Email verification before registration is finalized?

[usatony]

Is it possible to make an identity registration flow do an email address verification before the registration completes (like by suspending creation of the identity or creation of the session until after the email address is verified)?

I'm brand new to Kratos, and maybe I'm missing something, but I am having trouble believing that natively doing verification before registration is finalized is impossible. Most other identity management systems have this option.

So much can go wrong by creating the identity and issuing the session before the email address is verified (for example, what if the user has to recover access to their identity but they mistyped their email address at the time of registration). And I really don't want to force the user to have to log in after registration in order to guarantee the verification before they are issued a session.

Thanks!

[kian99]

I was also looking into this recently. There are instructions for this at https://www.ory.com/docs/kratos/hooks/configure-hooks#available-actions, see the require_verified_address action.

#3320 has an example config and highlights an issue I'm facing where upon registration with a password, the user is logged without being prompted for a verification code but subsequent login attempts require the code. I haven't found a workaround except to remove hook: session from the registration flow, but that forces the user to login again immediately after registration.

[usatony]

I'm in the same position, and forcing a new login is unacceptable to me because of the harm it does to the user experience (most people will find it annoying, wondering why they have to enter information again that they literally entered seconds ago).

My solution has been just like yours: to just set the registration flow to just issue the session and then run a verification flow. If that verification flow is interrupted, they'll have to verify their email address upon their next login to start a session. And if they only set an email address and password, and their email address is wrong, I guess they lose and their account is locked out forever.

This is not a perfect solution, but I think it's the best we can do with Kratos without deviating far from Kratos's native functioning or forking Kratos, neither of which I am interested in doing as to avoid breaking my already fragile UI when Kratos updates in the future.

I just hope the devs add support for the same "require verification" hook as is supported for login flows.