kratos Add "after identifer input" hooks

Preflight checklist

[X] I could not find a solution in the existing issues, docs, nor discussions.
[X] I agree to follow this project's Code of Conduct.
[X] I have read and am following this repository's Contribution Guidelines.
[ ] I have joined the Ory Community Slack.
[ ] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

It'd be useful to have an extra hook for login, recovery and verification flows. Currently it's impossible to interrupt a flow if the decision has to be made based on the identity data but before code is sent.

Describe your ideal solution

Add extra hook type for login, recovery and verification flows, that will be triggered after first input of identifier. The template data of a jsonnet file will provide identity property.

Workarounds or alternatives

-

Version

1.3.0

Additional Context

No response

Nov 25 '24 09:11 renom

You can use interrupting web hooks for this, if I‘m not mistaken. Please feel free to reopen if I am indeed wrong here

Feb 11 '25 21:02 aeneasr

The described behavior is tested, so I can't (setting up a hook that's run after an identifier is provided but before a code is sent). I have no permissions to reopen the issue btw.

Feb 12 '25 06:02 renom

Is this only for the code method? Or are there other use cases?

Feb 13 '25 16:02 aeneasr

I can't remember different use cases tbh. My use case is interrupting the flow before SMS is sent (based on the identity data). The point is a multi-step flow. I.e. first you input the identifier, then do something else (input a code from SMS), then the flow completes.

Feb 13 '25 17:02 renom

What exactly do you want to govern? Do you want to show the user some warning or do you want to use a different SMS gatewa or something else?

Feb 13 '25 17:02 aeneasr

Something like access control. Disallowing logging in with SMS for specific users.

Feb 13 '25 18:02 renom

I believe you can achieve this today with the following steps:

Implement a custom target for the SMS webhook where you don’t send out emails for specific users
Use a flow interrupting webhook which uses the same logic to show the user an error

Feb 13 '25 18:02 aeneasr

Yes, but it'll be triggered after an unnecessary SMS was sent (which costs some money).

Feb 13 '25 18:02 renom