search

ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0
11.14k stars 955 forks source link

Support OTP login with SMS #3779

Open marcus-sa opened 7 months ago

marcus-sa commented 7 months ago

Preflight checklist

Ory Network Project

https://youthful-meninsky-8q4djabyct.projects.oryapis.com

Describe the bug

I'm trying to setup a passwordless phone registration flow. I've followed the docs and no matter what I do I get this error: credentials.code.via has unknown value "sms" when trying to send a SMS code. This is my identity schema:

{
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "phone": {
          "type": "string",
          "format": "tel",
          "title": "Phone number",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "code": {
                "identifier": true,
                "via": "sms"
              }
            },
            "verification": {
              "via": "sms"
            }
          }
        }
      },
      "required": [
        "phone"
      ],
      "additionalProperties": false
    }
  }
}

I've tried all sorts of combinations, but nothing works. Here's my identity config:

cookies:
  domain: youthful-meninsky-8q4djabyct.projects.oryapis.com
  path: /
  same_site: Lax
courier:
  channels:
    - id: sms
      request_config:
        auth:
          config:
            password: xxx
            user: xxx
          type: basic_auth
        body: https://storage.googleapis.com/bac-gcs-production/68dbe76c2f176b9bb0e10953d13c9d3fbf8c2baf240ee10304a9e84b78ade91c89bf7b110c88e9f06f682ff46ee9e7d70289a0a095597d8723ffbccc97838392.jsonnet
        headers:
          Content-Type: application/x-www-form-urlencoded
        method: POST
        url: xxx
      type: http
  smtp:
    from_name: Zap via Ory
  templates:
    login_code:
      valid:
        email:
          body: {}
        sms:
          body:
            plaintext: xxx
    recovery:
      invalid:
        email:
          body: {}
      valid:
        email:
          body: {}
    recovery_code:
      invalid:
        email:
          body: {}
      valid:
        email:
          body: {}
    registration_code:
      valid:
        email:
          body: {}
    verification:
      invalid:
        email:
          body: {}
      valid:
        email:
          body: {}
    verification_code:
      invalid:
        email:
          body: {}
      valid:
        email:
          body: {}
        sms:
          body:
            plaintext: xxx
feature_flags:
  cacheable_sessions: false
  use_continue_with_transitions: false
identity:
  default_schema_id: xxx
  schemas: []
oauth2_provider:
  override_return_to: true
organizations: []
preview:
  default_read_consistency_level: strong
selfservice:
  allowed_return_urls:
    - https://youthful-meninsky-8q4djabyct.projects.oryapis.com
    - /ui/consent
    - /ui/error
    - /ui/login
    - /ui/logout
    - /ui/recovery
    - /ui/registration
    - /ui/sessions
    - /ui/settings
    - /ui/verification
    - /ui/welcome
  default_browser_return_url: /ui/welcome
  flows:
    error:
      ui_url: /ui/error
    login:
      after:
        code:
          hooks: []
        hooks: []
        lookup_secret:
          hooks: []
        oidc:
          hooks: []
        password:
          hooks: []
        totp:
          hooks: []
        webauthn:
          hooks: []
      before:
        hooks: []
      lifespan: 30m0s
      ui_url: /ui/login
    logout:
      after: {}
    recovery:
      after:
        hooks: []
      before:
        hooks: []
      enabled: true
      lifespan: 30m0s
      notify_unknown_recipients: false
      ui_url: /ui/recovery
      use: code
    registration:
      after:
        code:
          hooks: []
        hooks: []
        oidc:
          hooks:
            - hook: session
        password:
          hooks:
            - hook: session
        webauthn:
          hooks:
            - hook: session
      before:
        hooks: []
      enabled: true
      lifespan: 30m0s
      login_hints: true
      ui_url: /ui/registration
    settings:
      after:
        hooks: []
        lookup_secret:
          hooks: []
        oidc:
          hooks: []
        password:
          hooks: []
        profile:
          hooks: []
        totp:
          hooks: []
        webauthn:
          hooks: []
      before:
        hooks: []
      lifespan: 30m0s
      privileged_session_max_age: 5m0s
      required_aal: highest_available
      ui_url: /ui/settings
    verification:
      after:
        hooks: []
      before:
        hooks: []
      enabled: true
      lifespan: 30m0s
      notify_unknown_recipients: false
      ui_url: /ui/verification
      use: code
  methods:
    code:
      config:
        lifespan: 15m0s
      enabled: true
      mfa_enabled: false
      passwordless_enabled: true
    link:
      config:
        base_url: ''
        lifespan: 15m0s
      enabled: true
    lookup_secret:
      enabled: true
    oidc:
      config:
        providers: []
      enabled: true
    password:
      config:
        haveibeenpwned_enabled: true
        identifier_similarity_check_enabled: true
        ignore_network_errors: true
        max_breaches: 1
        min_password_length: 8
      enabled: false
    profile:
      enabled: true
    totp:
      config:
        issuer: Zap
      enabled: true
    webauthn:
      config:
        passwordless: true
        rp:
          display_name: Zap
          id: youthful-meninsky-8q4djabyct.projects.oryapis.com
          origins:
            - https://youthful-meninsky-8q4djabyct.projects.oryapis.com
      enabled: true
serve:
  admin:
    base_url: https://youthful-meninsky-8q4djabyct.projects.oryapis.com/
    request_log:
      disable_for_health: true
  public:
    base_url: https://youthful-meninsky-8q4djabyct.projects.oryapis.com/
    cors:
      enabled: false
    request_log:
      disable_for_health: true
session:
  cookie:
    domain: youthful-meninsky-8q4djabyct.projects.oryapis.com
    name: xxx
    path: /
    persistent: true
    same_site: Strict
  lifespan: 72h0m0s
  whoami:
    required_aal: highest_available
    tokenizer:
      templates: {}

