Add support for transient properties
Is your feature request related to a problem? Please describe.
The domain addressed by Kratos is identity management. Identity Management as a "feature set" alone is however not enough, and there are other domains involved to have all facets of an Identity Management System covered. Things like the management of privacy policies and/or terms and conditions documents (and the corresponding versions) as well as the management of the corresponding consents given by the users are required, but FMPOV clearly outside of scope for Kratos. As of today the integration of such systems with Kratos requires the definition of corresponding properties as traits in the identity schema so that one can hook into a specific flow, e.g. registration, via web hooks and pass down the information to the corresponding system. This approach has a huge drawback - such properties are not managed by Kratos, but are required to be used in each and every request, e.g. to update the identity object.
Describe the solution you'd like
To overcome the above-mentioned limitations and to enable better integration with other systems, there is a need for "transient" properties. That is, properties which are not stored by Kratos, but are just used for passing them down to other systems via web hooks. One approach would be to extend the web hook implementation to support passing the body object of the request to the Jsonnet template. This way the front end application for Kratos could include whatever is required into the rendered form and the web hook could make use of it upon submission to Kratos, without Kratos even knowing about these additional properties. Care must however be taken, as some such requests (e.g. registration and login) also have the password sent in the body. These shall not be exposed to the Jsonnet template.
Describe alternatives you've considered
Another approach could be to allow patching of identities in Kratos. So the properties required by other systems would not be required to be passed around in requests related to identity object updates. It has, however, the downside that Kratos would still know about these and still not be responsible for managing these.
What do you think? If you agree with extending the web hooks implementation, as written above, I'll volunteer for the corresponding PR :)
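The filtering step requested above (hand the request body to the web hook template, but never the password), sketched as an added example that is not part of the original issue and is not Kratos code. The names `sensitiveKeys`, `redact` and `TemplateBody`, the denylist contents and the sample body are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sensitiveKeys is an assumed denylist; extend it for every enabled credential method.
var sensitiveKeys = map[string]bool{"password": true, "csrf_token": true, "totp_code": true}

// redact returns a deep copy of v with every sensitive key removed at any depth.
func redact(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if sensitiveKeys[strings.ToLower(k)] {
				continue // drop the secret instead of masking it
			}
			out[k] = redact(val)
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = redact(val)
		}
		return out
	default:
		return v
	}
}

// TemplateBody decodes a JSON request body and returns the redacted JSON for the template.
func TemplateBody(raw []byte) (string, error) {
	var body map[string]interface{}
	if err := json.Unmarshal(raw, &body); err != nil {
		return "", fmt.Errorf("decode body: %w", err)
	}
	out, err := json.Marshal(redact(body))
	return string(out), err
}

func main() {
	// Constructed sample registration body, not captured from a real system.
	raw := []byte(`{"method":"password","password":"s3cret","csrf_token":"abc","traits":{"email":"a@example.org"},"consent":{"tos_version":"2024-01","accepted":true}}`)
	fmt.Println(TemplateBody(raw))
}
```

A denylist only covers the field names it knows about; passing the template only an explicitly allowlisted sub-object of the body avoids leaking a credential field added by a later method.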
I agree something should be done about this. I do not mind the alternative though, storing those additional properties in Kratos as traits. The only issues I see are that:
- Currently hooks cannot modify which traits are stored. https://github.com/ory/kratos/issues/2042
- All traits can be further changed by end-users. We need internal traits or something. https://github.com/ory/kratos/issues/117
I already had a chat about it with @aeneasr and started a branch to implement the idea described above. There is however a dependency on ory-x, on which I started working as well. Because of some time constraints, it was however not yet possible for me to finalize it on time.
See #3102 fyi @CaptainStandby