|
| 1 | +--- |
| 2 | +id: identity-schema-selection |
| 3 | +title: Identity schema selection |
| 4 | +--- |
| 5 | + |
| 6 | +```mdx-code-block |
| 7 | +import Tabs from "@theme/Tabs" |
| 8 | +import TabItem from "@theme/TabItem" |
| 9 | +``` |
| 10 | + |
| 11 | +# Identity schema selection for self-service registration and login flows |
| 12 | + |
| 13 | +Ory Kratos now supports selecting an identity schema during registration and login self-service flows by specifying a query |
| 14 | +parameter. This gives administrators more control over which schemas are used and allows multi-tenant or multi-profile setups with |
| 15 | +distinct identity models. |
| 16 | + |
| 17 | +## Overview |
| 18 | + |
| 19 | +- Users or integrators can choose which schema to use by appending the `identity_schema` query parameter when initiating |
| 20 | + registration or login flows. |
| 21 | +- Only schemas explicitly marked as selectable via `selfservice_selectable: true` in the configuration will be accepted. |
| 22 | +- If no schema is selected, the default schema is used (this is the existing behavior). |
| 23 | + |
| 24 | +## How to use |
| 25 | + |
| 26 | +### Registration example |
| 27 | + |
| 28 | +Browser flow: |
| 29 | + |
| 30 | +``` |
| 31 | +GET /self-service/registration/browser?identity_schema=schema-a |
| 32 | +``` |
| 33 | + |
| 34 | +API flow: |
| 35 | + |
| 36 | +``` |
| 37 | +GET /self-service/registration/api?identity_schema=schema-a |
| 38 | +``` |
| 39 | + |
| 40 | +### Login Example |
| 41 | + |
| 42 | +Browser flow: |
| 43 | + |
| 44 | +``` |
| 45 | +GET /self-service/login/browser?identity_schema=schema-a |
| 46 | +``` |
| 47 | + |
| 48 | +API flow: |
| 49 | + |
| 50 | +``` |
| 51 | +GET /self-service/login/api?identity_schema=schema-a |
| 52 | +``` |
| 53 | + |
| 54 | +## Configuration |
| 55 | + |
| 56 | +You must define which schemas are available for self-service selection by using the `selfservice_selectable` flag in your identity |
| 57 | +schema configuration. |
| 58 | + |
| 59 | +### Example configuration |
| 60 | + |
| 61 | +```yaml |
| 62 | +identity: |
| 63 | + default_schema_id: default |
| 64 | + schemas: |
| 65 | + - id: default |
| 66 | + url: file://./schemas/default.schema.json |
| 67 | + selfservice_selectable: true |
| 68 | + |
| 69 | + - id: schema-a |
| 70 | + url: file://./schemas/schema-a.schema.json |
| 71 | + selfservice_selectable: true |
| 72 | + |
| 73 | + - id: schema-internal |
| 74 | + url: file://./schemas/internal.schema.json |
| 75 | + selfservice_selectable: false # This one cannot be selected by end users |
| 76 | +``` |
| 77 | +
|
| 78 | +Only schemas where `selfservice_selectable: true` will be selectable via the `identity_schema` parameter. |
| 79 | + |
| 80 | +## Behavior Summary |
| 81 | + |
| 82 | +- If a schema is listed and marked as selectable, it can be used in registration/login. |
| 83 | +- If a schema is not listed or not marked as selectable, it cannot be used via query param. |
| 84 | +- If no `identity_schema` is passed, the default schema (`default_schema_id`) is used. |
| 85 | + |
| 86 | +## Migration notes |
| 87 | + |
| 88 | +- This feature is non-breaking. Existing flows using the default schema are unaffected. |
| 89 | +- You only need to update configuration if you want to expose multiple schemas for selection. |
| 90 | +- Schemas used internally can remain non-selectable, for example for admin or machine users. |
0 commit comments