Ory CLI: Authentication in Automated Workflows
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, or discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
We want to use the CLI in automated workflows (e.g. in CI/CD and automated end-to-end tests) to manage test projects. To do so, we need a way to do non-interactive auth.
Describe your ideal solution
- Option A: Command-line arguments for username and password for `ory auth`
- Option B: Environment variables for username, password and project are detected and used automatically by the CLI
- Option C: Similar to B, but using environment variables for a Personal Access Token and project
Workarounds or alternatives
N/A
Version
Cloud
Additional Context
No response
+1 for this
As a workaround, you can generate the .ory-cloud.json file using the interactive auth flow, then store that and use it (i.e. mount it into the Docker container, like I'm doing).
Configuring the client via environment variables or a PWA would be ideal though (option B or C in @kmherrmann's post).
Here's an example bash script that authenticates using the API and generates a config file. The resulting config file can be mounted to a container running ory cli, for example. This is definitely not suitable for production and needs cleaning up if part of a build pipeline.
```bash
#!/usr/bin/env bash
set -o nounset
set -o errexit

# Start a self-service login flow of type "api" and return the URL that the
# credentials have to be POSTed to.
kratos_initiate_api_auth_flow() {
  local kratos_base_url="${1}"
  local action_url
  action_url=$(curl -s -X GET \
    -H "Accept: application/json" \
    "${kratos_base_url}/self-service/login/api" | jq -r '.ui.action')
  echo -n "${action_url}"
}

# Submit the flow payload. On success the response carries the session token;
# on failure it is the flow again, with .ui.messages populated.
kratos_post_flow_payload() {
  local action_url="${1}"
  local payload="${2}"
  local session
  session=$(curl -s -X POST \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
    -d "${payload}" \
    "${action_url}" | jq)
  echo -n "${session}"
}

kratos_create_session() {
  local kratos_base_url="${1}"
  local kratos_user="${2}"
  local kratos_password="${3}"
  local action_url payload session
  action_url=$(kratos_initiate_api_auth_flow "${kratos_base_url}")
  # Let jq encode the credentials so that quotes or backslashes in a password
  # cannot break the JSON document.
  payload=$(jq -n -c --arg id "${kratos_user}" --arg pw "${kratos_password}" \
    '{identifier: $id, password: $pw, method: "password"}')
  session=$(kratos_post_flow_payload "${action_url}" "${payload}")
  echo -n "${session}"
}

# Not used below; handy for checking that a stored token still maps to a session.
kratos_whoami() {
  local kratos_base_url="${1}"
  local kratos_session_token="${2}"
  local identity
  identity=$(curl -s -H "Authorization: Bearer ${kratos_session_token}" \
    "${kratos_base_url}/sessions/whoami" | jq)
  echo -n "${identity}"
}

# Reshape the login response into the fields the CLI reads from .ory-cloud.json.
create_ory_cli_config() {
  local session="${1}"
  echo -n "${session}" | jq -c '{
    session_token: .session_token,
    session_identity_traits: {ID: .session.id, email: .session.identity.traits.email}
  }'
}

kratos_base_url="${1}"
kratos_user="${2}"
kratos_password="${3}"

session=$(kratos_create_session "${kratos_base_url}" "${kratos_user}" "${kratos_password}")
messages=$(echo -n "${session}" | jq -r '.ui.messages')
if [[ "${messages}" = "null" ]]; then
  # The file holds a bearer token, so create it owner-readable only.
  (umask 077; create_ory_cli_config "${session}" > "${HOME}/.ory-cloud.json")
else
  compacted_messages=$(echo -n "${session}" \
    | jq -r '.ui.messages | map(select(.type=="error")) | .[].text')
  echo "Failed to create a session. The following error messages were reported:" >&2
  while IFS= read -r error; do
    echo "${error}" >&2
  done <<< "${compacted_messages}"
  exit 1
fi
```
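The same Kratos API login flow as an added Python example (not code from the thread or from Ory): it builds the payload with a JSON encoder, separates a session response from a flow that carries error messages, and writes the config owner-readable only. The ORY_* environment variable names, the `config_from_response` split and the `LoginError` type are this example's assumptions; the .ory-cloud.json field names follow the script above.

```python
import json
import os
import urllib.error
import urllib.request

class LoginError(Exception):
    """Kratos answered with a flow carrying error messages instead of a session."""

def build_payload(identifier: str, password: str) -> bytes:
    # json.dumps escapes quotes/backslashes, so credentials cannot break the document
    return json.dumps({"identifier": identifier, "password": password,
                       "method": "password"}).encode()

def config_from_response(resp: dict) -> dict:
    """Map a login response to the .ory-cloud.json fields used in the thread."""
    messages = (resp.get("ui") or {}).get("messages") or []
    errors = [m["text"] for m in messages if m.get("type") == "error"]
    if errors or "session_token" not in resp:
        raise LoginError("; ".join(errors) or "response carries no session_token")
    session = resp["session"]
    return {"session_token": resp["session_token"],
            "session_identity_traits": {"ID": session["id"],
                                        "email": session["identity"]["traits"]["email"]}}

def _get_json(req: urllib.request.Request) -> dict:
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:  # a 400 still carries the flow with ui.messages
        return json.load(e)

def login(base_url: str, identifier: str, password: str) -> dict:
    """Initiate an API flow, submit the password method, return the CLI config."""
    flow = _get_json(urllib.request.Request(f"{base_url}/self-service/login/api",
                                            headers={"Accept": "application/json"}))
    submit = urllib.request.Request(flow["ui"]["action"], method="POST",
                                    data=build_payload(identifier, password),
                                    headers={"Accept": "application/json",
                                             "Content-Type": "application/json"})
    return config_from_response(_get_json(submit))

def write_config(config: dict, path: str) -> None:
    # owner-only mode from the start: the file holds a bearer session token
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f)

if __name__ == "__main__":  # ORY_* variable names are this example's assumption
    write_config(login(os.environ["ORY_KRATOS_URL"], os.environ["ORY_USER"],
                       os.environ["ORY_PASSWORD"]), os.path.expanduser("~/.ory-cloud.json"))
```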
Awesome, thank you!
We will be fixing this by using OAuth2 for the CLI. There is already some progress on this, but it takes a bit of time to finish it completely.
This is now possible with workspace api keys!