Ory Network Project
No response
Describe the bug
I'm implementing an invitation flow by creating identities and then sending an admin initiated recovery link with the code method, as described here: https://www.ory.sh/docs/kratos/manage-identities/invite-users
After the users complete the recovery flow, their email address is still marked as unverified in identity_verifiable_addresses, which would prevent them from logging in when the require_verified_address hook is enabled.

Kratos currently has logic that prevents recovery code flows from marking the address as verified, but only if the flow is admin-initiated. See the link below.
https://github.com/ory/kratos/blame/122b63d68a3ff2ad78107300869c5a6d2aa43354/selfservice/strategy/code/strategy_recovery.go#L283
I think this could probably be removed entirely, or at least made configurable. Presuming that the recovery link and code were sent to the user via email out of band from Kratos, then the email address can be considered verified once the recovery flow has been completed.
By the way, this logic is the only place the RecoveryCodeTypeSelfService/RecoveryCodeTypeAdmin enum values are checked in the codebase, so if this logic is removed, recording those may also be redundant.
Reproducing the bug
Create and complete an admin-initiated recovery code flow, then observe that verified is false in identity_recovery_addresses.
Relevant log output
No response
Relevant configuration
No response
Version
v1.2.0-distroless
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response