Version: v0.4

Self-Service Flows

ORY Kratos implements flows that users perform themselves, as opposed to flows that require administrative intervention. Facebook and Google both provide self-service registration and profile management: you can sign up yourself and make changes to your own profile.

Most believe that user management systems are easy to implement because picking the right password hashing algorithm and sending an account verification code is a solvable challenge. The real complexity, however, hides in the details and attack vectors of self-service flows. Most data leaks happen because someone is able to exploit:

  • registration: with attack vectors such as account enumeration, ...;
  • login: phishing, account enumeration, leaked password databases, brute-force, ...;
  • user settings: account enumeration, account takeover, ...;
  • account recovery: social engineering attacks, account takeover, spoofing, and so on.

ORY Kratos applies best practices established by experts (National Institute of Sciences NIST, Internet Engineering Task Force IETF, Microsoft Research, Google Research, Troy Hunt, ...) and implements the following flows:

Some flows break down into strategies which implement some of the flow's business logic:

Some flows additionally implement the ability to run hooks which allow users to be immediately signed in after registration, notify another system on successful registration (e.g. Mailchimp), and so on.

Network Flows for Browsers

All Self-Service Flows such as User Login, User Registration, Profile Management use the same template:

  1. The Browser makes an HTTP request to the flow's initialization endpoint (e.g. /auth/browser/login);
  2. The initialization endpoint processes data, associates it with a request ID, and redirects the browser to the flow's configured UI URL (e.g. selfservice.flows.login.ui_url), appending the request ID as the request URL query parameter;
  3. The endpoint responsible for the UI URL uses the request URL query parameter (e.g. http://my-app/auth/login?request=abcde) to fetch the data previously associated with the request ID from either ORY Kratos's Public or Admin API;
  4. The UI endpoint renders the fetched data in any way it sees fit. The flow is typically completed by the browser making another request to one of ORY Kratos' endpoints, which is usually described in the fetched request data.
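
The UI endpoint's side of steps 3 and 4, as an added example that is not ORY Kratos code: the request ID arrives in a URL the user controls, so it is validated before it reaches the API, and the form target is taken from the fetched data. Assumptions: the hosts and the fetch route are placeholders, and the ID character set and the `action` field name are hypothetical.

```javascript
// Added example, not ORY Kratos code. Hosts, the fetch route, the ID shape and
// the `action` field of the fetched data are assumptions for illustration.
const CONFIG = {
  initUrl: 'http://kratos.example/auth/browser/login', // step 1 endpoint, placeholder host
  fetchEndpoint: 'http://kratos-admin.example/PLACEHOLDER-REQUEST-DATA', // placeholder route
  allowedActionOrigin: 'http://kratos.example', // only origin the form may post to
};

// Assumed ID shape; tighten it to the format your deployment actually issues.
const REQUEST_ID = /^[A-Za-z0-9-]{1,64}$/;

// Step 3: turn the UI URL into either an upstream fetch URL or a flow restart.
function planFetch(uiUrl, config) {
  const values = new URL(uiUrl).searchParams.getAll('request');
  // Missing, repeated or malformed IDs restart the flow and never reach the API.
  if (values.length !== 1 || !REQUEST_ID.test(values[0])) {
    return { redirect: config.initUrl };
  }
  const upstream = new URL(config.fetchEndpoint);
  upstream.searchParams.set('request', values[0]); // encoded, never concatenated
  return { fetch: upstream.toString() };
}

// Step 4: decide what to render from the fetched data, not from the query string.
function planRender(status, data, config) {
  // Any non-200 answer (for example an unknown ID) restarts the flow.
  if (status !== 200 || !data) return { redirect: config.initUrl };
  let action;
  try {
    action = new URL(data.action);
  } catch (e) {
    return { redirect: config.initUrl };
  }
  // Defense in depth: the completing request must go back to Kratos only.
  if (action.origin !== config.allowedActionOrigin) return { redirect: config.initUrl };
  return { render: { formAction: action.toString() } };
}

// Glue: httpGet is injected (a fetch wrapper in production) so the logic runs offline.
async function handleUi(uiUrl, httpGet, config = CONFIG) {
  const plan = planFetch(uiUrl, config);
  if (plan.redirect) return plan;
  const { status, data } = await httpGet(plan.fetch);
  return planRender(status, data, config);
}
```

In a real handler, values from the fetched data must still be HTML-escaped by the template engine before they are written into the page.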