How to manage users in Identity Platform

The Identity Platform can be run in identity provider mode, meaning you can manage your users directly rather than relying on third party identity providers, such as Google, Okta or Microsoft Entra ID.

Kratos is the main component of the Identity Platform responsible for identity and user management.

This guide explains common user management tasks that you can carry out in the built-in identity provider. Users and user accounts are often referred to as identities, we’ll use these terms interchangeably.

Account management

Create admin accounts

Admin accounts can be created by simply running a juju action in Charmed Kratos:

juju run kratos/0 create-admin-account email=<admin-email> password=<pwd> username=<username>

It is then advised to reset the newly created account’s password by running the reset-password action.

Create users

Regular users can be created in the Admin UI component. Note that this component is not deployed as part of the Identity Platform. In order to add it to your deployment, run:

juju deploy identity-platform-admin-ui --channel edge --trust

juju integrate identity-platform-admin-ui:ingress traefik-k8s
juju integrate identity-platform-admin-ui:kratos-info kratos
juju integrate identity-platform-admin-ui:hydra-endpoint-info hydra
juju integrate identity-platform-admin-ui:oauth hydra
juju integrate identity-platform-admin-ui openfga-k8s
juju integrate identity-platform-admin-ui:receive-ca-cert self-signed-certificates

Once the application is active, you can use the Admin UI user management page to create new accounts and change their permissions.

Get user details

You can fetch user details, such as identity traits (username, surname, phone number…) by running get-identity action in Kratos.

It can be done using the identity id:

juju run kratos/0 get-identity identity-id={identity_id}

Or email:

juju run kratos/0 get-identity email={email}

Update users

Identities can be updated in Admin UI.

Identity schemas

Account properties, such as surname or phone number, must match the identity traits defined in identity schemas. If you want to include additional properties or mark any of them as mandatory, you can configure identity_schemas in Charmed Kratos or Admin UI.

Note that email address is the account identifier by default.

Reset password

Charmed Kratos offers a juju action to reset password of an identity by its email or id. The password can be set to a specified value by passing password-secret-id as an action parameter.

To create a juju secret holding the password and grant it to kratos, run:

juju add-secret <secret-name> password=<new-password>
secret:cql684nmp25c75sflot0
juju grant-secret <secret-name> kratos

Then, run the action using identity id:

juju run kratos/0 reset-password identity-id={identity_id} password-secret-id=secret:cql684nmp25c75sflot0

Or email:

juju run kratos/0 reset-password email={email} password-secret-id=secret:cql684nmp25c75sflot0

If password-secret-id parameter is not provided, the action will return a self-service recovery code and link to reset the password.

Reset multi-factor authentication

Administrators can reset an identity’s second authentication factor using either the identity id or email. The type of credentials to be removed must be specified, supported values are totp and lookup_secret (commonly known as backup codes):

juju run kratos/0 reset-identity-mfa identity-id={identity_id} mfa-type={totp|lookup_secret}

Note that unless you disabled the enforce_mfa config option, the user will be asked to add a time-based one-time password (TOTP) multi-factor authentication on the next login.

See more: Enforce multi-factor authentication

Invalidate sessions

The following action can be used to invalidate all identity sessions using either its id:

juju run kratos/0 invalidate-identity-sessions identity-id={identity_id}

Or email:

juju run kratos/0 invalidate-identity-sessions email={email}

Delete users

You can delete existing users by their id:

juju run kratos/0 delete-identity identity-id={identity_id}

Or email:

juju run kratos/0 delete-identity email={email}

Self-service flows

The Identity Platform implements flows that users can perform on their own instead of waiting for an administrative intervention. See the self-service flows reference for more details.


Last updated 2 months ago.