ory / kratos

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!
https://www.ory.sh/kratos/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Configuring some hooks via env vars does not work #1792

Closed DeppLearning closed 2 years ago

DeppLearning commented 2 years ago

Describe the bug

Some selfservice hooks do not work as expected. I'm using docker-compose.

Reproducing the bug

  1. In a docker-compose file, set: SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS=[require_verified_address,revoke_active_sessions]. I tried without the brackets and various other notations (various combinations of quotes/no-quotes and brackets/no-brackets). Those tend to make it worse.
  2. Start the kratos service.
  3. Observe crashing kratos and error msg.

Server logs

The configuration contains values or keys which are invalid:
selfservice.flows.login.after: map[password:map[default_browser_return_url:http://127.0.0.1:4455 hooks:require_verified_address,revoke_active_sessions]]
                               ^-- doesn't validate with "#/definitions/selfServiceAfterLogin"

The configuration contains values or keys which are invalid:
selfservice.flows.login.after.password: map[default_browser_return_url:http://127.0.0.1:4455 hooks:require_verified_address,revoke_active_sessions]
                                        ^-- doesn't validate with "#/definitions/selfServiceAfterPasswordLoginMethod"

The configuration contains values or keys which are invalid:
selfservice.flows.login.after.password.hooks: require_verified_address,revoke_active_sessions
                                              ^-- expected array, but got string

{"audience":"application","error":{"message":"I[#/selfservice/flows/login/after] S[#/properties/selfservice/properties/flows/properties/login/properties/after/$ref] doesn't validate with \"#/definitions/selfServiceAfterLogin\"\n  I[#/selfservice/flows/login/after/password] S[#/definitions/selfServiceAfterLogin/properties/password/$ref] doesn't validate with \"#/definitions/selfServiceAfterPasswordLoginMethod\"\n    I[#/selfservice/flows/login/after/password/hooks] S[#/definitions/selfServiceAfterPasswordLoginMethod/properties/hooks/type] expected array, but got string"},"level":"fatal","msg":"Unable to instantiate configuration.","service_name":"Ory Kratos","service_version":"v0.7.6-alpha.1","time":"2021-09-27T22:37:34Z"}

Server configuration

Expected behavior

I expected kratos to start normally and accept the hook

Environment

Additional context

This might be a duplicate of https://github.com/ory/kratos/issues/1535. I am using quite a number of kratos env vars for configuration; this is the only var I cannot currently set without a config file, though.

zepatrik commented 2 years ago

This is indeed related to #1535. Was it not possible to use the raw JSON representation for the whole array?

DeppLearning commented 2 years ago

Not entirely sure what you mean. I tried different ones, including:

"[item_1,item_2]"

'["item_1", "item_2"]'

`["item_1", "item_2"]`

[item_1,item_2]

item_1,item_2
item_1, item_2

I even tried whether there is a SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD (without hooks) where I could input a JSON like this:

["hooks": [item_1, item_2], "return_url": "..."]

Is there something else I could try?

zepatrik commented 2 years ago

According to the config schema, selfservice.flows.login.after.password.hooks is an array of objects. So the correct JSON representation would be

[
  {"hook": "require_verified_address"},
  {"hook": "revoke_active_sessions"}
]

because a hook can also have a config, e.g. https://github.com/ory/kratos/blob/dd6a06f0ae4644f835c470f56798daaee10ac9f5/driver/config/.schema/config.schema.json#L156-L219

DeppLearning commented 2 years ago

Thanks a lot for your help. I tried these alternatives in my docker compose file:

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS=[{"hook":"require_verified_address"},{"hook":"revoke_active_sessions"}]

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS='[{"hook":"require_verified_address"},{"hook":"revoke_active_sessions"}]'

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS={"hook":"require_verified_address"},{"hook":"revoke_active_sessions"}

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS=[{\"hook\":\"require_verified_address\"},{\"hook\":\"revoke_active_sessions\"}]

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS={\"hook\":\"require_verified_address\"},{\"hook\":\"revoke_active_sessions\"}

Same error message as before, though. Btw, I don't really need the revoke_active_sessions hook for now, so if a valid setup exists with only one hook that gets around the array problem, that would help a lot too :)

zepatrik commented 2 years ago

The only workaround will be to use a config file then...

OskarsPakers commented 4 months ago

Just for the reference, the correct answer is:

SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS_0_HOOK=require_verified_address
SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS_1_HOOK=revoke_active_sessions
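
The following is an added example, not part of the thread and not Ory's code: it takes the JSON hooks array from the schema explanation above, rejects the bare-string forms that were tried earlier, and emits the indexed variables from the last comment. The naming rule (path segments and list indices joined with `_` and upper-cased) is inferred from that comment and extended to nested hook `config` objects as an assumption; `flatten` and `hooks_to_env` are hypothetical helper names.

```python
import json

# Config key and JSON value as given in the thread.
CONFIG_KEY = "selfservice.flows.login.after.password.hooks"
HOOKS_JSON = '[{"hook": "require_verified_address"}, {"hook": "revoke_active_sessions"}]'


def flatten(prefix, value):
    """Flatten nested config into {ENV_NAME: value}.

    Assumption: every path segment, list indices included, is joined with
    "_" and upper-cased, as in the two variables in the last comment.
    """
    if isinstance(value, dict):
        items = [(str(k).upper(), v) for k, v in value.items()]
    elif isinstance(value, list):
        items = [(str(i), v) for i, v in enumerate(value)]
    else:
        # Scalars: strings verbatim, other JSON types in JSON spelling (assumption).
        return {prefix: value if isinstance(value, str) else json.dumps(value)}
    out = {}
    for segment, child in items:
        out.update(flatten(f"{prefix}_{segment}", child))
    return out


def hooks_to_env(config_key, hooks_json):
    """Validate a hooks array and return its indexed NAME=value assignments."""
    hooks = json.loads(hooks_json)
    if not isinstance(hooks, list):
        raise ValueError("hooks must be a JSON array")
    for i, item in enumerate(hooks):
        # The schema quoted in the thread wants objects, not bare hook names.
        if not isinstance(item, dict) or not isinstance(item.get("hook"), str):
            raise ValueError(f"hooks[{i}] must be an object with a string 'hook' key")
    env = flatten(config_key.replace(".", "_").upper(), hooks)
    return [f"{name}={val}" for name, val in env.items()]


if __name__ == "__main__":
    for line in hooks_to_env(CONFIG_KEY, HOOKS_JSON):
        print(line)
```
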