The issue is with the kratos registration API with the password flow. When kratos is running behind an nginx ingress, upon registration of a user it returns `502 Bad Gateway`, but in the kratos logs I can see the user was registered successfully. Also, I can use that user to log in.
`ignore_network_errors: true` does not work as expected.
When we deploy kratos, by default `haveibeenpwned_enabled: true` is enabled and `ignore_network_errors` is set to `true`. So if kratos isn't able to reach the haveibeenpwned API or an SSL error is thrown, kratos will ignore the error and the user will be able to register successfully, but it doesn't send the user any response. If kratos was running behind a proxy, that proxy will return `502 Bad Gateway`, or if you've made the request directly to the kratos POD/SVC it would just break the connection and the user would see `EMPTY reply from the server`, even though the user was registered successfully.
### Reproducing the bug
Deploy kratos using the default config, where `ignore_network_errors: true` and `haveibeenpwned_enabled: true`.
Then, depending on your deployment, just stop the external request from the deployment to the haveibeenpwned host. If running locally, maybe an entry in the `/etc/hosts` file.
And then try to register a new user.
This bug is in all versions, I haven't checked beta though.
### Relevant configuration
_No response_
### Version
all versions
### On which operating system are you observing this issue?
Other
### In which environment are you deploying?
Kubernetes with Helm
### Additional Context
_No response_
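
The fail-open behaviour the report expects from `ignore_network_errors: true`, sketched as an added Go example (not Kratos code and not part of the original issue): a k-anonymity lookup against a haveibeenpwned-style range endpoint in which every failure path returns a definite result, so the caller can always write a response. The `Checker` type, its fields, `ErrBreached` and `onFailure` are hypothetical names; the `/range/<prefix>` endpoint with `SUFFIX:COUNT` lines follows the Pwned Passwords range API.

```go
package main

import (
	"crypto/sha1"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

var ErrBreached = errors.New("password found in data breaches")
// Checker is a hypothetical breach lookup written for this example, not Kratos code.
type Checker struct {
	Host                string // base URL of the range API (assumed field name)
	IgnoreNetworkErrors bool   // fail open when the lookup cannot be completed
	Client              *http.Client
}

// Check returns nil (allowed), ErrBreached, or the lookup error when failing closed.
func (c Checker) Check(password string) error {
	sum := strings.ToUpper(fmt.Sprintf("%x", sha1.Sum([]byte(password))))
	resp, err := c.Client.Get(c.Host + "/range/" + sum[:5]) // only 5 hex chars are sent
	if err != nil {
		return c.onFailure(err) // DNS, TLS, refused connection, timeout
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil || resp.StatusCode != http.StatusOK {
		return c.onFailure(fmt.Errorf("status %d, read error %v", resp.StatusCode, err))
	}
	if strings.Contains(string(body), sum[5:]+":") { // lines are SUFFIX:COUNT
		return ErrBreached
	}
	return nil
}

// onFailure is the one place the fail-open or fail-closed decision is made.
func (c Checker) onFailure(err error) error {
	if c.IgnoreNetworkErrors {
		return nil
	}
	return fmt.Errorf("breach lookup failed: %w", err)
}

func main() { // constructed input: unreachable host, constructed password
	c := Checker{Host: "http://127.0.0.1:1", IgnoreNetworkErrors: true, Client: &http.Client{Timeout: 2 * time.Second}}
	fmt.Println("fail-open result:", c.Check("constructed-example-password"))
}
```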