Us vs Ory Kratos #35

Open
28 of 40 tasks
rishabhpoddar opened this issue Jun 18, 2021 · 5 comments

Comments

@rishabhpoddar
Contributor

rishabhpoddar commented Jun 18, 2021

Questions

  • Can you easily add a custom social provider?
  • How well do they support various platforms and SDKs?
  • How can we go about customising the UI? From colours to full customisation
  • How do we do things like handle sign up success?
  • Social account consolidation?
  • Can sessions be used with httpOnly cookies?
  • Setting up for the two use cases of multi tenancy?
  • If one needs to do something like paginating across all users in the app in their API, how can they do that?
  • If someone wants to tweak the sign up / sign in APIs, how can they do that?
  • How would adding custom sign up fields work?
  • How would adding custom sign up validators work?
  • Describe the dev setup experience (how many steps and what are they + time overall)
  • How do you go about sending emails yourself if you want to?
  • How to go about customising the email design and or the sender's domain?
  • How to implement sign out functionality?
  • How to implement revoking a user's session functionality?
  • What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?
  • What are features that they provide that we don't?
  • Will their solution work with serverless env like in nextjs or netlify?
  • Email verification with Social providers, how does it work
  • Changing Email for social provider, how it works
  • if you want to add a password strength meter to registration, how does it work
  • For social account consolidation, how does changing the email work.
  • Multi tenancy, properly how it works, redirection works with the frontend
  • RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.
  • Documentation review
  • Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)
  • what are the supported databases
  • Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?
  • If a session expires is there a pop-up? does the user have to handle it?
  • mobile implementation, iOS and Android
  • Email is not verified but password reset is done, does that verify email?
  • implementation with ssr
  • Migration to and away
  • API customisability
  • sharing session across sub domains
  • How to disallow sign up and only have sign in?
  • Can you make the provider's frontend talk to your API instead of theirs? And then your APIs talk to their API.
  • Does it provide Email OTP as a feature?
  • Can a user be re-authenticated when visiting a protected route?
@rishabhpoddar
Contributor Author

rishabhpoddar commented Jun 18, 2021

See these questions answered for SuperTokens here: #28

Describe the dev setup experience (how many steps and what are they + time overall)

  • Familiarise yourself with Kratos specific terminology and auth concepts:
    • Identity model
    • Their config.yml configs
    • OAuth concepts
    • About JWTs and JWKs
    • About configuring cookies and its various flags (sameSite, httpOnly, domain, path)
    • Jsonnet
    • Docker and docker compose
    • Understand their REST api structure and how to use them for your use case
      • The concept of a flow, node groups etc...
  • Need to build your own frontend UI
  • Use their rest API in your frontend and backend layer
  • Need to setup kratos docker
  • Need to setup MailSlurper for fake email sending

Documentation review

Decent, as long as you know what exactly you are looking for, and how Kratos works.

Can you easily add a custom social provider?

Yes, you can. You can configure the params for the generic OpenID provider using their config.yml file. For extracting the payload from the provider, you need to supply an external Jsonnet file - this can be a bit of a learning curve + the code for this lies outside your main backend code base.

How well do they support various platforms and SDKs?

  • It seems that the user has to largely interact with Kratos' API / config directly, as opposed to get nice SDK functions themselves.
  • The backend SDKs provide a reverse proxy to Ory Kratos. So the user has to create a route (prefix of all routes that Ory's frontend queries), and that will reverse proxy to Ory Kratos. This allows session cookies to be used.
  • All operations one might want to do in the backend would require the use of Kratos' API directly
  • For session management on the frontend, it seems that you would need to manually do a lot of operations:
    • If using react, you would need to create your own component for protecting website routes as opposed to using something out of the box.
  • Overall, whilst they have all SDKs supported, one is expected to interact with their APIs directly.

How can we go about customising the UI? From colours to full customisation

  • Kratos doesn't have any in built UI. They do have a repo with a sample ui here: https://github.com/ory/kratos-selfservice-ui-node. But it is not really easily customisable.
  • They largely expect users to build their own UI and integrate it with their APIs.

How do we do things like handle sign up success?

  • They have webhooks for this. One needs to define the API url etc in their config.yml file, and that will be called by Kratos.

Can sessions be used with httpOnly cookies?

  • Yes. But you need to configure and manage these yourself.

Setting up for the two use cases of multi tenancy?

Kratos doesn't have multi tenancy (in terms of different user pools). They have a work around where you can manually create schemas in your db (as one user pool) and point one instance of kratos to that.

In terms of supporting multiple sub domains, that's a function of the UI and session management - something they leave to the end user.

If one needs to do something like paginating across all users in the app in their API, how can they do that?

They have APIs for pagination of users. You would need to query them manually.

If someone wants to tweak the sign up / sign in APIs, how can they do that?

  • They have hooks like pre / post sign up / sign in.
  • Since you write your own frontend, you can make it query your backend sign in API, do anything you want along with query Kratos API within that API.

How would adding custom sign up fields work?

  • You have to make your own UI
  • TODO: How do we store custom form fields? Do we need to store them in our own db or does kratos help with that?

How would adding custom sign up validators work?

  • On the frontend, you can have your own logic - since you make the frontend
  • On the backend, you would need to implement your own backend API for sign up (calling Kratos's create identity API). In that function, you can have your own logic for field verification

How to implement sign out functionality?

  • Delete the JWT access token from the cookie / localstorage
  • There is browser based logout, but it's vulnerable to CSRF attacks..
  • API based logout is there too, but it needs to be manually called from your backend API

What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?

  • Yes because you make your own UI

What are features that they provide that we don't?

  • 2fa
  • phone based login
  • access control
  • admin dashboard (not open source)
  • Make your app an OAuth provider

Will their solution work with serverless env like in nextjs or netlify?

  • Yes. However, verification of a session requires the fetching of the jwks.json from Kratos, and that is something that needs to be managed by the dev themselves.. (to solve the cold start problem)

if you want to add a password strength meter to registration, how does it work

  • You build your own UI, so this is possible

Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)

  • Validators are something that you have to manage yourself.

what are the supported databases

  • PostgreSQL, MySQL, CockroachDB

Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?

  • They have a JS function that does this check (by calling their API). But nothing specific to react. Also, this JS function is specific to their example UI repo.. so if you choose to implement sessions in a slightly different way, you would need to do this yourself.

If a session expires is there a pop-up? does the user have to handle it?

  • Need to be handled by the dev themselves.

mobile implementation, IOS and Android

  • UI is to be created by yourself
  • Session management also needs to be done by yourself.

implementation with ssr

  • This is largely a function of UI and sessions. Both of these are pretty much to be done by the dev.
  • However, the user has to be careful to call Kratos' public APIs which are exposed via the admin port, otherwise they will get a CSRF token missing error.

API customisability

  • The frontend could query your own backend APIs which could do anything you like them to do.

sharing session across sub domains

  • They do have a guide on this in their docs, but it's to do with allowing the frontend app to query Kratos directly.
  • It doesn't seem like they talk about multiple sub domains (user facing) talking to your API - since that is to do with session management which is a responsibility of the end user.

How to disallow sign up and only have sign in?

  • Since the UI is controlled by the dev entirely, they can simply not have a sign up button anywhere.
  • Disabling Kratos' sign up public API may be possible, but TODO

Can you make the provider's frontend talk to your API instead of theirs? And then your APIs talk to their API.

Provider doesn't have a frontend.

Does it provide Email OTP as a feature?

  • Email OTP is a feature offered for 2fa

Can a user be re-authenticated when visiting a protected route?

  • Provider doesn't have a frontend, its up to the user to create this feature

@rishabhpoddar changed the title from "Us vs Ory" to "Us vs Ory Kratos" on Jun 18, 2021
@rishabhpoddar
Contributor Author

Experience with Ory

From a technical point of view:

  • Getting started was super easy. Reaching a point where I had a sign in UI and could protect a web page in a next.js app took less than 10 mins!
  • Modifying the login page to add social providers was easy too.
  • Implementing the sign out button was easy too, but not as easy as the getting started guide - their docs had very little about signing out but some blog had some info. It required more coding to do this compared to other auth providers.
  • Doing session verification in the backend API seems difficult. Nothing clear about this in their docs. Have asked on their community forum, but for something as essential as this, it was surprisingly difficult. Seems like I have to take the session token and query Kratos on each API - I can make my own middleware for this, but it is manual work.
  • Their data model seems fairly complex and has a steep learning curve. This is a good and a bad thing.
  • Whilst adding extra forms in the sign up field was simple, adding custom validation to them seems to require building my own UI. It’s not clear how to have these validations on the backend. It seems that we need to write our own API on the backend which will do the validation checks and call the sign up API from kratos.
  • It’s nice that they have a settings page for a user using which they can change their email or password post login.
  • Their account recovery flow is handy as well.
  • It’s nice that they have easy ways to disable sign ups and only allow users to be invited to the app.
  • Seems like any sort of backend customisation requires the dev to build the API themselves and then call Kratos' APIs via HTTP. This seems like a lot of work, furthermore, it lacks granularity of control. For example, what if you want to run an operation after sign in, but before a new session token is created? Furthermore, I’m not sure how this reverse proxy will work for non NextJS apps. I see there is a proxy CLI tool, but that again requires me to run the CLI? Not sure.
  • No account linking, no plan on supporting that either.
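
The session-verification middleware that the comments above describe having to build by hand (querying Kratos on each backend API call, and the same check for protecting routes), as an added example that is not part of this issue or of Ory's own SDKs. It assumes a Node/Express-style request object and that Kratos' public port is reachable at http://127.0.0.1:4433 (the quickstart default; an assumption, change it for your deployment). The `GET /sessions/whoami` endpoint, the `ory_kratos_session` cookie and the `X-Session-Token` header are Kratos' real names. Kratos itself is replaced by a constructed fake (`fakeKratosFetch`) injected through `fetchImpl` so the example runs offline; in production you would pass nothing and let it use the global `fetch`.

```javascript
// Added example: verify a Kratos session from a backend API by forwarding only
// the session credential to Kratos' public `GET /sessions/whoami` endpoint.
// KRATOS_PUBLIC_URL is an assumption (the quickstart default public port).
const KRATOS_PUBLIC_URL = 'http://127.0.0.1:4433';
const SESSION_COOKIE = 'ory_kratos_session';

// Return the value of one named cookie from a raw Cookie header, or null.
function getCookie(cookieHeader, name) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Ask Kratos whether the presented credential belongs to an active session.
// Browser clients carry the `ory_kratos_session` cookie; native/API clients
// carry the session token in `X-Session-Token`. Only that one credential is
// forwarded, never the browser's whole Cookie header, so unrelated cookies
// for your own domain are not sent to Kratos.
async function verifyKratosSession(req, fetchImpl = globalThis.fetch) {
  const headers = { Accept: 'application/json' };
  const cookie = getCookie(req.headers.cookie, SESSION_COOKIE);
  const token = req.headers['x-session-token'];
  if (cookie) headers.Cookie = `${SESSION_COOKIE}=${cookie}`;
  else if (token) headers['X-Session-Token'] = token;
  else return { ok: false, status: 401, reason: 'no session credential' };

  const res = await fetchImpl(`${KRATOS_PUBLIC_URL}/sessions/whoami`, { headers });
  if (res.status !== 200) {
    return { ok: false, status: 401, reason: `whoami returned ${res.status}` };
  }
  const session = await res.json();
  // Do not trust the 200 alone: check the session's own `active` flag and
  // expiry so a cached or stale response cannot be replayed past its lifetime.
  if (session.active !== true) return { ok: false, status: 401, reason: 'session not active' };
  if (session.expires_at && Date.parse(session.expires_at) <= Date.now()) {
    return { ok: false, status: 401, reason: 'session expired' };
  }
  return { ok: true, status: 200, session };
}

// Express-style middleware: reject before the handler runs, otherwise expose
// the verified session and identity on the request.
// Usage: app.get('/api/me', requireKratosSession(), (req, res) => res.json(req.identity.traits));
function requireKratosSession(fetchImpl = globalThis.fetch) {
  return async (req, res, next) => {
    const result = await verifyKratosSession(req, fetchImpl);
    if (!result.ok) return res.status(result.status).json({ error: result.reason });
    req.session = result.session;
    req.identity = result.session.identity;
    return next();
  };
}

// Constructed fake Kratos for offline demonstration (not a real server):
// accepts exactly one cookie value and answers like /sessions/whoami.
function fakeKratosFetch(validCookie) {
  return async (url, { headers }) => {
    const cookieOk = headers.Cookie === `${SESSION_COOKIE}=${validCookie}`;
    if (!url.endsWith('/sessions/whoami') || !cookieOk) {
      return { status: 401, json: async () => ({ error: { code: 401 } }) };
    }
    return {
      status: 200,
      json: async () => ({
        id: 'constructed-session-id',
        active: true,
        expires_at: new Date(Date.now() + 3600 * 1000).toISOString(),
        identity: { id: 'constructed-identity-id', traits: { email: 'alice@example.com' } },
      }),
    };
  };
}
```

Because `whoami` is a network round trip on every request, this is the cost the comment above complains about; a short-lived in-process cache keyed on the cookie value would cut it, but it must honour `expires_at` and be invalidated on logout, otherwise revocation stops working.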
