ORY Kratos implements self-service flows: flows that users perform themselves, as opposed to ones that require administrative intervention. Facebook and Google both provide self-service registration and profile management: you sign up yourself and make changes to your own profile.
Most believe that user management systems are easy to implement because picking the right password hashing algorithm and sending an account verification code is a solvable challenge. The real complexity, however, hides in the details and attack vectors of self-service flows. Most data leaks happen because someone is able to exploit
- registration: with attack vectors such as account enumeration, ...;
- login: phishing, account enumeration, leaked password databases, brute-force, ...;
- user settings: account enumeration, account takeover, ...;
- account recovery: social engineering attacks, account takeover, spoofing, and so on.
ORY Kratos applies best practices established by experts (National Institute of Sciences (NIST), Internet Engineering Task Force (IETF), Microsoft Research, Google Research, Troy Hunt, ...) and implements the following flows:
- Login and Registration
- User Settings
- Account Recovery
- Address Verification
- User-Facing Error
- 2FA / MFA
Some flows break down into strategies, each of which implements part of the flow's business logic:
- The `password` strategy implements the login and registration flow (with email/username and password), the account recovery flow ("reset your password"), and the user settings flow ("change your password").
- The `oidc` (OpenID Connect, OAuth2, Social Sign In) strategy implements the login and registration flow ("Sign in with ...") and the user settings flow ("un/link another social account").
- The `profile` strategy implements the settings flow ("update your profile", "change your first/last name", ...).
Some flows additionally implement the ability to run hooks which allow users to be immediately signed in after registration, notify another system on successful registration (e.g. Mailchimp), and so on.
- The browser makes an HTTP request to the flow's initialization endpoint (e.g. ...);
- The initialization endpoint processes the data, associates it with a request ID, and redirects the browser to the flow's configured UI URL (e.g. `selfservice.flows.login.ui_url`), appending the request ID as the `request` URL query parameter;
- The endpoint responsible for the UI URL uses the `request` URL query parameter (e.g. `http://my-app/auth/login?request=abcde`) to fetch the data previously associated with the request ID from either ORY Kratos's Public or Admin API;
- The UI endpoint renders the fetched data in any way it sees fit. The flow is typically completed by the browser making another request to one of ORY Kratos's endpoints, which is usually described in the fetched request data.
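As an added example (not code from the ORY Kratos project or from this page), here is a minimal Go handler for the UI URL step above: it reads the `request` query parameter, fetches the associated data and renders it, and sends the browser back to the flow's initialization endpoint whenever the ID is missing, malformed, unknown or expired. The initialization URL, the request payload shape and the ID pattern are assumptions, and the API lookup is injected so the handler can be exercised without a running Kratos.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"regexp"
)

// LoginRequest is a constructed stand-in for the data Kratos associates with a
// request ID; Action is where the browser submits the rendered form.
type LoginRequest struct {
	ID     string `json:"id"`
	Action string `json:"action"`
}
// Fetcher looks a request ID up via the Public or Admin API (injected so the
// handler runs without a live Kratos).
type Fetcher func(id string) (*LoginRequest, error)
// Assumed ID shape: reject anything unexpected before it reaches the API.
var requestIDRe = regexp.MustCompile(`^[A-Za-z0-9-]{1,64}$`)

// LoginUIHandler serves the flow's UI URL. initURL is the flow's initialization
// endpoint; a missing, malformed, unknown or expired ID restarts the flow there.
func LoginUIHandler(fetch Fetcher, initURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id := r.URL.Query().Get("request")
		if !requestIDRe.MatchString(id) {
			http.Redirect(w, r, initURL, http.StatusSeeOther)
			return
		}
		req, err := fetch(id)
		if err != nil { // expired or unknown: start over, reveal nothing
			http.Redirect(w, r, initURL, http.StatusSeeOther)
			return
		}
		// Rendering stand-in: a real UI builds an HTML form from this data.
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", "no-store")
		json.NewEncoder(w).Encode(req)
	}
}

// SampleFetcher knows exactly one constructed request, "abcde".
func SampleFetcher(id string) (*LoginRequest, error) {
	if id != "abcde" {
		return nil, errors.New("request not found or expired")
	}
	return &LoginRequest{ID: id, Action: "http://kratos.example/login?request=abcde"}, nil
}
```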