How to handle 'guest' identities?

I’m trying to figure out how to handle guest identities using Kratos.

By ‘guest identity’, I mean a unique, unshared identity, to allow users to use a service before committing to creating an account.

There are two use cases for this kind of flow:

  1. frictionless trial with upgrade to account, keeping data
  2. Guest checkout with the option to create an account afterwards

The way I’m imagining handling this with Kratos is using a custom server registration API that returns/stores an autogenerated identifier/password in the session. At this point, only the session owner can choose to upgrade the account (or an admin, in the case of customer support).

Using a custom server-side registration API means having to handle CSRF manually. Is there a better way to handle this?

I guess you would create a temporary profile, for example in the user’s cookie, and when the user signs up pre-populate the registration fields with the fields you already have. ORY Kratos does not really have a concept of an anonymous user. You could also use the Admin API to create a profile without any credentials but there is currently not a way to append credentials to it.

I’ll definitely be storing something like that locally, though most likely with local storage, rather than a cookie.

I want to keep a central database of login identities, I don’t want to have an external guest identity store, because that will make it more difficult to cleanly handle authorization.

I’m going to create an API endpoint to perform the user registration for me, and guest identities will have three fields: ‘username’ (identifier, most likely a uuid), ‘password’ (large and autogenerated), and ‘lookup_key’ (a user readable phrase, inspired by https://xkcd.com/936/ ) that can be used by an admin to retrieve the account in a support request.
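As an added example (not code from this thread or from ORY Kratos), here is how the three-field guest identity described above could be generated on the server in Python, together with the body such a registration endpoint could hand to the identity admin API that the earlier reply mentions. The password never leaves the server; only the resulting session reaches the browser. The demo wordlist, the `schema_id`, and the shape of the admin payload are assumptions, not something this page documents.

```python
"""Guest-identity material for a custom server-side registration endpoint.

Added example, not code from the forum thread or from ORY Kratos. It
assumes three fields, as the post describes: a uuid 'username', a long
autogenerated 'password', and a human-readable 'lookup_key' passphrase
for support lookups. The admin payload shape is an assumption about the
identity admin endpoint, not a documented contract taken from this page.
"""
import math
import secrets
import uuid

# Constructed demo wordlist. A real deployment would use a large curated
# list (thousands of words) so a short phrase is still unguessable.
WORDLIST = (
    "correct", "horse", "battery", "staple", "river", "candle", "maple",
    "orbit", "pepper", "violet", "anchor", "falcon", "marble", "tunnel",
    "cactus", "lantern",
)

LOOKUP_KEY_WORDS = 4
PASSWORD_BYTES = 48  # token_urlsafe(48) -> 64 characters, 384 bits of entropy


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` independent uniform picks from the list (the xkcd 936 arithmetic)."""
    return words * math.log2(wordlist_size)


def new_lookup_key(wordlist=WORDLIST, words=LOOKUP_KEY_WORDS) -> str:
    """Phrase a support agent can read back to a customer; picked with the CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def new_guest_identity() -> dict:
    """Unique, unshared credential set. The password is server-side only."""
    return {
        "username": str(uuid.uuid4()),
        "password": secrets.token_urlsafe(PASSWORD_BYTES),
        "lookup_key": new_lookup_key(),
    }


def admin_create_identity_payload(identity: dict, schema_id: str = "guest") -> dict:
    """Body for an admin identity-creation call.

    Assumption: the endpoint takes traits plus a password credential config
    in this shape. The lookup_key is a trait so support can search on it;
    the password is a credential and is deliberately kept out of traits."""
    return {
        "schema_id": schema_id,
        "traits": {
            "username": identity["username"],
            "lookup_key": identity["lookup_key"],
        },
        "credentials": {
            "password": {"config": {"password": identity["password"]}}
        },
    }


def lookup_key_is_well_formed(key: str, wordlist=WORDLIST, words=LOOKUP_KEY_WORDS) -> bool:
    """Input check for the support endpoint before it queries the identity store."""
    parts = key.split(" ")
    return len(parts) == words and all(p in wordlist for p in parts)


def username_is_uuid(username: str) -> bool:
    """True when the identifier parses as a UUID, as guest usernames should."""
    try:
        uuid.UUID(username)
    except ValueError:
        return False
    return True
```

With a 16-word list four words give only 16 bits, which is why the real wordlist has to be large: 4 words from 2048 is the 44 bits the comic quotes. The check in `lookup_key_is_well_formed` keeps the support endpoint from passing arbitrary strings into the identity lookup.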
