Configuring some hooks via env vars does not work

[DeppLearning]

Describe the bug

Some selfservice hooks do not work as expected. I'm using docker-compose

Reproducing the bug

1. in a docker-compose file, set: SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS=[require_verified_address,revoke_active_sessions]. I tried without the brackets and various other notations (various combinations of quotes/no-quotes and brackets/no-brackets). Those tend to make it worse.
2. start kratos service
3. observe crashing kratos and error msg

Server logs

The configuration contains values or keys which are invalid:
selfservice.flows.login.after: map[password:map[default_browser_return_url:http://127.0.0.1:4455 hooks:require_verified_address,revoke_active_sessions]]
                               ^-- doesn't validate with "#/definitions/selfServiceAfterLogin"

The configuration contains values or keys which are invalid:
selfservice.flows.login.after.password: map[default_browser_return_url:http://127.0.0.1:4455 hooks:require_verified_address,revoke_active_sessions]
                                        ^-- doesn't validate with "#/definitions/selfServiceAfterPasswordLoginMethod"

The configuration contains values or keys which are invalid:
selfservice.flows.login.after.password.hooks: require_verified_address,revoke_active_sessions
                                              ^-- expected array, but got string

{"audience":"application","error":{"message":"I[#/selfservice/flows/login/after] S[#/properties/selfservice/properties/flows/properties/login/properties/after/$ref] doesn't validate with \"#/definitions/selfServiceAfterLogin\"\n  I[#/selfservice/flows/login/after/password] S[#/definitions/selfServiceAfterLogin/properties/password/$ref] doesn't validate with \"#/definitions/selfServiceAfterPasswordLoginMethod\"\n    I[#/selfservice/flows/login/after/password/hooks] S[#/definitions/selfServiceAfterPasswordLoginMethod/properties/hooks/type] expected array, but got string"},"level":"fatal","msg":"Unable to instantiate configuration.","service_name":"Ory Kratos","service_version":"v0.7.6-alpha.1","time":"2021-09-27T22:37:34Z"}

Server configuration

Expected behavior

I expected kratos to start normally and accept the hook

Environment

• Environment: Docker, ...

Additional context

This might be a duplicate of #1535 . I am using quite a number of kratos env vars for configuration, this is the only var I cannot currently set without a config file though.

[zepatrik]

This is indeed related to #1535. Was it not possible to use the raw JSON representation for the whole array?

[DeppLearning]

Not entirely sure what you mean. I tried different ones including

"[item_1,item_2]"

'["item_1", "item_2"]'

`["item_1", "item_2"]`

[item_1,item_2]

item_1,item_2
item_1, item_2

I even tried if there is a SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD (without hooks) where I could input a json like this

["hooks": [item_1, item_2], "return_url": "..."]

is there something else I could try?

[zepatrik]

According to the config schema, selfservice.flows.login.after.password.hooks is an array of objects. So the correct JSON representation would be

[
  {"hook": "require_verified_address"},
  {"hook": "revoke_active_sessions"}
]

because a hook can also have a config, e.g.

kratos/driver/config/.schema/config.schema.json

Lines 156 to 219 in dd6a06f

	"selfServiceWebHook": {
	"type": "object",
	"properties": {
	"hook": {
	"const": "web_hook"
	},
	"config": {
	"type": "object",
	"title": "Web-Hook Configuration",
	"description": "Define what the hook should do",
	"properties": {
	"url": {
	"type": "string",
	"description": "The URL the Web-Hook should call",
	"format": "uri"
	},
	"method": {
	"type": "string",
	"description": "The HTTP method to use (GET, POST, etc)."
	},
	"body": {
	"type": "string",
	"oneOf": [
	{
	"format": "uri",
	"pattern": "^(http|https|file|base64)://",
	"description": "URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads",
	"examples": [
	"file:///path/to/body.jsonnet",
	"file://./body.jsonnet",
	"base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=",
	"https://oryapis.com/default_body.jsonnet"
	]
	},
	{
	"description": "DEPRECATED: please use a URI instead (i.e. prefix your filepath with 'file://')",
	"not": {
	"pattern": "^(http|https|file|base64)://"
	}
	}
	]
	},
	"auth": {
	"type": "object",
	"title": "Auth mechanisms",
	"description": "Define which auth mechanism the Web-Hook should use",
	"oneOf": [
	{
	"$ref": "#/definitions/webHookAuthApiKeyProperties"
	},
	{
	"$ref": "#/definitions/webHookAuthBasicAuthProperties"
	}
	]
	},
	"additionalProperties": false
	},
	"additionalProperties": false,
	"required": [
	"url",
	"method"
	]
	}
	},

[DeppLearning]

Thanks a lot for your help. I tried these alternatives in my docker compose file:

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS=[{"hook":"require_verified_address"},{"hook":"revoke_active_sessions"}]

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS='[{"hook":"require_verified_address"},{"hook":"revoke_active_sessions"}]'

- SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS={"hook":"require_verified_address"},{"hook":"revoke_active_sessions"}

 - SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS=[{\"hook\":\"require_verified_address\"},{\"hook\":\"revoke_active_sessions\"}]
 
 - SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS={\"hook\":\"require_verified_address\"},{\"hook\":\"revoke_active_sessions\"}

same error message as before though. Btw, I don't really need the revoke_active_sessions hook for now, so if a valid setup exists with only one hook, that gets around the array problem, that would help a lot too :)

[zepatrik]

The only workaround will be to use a config file then...

[OskarsPakers]

Just for the reference, the correct answer is:

SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS_0_HOOK=require_verified_address
SELFSERVICE_FLOWS_LOGIN_AFTER_PASSWORD_HOOKS_1_HOOK=revoke_active_sessions