Version: v0.4

User Profile Management

Before you start

Please read through the User Settings Documentation first.

The profile strategy allows a user to change their identity traits ("profile").

The updated traits must be valid against the Identity JSON Schema defined for its Identity Traits. If one or more fields do not validate (e.g. "Not an email"), the profile will not be updated.

ORY Kratos will prompt the user to re-authenticate if a privileged trait (e.g. email used to log in) is changed, similar to the GitHub sudo mode.

You can configure how long a session is "privileged" by setting:

path/to/kratos/config.yml
selfservice:
flows:
settings:
# Sessions older than a minute requires the user to sign in again before
# the password is changed.
privileged_session_max_age: 1m

This strategy does not implement any other flow.

Browser Clients

Redirecting the browser to the Self-Service Settings Endpoint initiates the flow.

The Settings Request Response Payload always includes a profile method:

$ curl http://<kratos-admin>/self-service/browser/flows/requests/settings?request=9c6473d4-9ffd-44cd-9794-adb82cbe4009
{
"id": "9c6473d4-9ffd-44cd-9794-adb82cbe4009",
"expires_at": "2020-05-02T16:06:08.131598Z",
"issued_at": "2020-05-02T15:06:08.131599Z",
"request_url": "http://127.0.0.1:4433/self-service/browser/flows/settings",
"active": "profile",
"methods": {
"profile": {
"method": "profile",
"config": {
"action": "http://127.0.0.1:4455/.ory/kratos/public/self-service/browser/flows/settings/strategies/profile?request=9c6473d4-9ffd-44cd-9794-adb82cbe4009",
"method": "POST",
"fields": [
{
"name": "csrf_token",
"type": "hidden",
"required": true,
"value": "HfvOBEv/D6PbXc89hsoEd0UMfZXKsvQXJzmXZJnq6BsBAwm8zbMKQF4LLZwRL67hPDlViB/qcJtu6yf+klIBeg=="
},
{
"name": "traits.email",
"type": "text",
"required": false,
"value": "xx0bdh@l7zkk8"
},
{
"name": "traits.website",
"type": "text",
"required": false,
"value": "http://github.com/aeneasr"
}
]
}
}
},
"identity": {
"id": "93548b1b-c8dc-4d3e-b19f-cfc6d812a8d0",
"schema_id": "default",
"traits": {
"email": "xx0bdh@l7zkk8",
"website": "http://github.com/aeneasr"
}
},
"update_successful": false
}

If the form validation fails, an error will be included:

$ curl http://<kratos-admin>/self-service/browser/flows/requests/settings?request=9c6473d4-9ffd-44cd-9794-adb82cbe4009
{
id: '9c6473d4-9ffd-44cd-9794-adb82cbe4009',
// expires_at, ...
active: 'profile', // <- this is now set!
methods: {
profile: {
method: 'profile',
config: {
// action, ...
fields: [
// csrf_token, ...
{
name: 'traits.website',
type: 'text',
required: false,
value: 'http://s',
messages: [
{
/* id, type */
text: 'length must be >= 10, but got 8'
}
]
}
]
}
}
},
// identity, ...
update_successful: false
}

A successful flow will be marked with:

$ curl http://<kratos-admin>/self-service/browser/flows/requests/settings?request=9c6473d4-9ffd-44cd-9794-adb82cbe4009
{
id: '9c6473d4-9ffd-44cd-9794-adb82cbe4009',
// expires_at, active, methods, ...
update_successful: true
}

API Clients

API-based login and registration using this strategy will be addressed in a future release of ORY Kratos.

Security

Account Enumeration Defenses (work in progress)

This feature is a work in progress and is tracked as kratos#133.

Account Takeover Defenses

The Settings flow implements account takeover defenses as it is not possible to change the password without knowing the existing password. A good example of this flow is the GitHub sudo mode.

Last updated on by aeneasr