Version: v0.4

Hooks

Hooks execute logic after a flow (login, registration, settings, ...):

  • After login: is executed after a login was successful.
  • After registration: is executed when a registration was successful:
    • Before persisting: runs before the identity is saved in the database.
    • After persisting: runs after the identity was saved in the database.
  • After settings: is executed when a settings was successful:
    • Before persisting: runs before the identity is saved in the database.
    • After persisting: runs after the identity was saved in the database.

Login

After

path/to/my/kratos.config.yml
selfservice:
flows:
login:
after:
password:
- hook: revoke_active_sessions

revoke_active_sessions

The revoke_active_sessions will delete all active sessions for that user on successful login:

path/to/my/kratos.config.yml
selfservice:
flows:
login:
after:
<strategy>:
- hook: revoke_active_sessions
# can not be configured

Registration

Hooks running after successful user registration are defined per Self-Service Registration Strategy in ORY Kratos' configuration file.

After

path/to/my/kratos.config.yml
selfservice:
flows:
registration:
after:
oidc:
- hook: session
password:
- hook: session

session

Adding the session hook signs the user immediately in once the account has been created. It runs after the identity has been saved to the database.

info

Using this job as part of your post-registration workflow makes your system vulnerable to Account Enumeration Attacks because a threat agent can distinguish between existing and non-existing accounts by checking if Set-Cookie was sent as part of the registration response.

It sends a Set-Cookie header which contains the session cookie. To use it, you must first define one or more (for secret rotation) secrets. You can either choose to use the "default" secrets or the more specific "cookie" secrets. The other required config is setting the hook in after work flows:

path/to/my/kratos.config.yml
secrets:
cookie:
- something-super-secret # The first entry will be used to sign and verify session cookies
# All other entries will be used to verify session cookies that were signed before "something-super-secret" became
# the current signing secret.
- old-session-secret
- older-session-secret
- ancient-session-secret
selfservice:
flows:
registration:
after:
<strategy>:
- hook: session
# can not be configured

Settings

Hooks running after successfully updating user settings and are defined per Self-Service Settings Strategy in ORY Kratos' configuration file.

After

path/to/my/kratos.config.yml
selfservice:
flows:
settings:
after:

No hooks are available for this flow at the moment.

Last updated on by aeneasr