the roadmap? Also I want read-only or hidden user-specific data. Can I use traits for that? Example: Some of our identity trait fields may be the subject to identity validation (know your customer). Once they are validated we do not allow the identity to be edited by the end-user.
A: Currently traits are visible to the user and also editable by them. It makes sense to have read-only and/or hidden traits for users, but we can not give an exact timing when this will be available. There is an open issue for this feature:Issue.
Q: Are there plans to provide hooks on registration/login/logouts/identity updates?
Q: How can I verify beforehand if a username is available during registration?
A: You can not right now. It would allow account enumeration attacks. See also the section in the documentation.
Q: Do have plans to support user migration scenarios similar to auth0 automatic migrations? E.g. configure a callback to the legacy system when you cannot find the corresponding user, and store the identity on successful legacy system response.
A: No plans yet, but migration is an important piece of the puzzle. We will focus on importing existing users first. An alternative to callback and custom code is fronting the legacy system with Ory Hydra (OAuth2/OIDC Server) and then using that as an upstream in Ory Kratos.
Q: Do you have protection or plans for brute force attacks i.e. repetitive login attempts? Leaked database scans?
A: See the following document: Ory Kratos Security Measures
Q: How do I append a random suffix e.g. a number to OIDC usernames if the username returned by a provider is already taken.
Q: I want to implement a single-page-app (SPA). Is this possible with Ory Kratos?
A: Yes, definitely. We do not have an example-app (yet). Also, you might not get around some page-reloads as you definitely should, as it is not possible to use the API flows in the browser. This is important to prevent CSRF attacks. So hopefully you are not too strict with your SPA. A sample app is being worked on here: Implement React SPA sample app.