Phone verification not working

[blackshady]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

When attempting to create a verification flow for phone numbers using the self-service API, despite configuring the kratos.yml file to utilize an SMS gateway for verification, the API still returns email attributes in the UI node instead of phone number attributes. This occurs even after following the documentation and configuring the system to use SMS verification. As a result, the intended functionality of phone number verification is not achieved.

Reproducing the bug

1. Configure the kratos.yml file to use an SMS gateway for phone number verification.
2. Attempt to create a verification flow for phone numbers using the API endpoint {{kratos_URL}}/self-service/verification/api.
3. Observe that the UI node returns email attributes instead of phone number attributes.

Relevant log output

No response

Relevant configuration

Here is my `identity.schema.json` file
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/phone-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "name": {
          "type": "object",
          "required": [
            "last",
            "first"
          ],
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string"
            },
            "last": {
              "title": "Last Name",
              "type": "string"
            }
          }
        },
        "phone": {
          "type": "string",
          "format": "tel",
          "title": "Phone number",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "sms"
            }
          }
        }
      },
      "required": ["phone"],
      "additionalProperties": false
    }
  }
}

Version

v1.1.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker

Additional Context

No response

[MichaelMarner]

We have also run into this issue - it does not seem possible to create a verification flow for a phone number (our identity schema has both email and phone number traits).

Perhaps it's necessary to add a via=phone_number parameter or similar to the create verification flow API endpoint, which would allow apps to specify which trait to verify?

This is especially an issue because it is not possible to redirect to a verification flow from settings after setting the user's phone number for server-side rendered apps. From the docs:

Showing the verification form after a settings update is currently only supported on native or SPA clients.

https://www.ory.sh/docs/kratos/self-service/flows/user-settings#show-verification-form-after-updating-a-verifiable-address

[aeneasr]

Can you share what response you get and what response you would expect? Please base your work off of Ory Network, which is running the latest variant of Ory Kratos. We have recently made some improvements

[sayoun]

We had some difficulty to make the phone verification working for API flows, but it worked well in the end, even if the messages talks about "emails" and not "phone" it's still gets flagged as verified.

The main issue we had was this:

The setup is that we add a phone number trait to our identity through a settings flow, it will automatically trigger a verification flow, and the API response of the POST settings flow, contains this:

  "continue_with": [
    {
      "action": "show_verification_ui",
      "flow": {
        "id": "a59bf0f7-2825-4eba-ab2c-2d15fdec13b9",
        "verifiable_address": "<redacted>"
      }
    }
  ]

Now the fun part, if we submit the verification flow with the expected code using a POST on /self-service/verification it works fine 👍

But if we make a GET request on the same route /self-service/verification, for example to retrieve nodes information to display on the UI, then it will update the verification flow in the database and reset the active_method field from code to default and then raise an error if we try to submit the verification flow with this message Could not find a strategy to verify your account with. Did you fill out the form correctly?, and this is because of this line

	public.POST(RouteSubmitFlow, h.updateVerificationFlow)
	public.GET(RouteSubmitFlow, h.updateVerificationFlow)

the GET route calls the same handler as the POST route, so when you call it without any parameter the active_method is reset.

Maybe you dont have the same issue but hope this will help someone.

PS: I'm not sure about the purpose of this second GET route handler that uses the same handler as the POST route @aeneasr ?

[aeneasr]

I believe we have resolved issues around SMS verification, and your issue sounds like it‘s missing the method field in the request payload of the POST request. Please try this with the current master branch and if it turns out to still not work, comment here so we can reopen this issue