Setting up Account Recovery and Password Reset
To set up account recovery, your Identity Schema must have an email in its traits and add
{
"ory.sh/kratos": {
"recovery": {
"via": "email"
}
}
}
to it, for example:
{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
+ "ory.sh/kratos": {
+ "recovery": {
+ "via": "email"
+ }
+ }
}
}
}
}
}
Account recovery supports sending out a recovery link to an email address. For this to work, you must have the courier SMTP
connection configured in your Ory Kratos Config File (kratos serve -c /home/kratos/.kratos.yml
):
# Ory Kratos Config File
+courier:
+ smtp:
+ connection_uri: smtps://username:password@smtp-server:1234/
# ...
You also need to enable account recovery and have the link
method enabled:
selfservice:
methods:
link:
# Defaults to true, so left out. If you explicitly want to disable this method,
# set the value to `false`.
#
# enabled: true
config:
# If the link should point to a domain (and path) that differs from the configured public base URL,
# set this value to the base URL you want:
base_url: https://my-example-domain.com
flows:
# login ...
# registration...
+ recovery:
+ enabled: true
+ ui_url: http://127.0.0.1:4455/recovery
# ...
That all that's needed! For more information on implementing the UI and details about the payloads, head over to the Account Recovery Documentation!
Invalidate Other Sessions
To invalidate all other sessions upon successful account recovery, add the revoke_active_sessions
hook to:
selfservice:
flows:
recovery:
enabled: true
ui_url: http://127.0.0.1:4455/recovery
+ after:
+ hooks:
+ - hook: revoke_active_sessions