Clients generated from OpenAPI specification cannot handle Passkey authentication method
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
The OpenAPI spec for Kratos does not include `passkey` as a valid option in the authentication method enum, here: https://github.com/ory/kratos/blob/b0111d4bd561d0f0e2f5883f30fac36fcf7135d5/spec/api.json#L1960-L1974
This causes some clients generated with openapi-generator that explicitly try to match enum values against all known valid values (e.g. the csharp generator with the generichost library option, as seen here: https://github.com/leancodepl/dotnet-kratos-client/blob/bbaa34a1e7cd355b0c0c34eaa875096dbd529df2/src/LeanCode.Kratos.Client/Model/KratosSessionAuthenticationMethod.cs#L123-L153) to fail to deserialize sessions which were authenticated using passkeys, and therefore to fail to authenticate users using this method.
Reproducing the bug
- Generate a client from the OpenAPI specification that handles enums by matching them against all known valid values.
- One such client is https://www.nuget.org/packages/LeanCode.Kratos.Client that we're currently using, which was generated by me and where we noticed this problem.
- Obtain a session that includes

  ```json
  "authentication_methods": [
    {
      "method": "passkey",
      "aal": "aal1",
      "completed_at": "…"
    }
  ],
  ```

- Try to call the `/sessions/whoami` endpoint using that session's token/cookie with the generated client and have it deserialize the response.
Relevant log output
No response
Relevant configuration
```yaml
selfservice:
  methods:
    passkey:
      enabled: true
      config:
        rp:
          display_name: "${authority_name}"
          id: "${domain}"
          origins:
            - "https://${domain}"
            %{ for origin in passkey_origins ~}
            - "${origin}"
            %{ endfor ~}
```
Version
1.2.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes
Additional Context
Technically the Kratos version I'm running is v1.2.0 with a custom patch on top of it that enables passkeys for API clients/flows as well. However, it shouldn't matter because the problem was found with a browser client anyway.
The client was actually generated from https://github.com/ory/sdk/blob/master/spec/kratos/v1.2.0.json although it seems like files in both repos have this issue. But I imagine the fix needs to happen here before being propagated to sdk repo so this is where I chose to report this.
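To make the failure concrete, here is an added example (not code from the issue, from Kratos, or from the LeanCode client) that mimics in Go what the generated client does: a strict enum decoder that rejects the sample session because `passkey` is not in its enum, beside a tolerant decoder that keeps the raw method string and only flags it as unrecognised. The `knownMethods` list and the `sampleWhoami` payload are constructed for illustration; they are not the real enum or a real response from `api.json`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// knownMethods is a constructed, illustrative list of method names. It is
// NOT the real enum from Kratos' api.json; it deliberately lacks "passkey"
// to mirror the spec gap described in the issue.
var knownMethods = map[string]bool{
	"password":      true,
	"oidc":          true,
	"totp":          true,
	"webauthn":      true,
	"code":          true,
	"lookup_secret": true,
}

// StrictMethod behaves like the generated client: a value outside the enum
// is a deserialization error, so the whole session fails to decode.
type StrictMethod string

func (m *StrictMethod) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	if !knownMethods[s] {
		return fmt.Errorf("authentication method %q is not in the enum", s)
	}
	*m = StrictMethod(s)
	return nil
}

// TolerantMethod keeps the raw string and records whether it was recognised,
// so an unknown value never breaks decoding but is never silently mapped to
// a known one either.
type TolerantMethod struct {
	Raw   string
	Known bool
}

func (m *TolerantMethod) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	m.Raw, m.Known = s, knownMethods[s]
	return nil
}

type StrictSession struct {
	Active                bool `json:"active"`
	AuthenticationMethods []struct {
		Method StrictMethod `json:"method"`
		AAL    string       `json:"aal"`
	} `json:"authentication_methods"`
}

type TolerantSession struct {
	Active                bool `json:"active"`
	AuthenticationMethods []struct {
		Method TolerantMethod `json:"method"`
		AAL    string         `json:"aal"`
	} `json:"authentication_methods"`
}

// sampleWhoami is a constructed /sessions/whoami fragment, not a real capture.
const sampleWhoami = `{
  "active": true,
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [
    {"method": "passkey", "aal": "aal1", "completed_at": "2024-06-01T10:00:00Z"}
  ]
}`

func DecodeStrict(raw []byte) (StrictSession, error) {
	var s StrictSession
	err := json.Unmarshal(raw, &s)
	return s, err
}

func DecodeTolerant(raw []byte) (TolerantSession, error) {
	var s TolerantSession
	err := json.Unmarshal(raw, &s)
	return s, err
}

// UnknownMethods lists the method names the client could not map, so a caller
// can log them and decide on policy instead of crashing or guessing.
func UnknownMethods(s TolerantSession) []string {
	var out []string
	for _, m := range s.AuthenticationMethods {
		if !m.Method.Known {
			out = append(out, m.Method.Raw)
		}
	}
	return out
}

// HasKnownMethodAtAAL reports whether a method the client recognises
// completed at the requested level; unrecognised methods never count.
func HasKnownMethodAtAAL(s TolerantSession, aal string) bool {
	for _, m := range s.AuthenticationMethods {
		if m.Method.Known && m.AAL == aal {
			return true
		}
	}
	return false
}

func main() {
	if _, err := DecodeStrict([]byte(sampleWhoami)); err != nil {
		fmt.Println("strict client:", err)
	}
	s, err := DecodeTolerant([]byte(sampleWhoami))
	if err != nil {
		panic(err)
	}
	fmt.Println("tolerant client: active =", s.Active, "unknown =", UnknownMethods(s))
}
```

The tolerant shape is the one a client library should prefer: decoding keeps working when the server adds a method the spec has not caught up with, while `HasKnownMethodAtAAL` still refuses to let an unrecognised method satisfy a step-up check, so no authorization decision is made on a value the client does not understand. Fixing the enum in the spec then becomes a one-entry change rather than an outage for every user who signed in with a passkey.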