search

ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0
11.22k stars 960 forks source link

Phone verification not working #3799

Open blackshady opened 7 months ago

blackshady commented 7 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

When attempting to create a verification flow for phone numbers using the self-service API, despite configuring the kratos.yml file to utilize an SMS gateway for verification, the API still returns email attributes in the UI node instead of phone number attributes. This occurs even after following the documentation and configuring the system to use SMS verification. As a result, the intended functionality of phone number verification is not achieved.

Reproducing the bug

  1. Configure the kratos.yml file to use an SMS gateway for phone number verification.
  2. Attempt to create a verification flow for phone numbers using the API endpoint {{kratos_URL}}/self-service/verification/api.
  3. Observe that the UI node returns email attributes instead of phone number attributes.

Relevant log output

No response

Relevant configuration

Here is my `identity.schema.json` file
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/phone-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "name": {
          "type": "object",
          "required": [
            "last",
            "first"
          ],
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string"
            },
            "last": {
              "title": "Last Name",
              "type": "string"
            }
          }
        },
        "phone": {
          "type": "string",
          "format": "tel",
          "title": "Phone number",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "sms"
            }
          }
        }
      },
      "required": ["phone"],
      "additionalProperties": false
    }
  }
}

Version

v1.1.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker

Additional Context

No response

MichaelMarner commented 7 months ago

We have also run into this issue - it does not seem possible to create a verification flow for a phone number (our identity schema has both email and phone number traits).

Perhaps it's necessary to add a via=phone_number parameter or similar to the create verification flow API endpoint, which would allow apps to specify which trait to verify?

This is especially an issue because it is not possible to redirect to a verification flow from settings after setting the user's phone number for server-side rendered apps. From the docs:

Showing the verification form after a settings update is currently only supported on native or SPA clients.

https://www.ory.sh/docs/kratos/self-service/flows/user-settings#show-verification-form-after-updating-a-verifiable-address

aeneasr commented 1 month ago

Can you share what response you get and what response you would expect? Please base your work off of Ory Network, which is running the latest variant of Ory Kratos. We have recently made some improvements

sayoun commented 1 day ago

We had some difficulty to make the phone verification working for API flows, but it worked well in the end, even if the messages talks about "emails" and not "phone" it's still gets flagged as verified.

The main issue we had was this:

The setup is that we add a phone number trait to our identity through a settings flow, it will automatically trigger a verification flow, and the API response of the POST settings flow, contains this:

  "continue_with": [
    {
      "action": "show_verification_ui",
      "flow": {
        "id": "a59bf0f7-2825-4eba-ab2c-2d15fdec13b9",
        "verifiable_address": "<redacted>"
      }
    }
  ]

Now the fun part, if we submit the verification flow with the expected code using a POST on /self-service/verification it works fine :+1:

But if we make a GET request on the same route /self-service/verification, for example to retrieve nodes information to display on the UI, then it will update the verification flow in the database and reset the active_method field from code to default and then raise an error if we try to submit the verification flow with this message Could not find a strategy to verify your account with. Did you fill out the form correctly?, and this is because of this line 

    public.POST(RouteSubmitFlow, h.updateVerificationFlow)
    public.GET(RouteSubmitFlow, h.updateVerificationFlow)

the GET route calls the same handler as the POST route, so when you call it without any parameter the active_method is reset.

Maybe you dont have the same issue but hope this will help someone.

PS: I'm not sure about the purpose of this second GET route handler that uses the same handler as the POST route @aeneasr ?