Ory CLI: Authentication in Automated Workflows #187

Open
6 tasks done
kmherrmann opened this issue Aug 8, 2022 · 3 comments
Labels
feat New feature or request.

Comments


kmherrmann commented Aug 8, 2022

Preflight checklist

Describe your problem

We want to use the CLI in automated workflows (e.g. in CI/CD and automated end-to-end tests) to manage test projects. To do so, we need a way to do non-interactive auth.

Describe your ideal solution

Option A
Command Line Arguments for username and password for "ory auth"

Option B
Environment Variables for username, password and project are detected and used automatically by the CLI

Option C
Similar to B), but using Environment Variables for Personal Access Token and project

Workarounds or alternatives

N/A

Version

Cloud

Additional Context

No response

@kmherrmann kmherrmann added the feat New feature or request. label Aug 8, 2022
@Rodeoclash

+1 for this

As a workaround, you can generate the .ory-cloud.json file using the interactive auth flow, then store that and use it (i.e. mount it into the Docker container like I'm doing).

Configuring the client via environment variables or a PWA would be ideal though (option b or c in @kmherrmann's post)


wtcross commented Sep 17, 2023

Here's an example bash script that authenticates using the API and generates a config file. The resulting config file can be mounted to a container running ory cli, for example. This is definitely not suitable for production and needs cleaning up if part of a build pipeline.

```bash
#!/usr/bin/env bash
set -o nounset
set -o errexit

# Start a native (API) login flow and print the URL the credentials are posted to.
kratos_initiate_api_auth_flow() {
  local kratos_base_url="${1}"

  local action_url=$(curl -s -X GET \
      -H "Accept: application/json" \
      "${kratos_base_url}/self-service/login/api" | jq -r '.ui.action')

  echo -n "${action_url}"
}

# POST a JSON payload to the flow's action URL and print the JSON response.
kratos_post_flow_payload() {
  local action_url="${1}"
  local payload="${2}"

  local session=$(curl -s -X POST \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -d "${payload}" \
      "${action_url}" | jq)

  echo -n "${session}"
}

# Log in with the password method and print the response (a session, or the flow with its errors).
kratos_create_session() {
  local kratos_base_url="${1}"
  local kratos_user="${2}"
  local kratos_password="${3}"

  local action_url=$(kratos_initiate_api_auth_flow "${kratos_base_url}")
  # Build the payload with jq so quotes or backslashes in the credentials are escaped.
  local payload=$(jq -c -n --arg identifier "${kratos_user}" --arg password "${kratos_password}" \
      '{identifier: $identifier, password: $password, method: "password"}')

  local session=$(kratos_post_flow_payload "${action_url}" "${payload}")

  echo -n "${session}"
}

# Print the identity behind a session token (not called below).
kratos_whoami() {
  local kratos_base_url="${1}"
  local kratos_session_token="${2}"

  local identity=$(curl -s -H "Authorization: Bearer ${kratos_session_token}" \
  "${kratos_base_url}/sessions/whoami" | jq)

  echo -n "${identity}"
}

# Turn a login response into the JSON written to ~/.ory-cloud.json.
create_ory_cli_config() {
  local session="${1}"

  local kratos_session_token=$(echo -n "${session}" | jq -r '.session_token')
  local kratos_session_id=$(echo -n "${session}" | jq -r '.session.id')
  local kratos_session_email=$(echo -n "${session}" | jq -r '.session.identity.traits.email')

  # jq escapes the values, so the output is always valid JSON.
  jq -c -n --arg token "${kratos_session_token}" --arg id "${kratos_session_id}" \
      --arg email "${kratos_session_email}" \
      '{session_token: $token, session_identity_traits: {ID: $id, email: $email}}'
}

# Note: positional arguments are visible in the process list while the script runs.
kratos_base_url="${1}"
kratos_user="${2}"
kratos_password="${3}"

session=$(kratos_create_session "${kratos_base_url}" "${kratos_user}" "${kratos_password}")

if [[ $(echo -n "${session}" | jq -r '.ui.messages') = "null" ]]
then
  # The config holds a session token, so a newly created file is owner-only.
  umask 077
  echo -n "$(create_ory_cli_config "${session}")" > "${HOME}/.ory-cloud.json"
else
  # Collect the text of every error message attached to the failed flow.
  compacted_messages=$(echo -n "${session}" | jq -c -r '.ui.messages | map(select(.type=="error")) | map(.text) | .[]')
  echo "Failed to create a session. The following error messages were reported:" > /dev/stderr
  while IFS= read -r error; do
    echo "${error}" > /dev/stderr
  done <<< "${compacted_messages}"
  exit 1
fi
```
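
A pre-use check for the generated file, as an added example that is not part of the thread or of the Ory CLI: it verifies that `.ory-cloud.json` is a regular, owner-only file carrying a real session token before it is stored or mounted into a container. The function name `check_ory_config` and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: gate a generated .ory-cloud.json before a pipeline uses it.
# check_ory_config PATH: returns 0 if the file is fit to use, 1 otherwise (reason on stderr).
check_ory_config() {
  local f="${1}" mode token

  # A symlink could point the mount at some other file; require a regular file.
  if [ -L "${f}" ] || [ ! -f "${f}" ]; then
    echo "${f}: not a regular file" >&2; return 1
  fi

  # The file holds a bearer session token: no group/other permission bits allowed.
  mode=$(ls -ld "${f}" | cut -c5-10)
  if [ "${mode}" != "------" ]; then
    echo "${f}: accessible beyond the owner, run chmod 600" >&2; return 1
  fi

  # Extract the token with jq when installed. The sed fallback only understands
  # the flat one-object layout that the script above writes.
  if command -v jq >/dev/null 2>&1; then
    token=$(jq -r '.session_token // empty' "${f}" 2>/dev/null) || token=""
  else
    token=$(sed -n 's/.*"session_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "${f}")
  fi

  # jq -r prints the string "null" for a missing field, so a response with neither
  # .ui.messages nor a session leaves "null" in the file written by that script.
  case "${token}" in
    ""|null) echo "${f}: no usable session_token" >&2; return 1 ;;
  esac
  return 0
}

# Constructed sample data: three config files in a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' '{"session_token": "constructed-token-123", "session_identity_traits": {"ID": "constructed-id", "email": "ci@example.test"}}' > "${demo_dir}/good.json"
printf '%s\n' '{"session_token": "null", "session_identity_traits": {"ID": "null", "email": "null"}}' > "${demo_dir}/failed-login.json"
cp "${demo_dir}/good.json" "${demo_dir}/world-readable.json"
chmod 600 "${demo_dir}/good.json" "${demo_dir}/failed-login.json"
chmod 644 "${demo_dir}/world-readable.json"

for name in good failed-login world-readable; do
  if check_ory_config "${demo_dir}/${name}.json"; then echo "${name}: ok"; else echo "${name}: rejected"; fi
done
```

Running the check as the step right before the file is uploaded as a CI secret or bind-mounted keeps a placeholder or world-readable token file from reaching the container.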

Member

aeneasr commented Sep 18, 2023

Awesome, thank you!

We will be fixing this by using OAuth2 for the CLI. There is already some progress on this, but it takes a bit of time to finish it completely.
