Allow to check whether a username/password would be accepted by Ory without actually registering a user

finsterwalder commented 1 year ago

Preflight checklist

[X] I could not find a solution in the existing issues, docs, nor discussions.
[X] I agree to follow this project's Code of Conduct.
[X] I have read and am following this repository's Contribution Guidelines.
[X] This issue affects my Ory Network project.
[X] I have joined the Ory Community Slack.
[ ] I am signed up to the Ory Security Patch Newsletter.

Describe your problem

We want to give users that sign up for a new account a green or red signal, whether their provided email and password are acceptable, before they actually submit their credentials. This gives them a better user experience with early feedback.

Many signup forms show you the rules your password needs to follow and show you a green sign, once you obey to all the provided rules. Since Ory does not simply follow some simple rules (at least a char and a number etc.), it's hard to implement something similar. So right now we have to create the account and then report the error back to the user after he submitted the signup form. Instead we would like to give the user a feedback once he stoped typing for a little while.

Describe your ideal solution

An API that accepts a Username and a Password and gives back a yes/no answer, whether the given credentials would be accepted for a new account.

Workarounds or alternatives

Try to create the account without checking beforehand

Version

current REST API

Additional Context

Old issue in Kratos: https://github.com/ory/kratos/issues/136

zepatrik commented 1 year ago

Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret. This is particularly important following the rejection of a memorized secret on the above list as it discourages trivial modification of listed (and likely very weak) memorized secrets [Blacklists].

from https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers

aeneasr commented 1 year ago

That makes sense to me!

kmherrmann commented 1 year ago

Could also be very helpful for dry run imports (on the admin API).

--

Klaus Herrmann | Product Management | @.*** | +49-1522-9409636

github-actions[bot] commented 2 weeks ago

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

open a PR referencing and resolving the issue;
leave a comment on it and discuss ideas on how you could contribute towards resolving it;
leave a comment and describe in detail why this issue is critical for your use case;
open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

ory / network