Reproducing the bug

https://youthful-meninsky-8q4djabyct.projects.oryapis.com/ui/registration

Use the identity schema and identity config above.

Relevant log output

No response

Relevant configuration

No response

Version

Cloud

On which operating system are you observing this issue?

None

In which environment are you deploying?

Ory Network

Additional Context

No response

OlegOLK commented 7 months ago

Up for that, had the same issue with cloud Ory.

jonas-jonas commented 7 months ago

Which docs are you referring to?

Plain registration and login doesn't work yet, you'll still need an email address. You can, however, verify the phone number and use it for MFA.

marcus-sa commented 7 months ago

Which docs are you referring to?

Plain registration and login doesn't work yet, you'll still need an email address. You can, however, verify the phone number and use it for MFA.

I find it very confusing that you can enable passwordless login, but you cannot login with a SMS code.

marcus-sa commented 7 months ago

Which docs are you referring to? Plain registration and login doesn't work yet, you'll still need an email address. You can, however, verify the phone number and use it for MFA.

I find it very confusing that you can enable passwordless login, but you cannot login with a SMS code.

I've spent countless hours trying to setup Kratos, so if the problem is that it's not supported, then I'll unfortunately have to use another IAM instead, unless you can give me an ETA for when it'll be supported.

marcus-sa commented 7 months ago

Which docs are you referring to?

Plain registration and login doesn't work yet, you'll still need an email address. You can, however, verify the phone number and use it for MFA.

According to the identity schema editor this is valid (and it's also not stated anywhere in the docs that it's not supported):

"code": {
  "identifier": true,
  "via": "sms"
}
OlegOLK commented 7 months ago

Hi @jonas-jonas , is there a way to do Auth without Email? Only phone number? Because on UI schema allow to set code:via = sms but when we are doing Sign Up - we got this strange error that value is not supported 'credentials.code.via has unknown value "sms"'

marcus-sa commented 7 months ago

@jonas-jonas sorry for spamming you, but I'm blocked until I know if it's something you're gonna support in the near future.

jonas-jonas commented 7 months ago

We're looking into it at the moment, but don't have a concrete timeline yet.

aeneasr commented 7 months ago

Hey, sorry to hear that you're blocked. I think Jonas was pretty clear when he said that that OTP login with SMS is not (yet) supported. We don't have a timeline for this feature at the moment as we don't have enough commercial demand for it.

lanphan commented 7 months ago

@aeneasr

AFAIK, SMS is not supported for "code" strategy, but it's already implemented for "password" strategy, is it correct? It means that, we can use Ory Kratos for a scenario to allow user to use phone number as a identifier, and use SMS to verify, then allow user to set password?