ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Send invite links directly via email #595

Open aeneasr opened 4 years ago

aeneasr commented 4 years ago

Is your feature request related to a problem? Please describe.

It is currently not possible to send invite links directly to the user via email. Instead, the admin creates the link and somehow (email, sms, whatsapp) sends it to the user.

Describe the solution you'd like

It should be possible to make it easier for the administrator to send the link via email directly.

oliverpool commented 3 years ago

Do you have any recommendation on how to implement this?

Should a new endpoint be added?

Or simply a new optional SendEmailTo parameter to the link.CreateRecoveryLink struct. If not empty, an email will be sent to this address with the recovery link?

aeneasr commented 3 years ago

I think something along those lines would be acceptable! One question though is if the admin can choose the email, or if the recovery email in the DB is used instead 🤔

oliverpool commented 3 years ago

I would let the admin choose the email.

If the admin knows the UUID, then it is trivial for him to get the email.

And I think there is no guarantee that the user has an email associated (logging with username for instance?)

aeneasr commented 3 years ago

That's true - another concern though is that the admin "fatfingers" the email, which could send the recovery to the wrong person. Or, a social engineering attack tricking the service desk into sending someone else the recovery link?

oliverpool commented 3 years ago

service desk

Since Kratos is without UI, I think this is out of the scope of Kratos.

For instance, as an admin, I expect to be able to change the email of a user (if this user lost access to their email address), which could also lead to a "fatfinger" or social engineering attack.

Anyway it would be much better than the current solution (retrieve the link and send it with my private e-mail), which may leak the recovery link in undesirable places (my "sent" folder for instance).

aeneasr commented 3 years ago

It's not out of scope in my opinion. Ory Kratos' job is to offer reliable and secure methods to manage and secure identities.

We could have two functional endpoints or methods. One initiates sending the link to the user’s recovery address and the other allows overriding the email. We could also distinguish this using the POST body (e.g. email is not set -> use recovery address; email is set -> use override).

What do you think?

oliverpool commented 3 years ago

One initiates sending the link to the user’s recovery address

I guess that the self-service endpoint already covers this use case, no? https://www.ory.sh/kratos/docs/next/self-service/flows/account-recovery

aeneasr commented 3 years ago

Yes, but sometimes you might not have this feature enabled for self-service

oliverpool commented 3 years ago

Ok, fair enough.

I would be willing to take a look at adding the SendEmailTo optional field in the current endpoint.

Do you have any specific guidance on the implementation?

aeneasr commented 3 years ago

Not off the top of my head - if you need some code pointers happy to provide them!

lbanders commented 2 years ago

Any news on this?

I had the impression that, once I created the user through the admin API, I would then have Kratos send out an email when I started the recovery through the admin API - i.e., the create link call would send the recovery link (provided an email was added, of course) instead of simply returning the link.

Maybe it could be an option on the create link admin endpoint?

kszafran commented 2 years ago

In my opinion it could also be an option when an identity is created through the admin API.

kszafran commented 2 years ago

In our case administrators create new accounts. This is implemented with the Admin API. Currently we just start the recovery flow in the backend to send "invite" emails to new users. The problem is that we can't have two different email templates for recovery and for invites.

benwerner01 commented 2 years ago

The problem is that we can't have two different email templates for recovery and for invites.

@kszafran as a potential workaround, instead of starting the recovery flow could you use the admin API to generate the recovery link?

This would let you email the link to the user in a custom template for invitations, without affecting the default recovery flow email template.
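The workaround suggested above, and the "fatfinger" / wrong-recipient concern raised earlier in the thread, as an added example that is not code from the Kratos project or from anyone in this issue. It assumes the admin API shape documented by Ory (`POST /admin/recovery/link` taking `identity_id` and `expires_in`, returning `recovery_link` and `expires_at`; `GET /admin/identities/{id}` returning `recovery_addresses` with `value` and `via`) and stands in a constructed `httptest` server for Kratos so it runs offline. The invite is only rendered with a custom template and handed to your own mail sender after the typed recipient is checked against the identity's stored recovery addresses, so the link is never pasted into a personal mailbox:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"text/template"
	"time"
)

// RecoveryLink mirrors the documented response of POST /admin/recovery/link.
type RecoveryLink struct {
	RecoveryLink string    `json:"recovery_link"`
	ExpiresAt    time.Time `json:"expires_at"`
}

// CreateRecoveryLink asks the Kratos admin API (base URL adminURL, e.g. the
// admin port) for a recovery link for identityID valid for expiresIn (e.g. "1h").
func CreateRecoveryLink(client *http.Client, adminURL, identityID, expiresIn string) (*RecoveryLink, error) {
	body, _ := json.Marshal(map[string]string{"identity_id": identityID, "expires_in": expiresIn})
	resp, err := client.Post(adminURL+"/admin/recovery/link", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("kratos admin API returned %d: %s", resp.StatusCode, raw)
	}
	return ParseRecoveryLink(raw)
}

// ParseRecoveryLink decodes the admin API response and rejects a body without a link.
func ParseRecoveryLink(raw []byte) (*RecoveryLink, error) {
	var rl RecoveryLink
	if err := json.Unmarshal(raw, &rl); err != nil {
		return nil, err
	}
	if rl.RecoveryLink == "" {
		return nil, fmt.Errorf("response has no recovery_link")
	}
	return &rl, nil
}

// RecipientIsRecoveryAddress guards against a mistyped or socially engineered
// recipient: the invite only goes to an email address Kratos already stores as
// a recovery address of that identity (identityJSON is GET /admin/identities/{id}).
func RecipientIsRecoveryAddress(identityJSON []byte, recipient string) (bool, error) {
	var id struct {
		RecoveryAddresses []struct {
			Value string `json:"value"`
			Via   string `json:"via"`
		} `json:"recovery_addresses"`
	}
	if err := json.Unmarshal(identityJSON, &id); err != nil {
		return false, err
	}
	for _, a := range id.RecoveryAddresses {
		if a.Via == "email" && strings.EqualFold(strings.TrimSpace(a.Value), strings.TrimSpace(recipient)) {
			return true, nil
		}
	}
	return false, nil
}

// Invite-specific wording that the single Kratos recovery template cannot carry.
var inviteTmpl = template.Must(template.New("invite").Parse(
	"Subject: You have been invited\n\nWelcome! Set your password here: {{.Link}}\nThis link expires at {{.Expires}}.\n"))

// RenderInviteEmail produces the message your own mail sender delivers.
func RenderInviteEmail(rl *RecoveryLink) (string, error) {
	var buf bytes.Buffer
	err := inviteTmpl.Execute(&buf, map[string]string{
		"Link": rl.RecoveryLink, "Expires": rl.ExpiresAt.UTC().Format(time.RFC3339),
	})
	return buf.String(), err
}

func main() {
	// Constructed stand-in for the Kratos admin API so the example runs offline.
	fake := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method == http.MethodPost && r.URL.Path == "/admin/recovery/link":
			fmt.Fprint(w, `{"recovery_link":"https://auth.example.test/self-service/recovery?token=CONSTRUCTED","expires_at":"2030-01-01T00:00:00Z"}`)
		case r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/admin/identities/"):
			fmt.Fprint(w, `{"id":"00000000-0000-0000-0000-000000000001","recovery_addresses":[{"value":"alice@example.test","via":"email"}]}`)
		default:
			http.NotFound(w, r)
		}
	}))
	defer fake.Close()

	identityID := "00000000-0000-0000-0000-000000000001" // constructed
	recipient := "Alice@example.test"                    // address typed by the administrator

	resp, _ := fake.Client().Get(fake.URL + "/admin/identities/" + identityID)
	identityJSON, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	if ok, err := RecipientIsRecoveryAddress(identityJSON, recipient); err != nil || !ok {
		fmt.Println("refusing to send: recipient is not a recovery address of this identity")
		return
	}
	rl, err := CreateRecoveryLink(fake.Client(), fake.URL, identityID, "1h")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	msg, _ := RenderInviteEmail(rl)
	fmt.Print(msg) // hand msg to your mail sender; the link never enters a personal "sent" folder
}
```

If your deployment predates the `/admin` prefix on the admin port, adjust the two paths; the recipient check is the part worth keeping regardless, since it turns the admin-chosen address into a confirmation of what Kratos already knows rather than a free-text override.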

kszafran commented 2 years ago

The problem is that we can't have two different email templates for recovery and for invites.

@kszafran as a potential workaround, instead of starting the recovery flow could you use the admin API to generate the recovery link?

This would let you email the link to the user in a custom template for invitations, without affecting the default recovery flow email template.

Well, yes, that's an option. But then you have to implement the email sending code yourself. I decided I prefer to rely on the implementation offered by Kratos.

RubenWerdmuller commented 1 year ago

@aeneasr any news on this front? 😄

dhia-gharsallaoui commented 1 week ago

Hello :wave: Any news about this?