rishabhpoddar
commented
3 years ago See these questions answered for SuperTokens here: https://github.com/supertokens/docs/issues/28
Describe the dev setup experience (how many steps and what are they + time overall)
- Familiarise yourself with Kratos specific terminology and auth concepts:
- Identity model
- Their config.yml configs
- OAuth concepts
- About JWTs and JWKs
- About configuring cookies and its various flags (sameSite, httpOnly, domain, path)
- Jsonnets
- Docker and docker compose
- Understand their REST api structure and how to use them for your use case
- The concept of a flow, node groups etc...
- Need to build your own frontend UI
- Use their rest API in your frontend and backend layer
- Need to setup kratos docker
- Need to setup MailSlurper for fake email sending
Documentation review
Decent, as long as you know what exactly you are looking for, and how Kratos works.
Can you easily add a custom social provider?
Yes, it does. You can configure the params for the generic open ID provider using their config.yml file. For extracting of payload from the provider, you need to give external Jsonnet file - this can be a bit of a learning curve + the code for this lies outside your main backend code base.
How well do they support various platforms and SDKs?
- It seems that the user has to largely interact with Kratos' API / config directly, as opposed to get nice SDK functions themselves.
- The backend SDKs provides a reverse proxy to Ory Kratos. So the user has to create a route (prefix of all routes that Ory's frontend queries), and that will reverse proxy to Ory kratos. This allows session cookies to be used.
- All operation one might want to do in the backend would require the use of Kratos' API directly
- For session management on the frontend, it seems that you would need to manually do a lot of operations:
- If using react, you would need to create your own component for protecting website routes as opposed to using something out of the box.
- Overall, whilst they have all SDKs supported, one is expected to interact with their APIs directly.
How can we go about customising the UI? From colours to full customisation
- Kratos doesn't have any in built UI. They do have a repo with a sample ui here: https://github.com/ory/kratos-selfservice-ui-node. But it is not really easily customisable.
- They largely expect users to build their own UI and integrate it with their APIs.
How do we do things like handle sign up success?
- They have webhooks for this. One needs to define the API url etc in their config.yml file, and that will be called by Kratos.
Can sessions be used with httpOnly cookies?
- Yes. But you need to configure and manage these yourself.
Setting up for the two use cases of multi tenancy?
Kratos doesn't have multi tenancy (in terms of different user pools). They have a work around where you can manually create schemas in your db (as one user pool) and point one instance of kratos to that.
In terms of supporting multiple sub domains, that's a function of the UI and session management - something they leave to the end user.
If one needs to do something like paginating across all users in the app in their API, how can they do that?
They have APIs for pagination of users. You would need to query them manually.
If someone wants to tweak the sign up / sign in APIs, how can they do that?
- They have hooks like pre / post sign up / sign in.
- Since you write your own frontend, you can make it query your backend sign in API, do anything you want along with query Kratos API within that API.
How would adding custom sign up fields work?
- You have to make your own UI
- TODO: How do we store custom form fields? Do we need to store them in our own db or does kratos help with that?
How would adding custom sign up validators work?
- On the frontend, you can have your own logic - since you make the frontend
- On the backend, you would need to implement your own backend API for sign up (calling Kratos's create identity API). In that function, you can have your own logic for field verification
How to implement sign out functionality?
- Delete the JWT access token from the cookie / localstorage
- There is browser based logout, but it's vulnerable to CSRF attacks..
- API based logout is there too, but it needs to be manually called from your backend API
What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?
- Yes because you make your own UI
What are features that they provide that we don't?
- 2fa
- phone based login
- access control
- admin dashboard (not open source)
- Make your app an OAuth provider
Will their solution work with serverless env like in nextjs or netlify?
- Yes. However, verification of a session requires the fetchinf of the jwks.json from Kratos, and that is something that needs to be managed by the dev themselves.. (to solve the cold start problem)
if you want to add a password strength meter to registration, how does it work
- You build your own UI, do this is possible
Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)
- Validators is something that you have to manage yourself.
what are the supported databases
- PostgreSQL, MySQL, CockroachDB
Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?
- They have a JS function that does this check (by calling their API). But nothing specific to react. Also, this JS function is specific to their example UI repo.. so if you choose to implement sessions in a slightly different way, you would need to do this yourself.
If a session expires is there a pop-up? does the user have to handle it?
- Need to be handled by the dev themselves.
mobile implementation, IOS and Android
- UI is to be created by yourself
- Session management also needs to be done by yourself.
implementation with ssr
- This is largely a function of UI and sessions. Both of these are pretty much to be done by the dev.
- However, the user has to be careful to call Kratos' public APIs whcih are exposed via the admin port, otherwise they will get CSRF token missing error.
API customisability
- The frontend could query your own backend APIs which could do anything you like them to do.
sharing session across sub domains
- They do have a guide on this in their docs, but it's to do with allowing the frontend app to query Kratos directly.
- It doesn't seem like they talk about multiple sub domains (user facing) talking to your API - since that is to do with session management which is a responsibility of the end user.
How to disallow sign up and only have sign in?
- Since the UI is controlled by the dev entirely, they can simply not have a sign up button anywhere.
- Disabling Kratos' sign up public API may be possible, but TODO
Can you make the provider's frontend talk to your API instead of theirs? And then your APIs talk to their API.
Provider doesn't have a frontend.
Does it provide Email OTP as a feature?
- Email OTP is a feature offered for 2fa
Can a user be re-authenticated when visiting a protected route?
- Provider doesn't have a frontend, its up to the user to create this feature
Questions