Is there a way to not call every single time the /whoami Kratos API? Is there a way to use the cookie session only?

[frederikhors]

I'm curious if there is a way to avoid calling the /whoami API for every single request every time.

Let's say that I am authenticated (I have the cookie, secure, strict, HTTP only etc) and that I am doing routine operations, NOT SERIOUS and NON IRREVOCABLE operations.

There is a way to have the session in the cookie itself: userID, any tenantID and any scopes; without asking this to Kratos every time?

If the cookie is encrypted I can use a method when starting the app to get the key from Kratos to decrypt the cookie (getKratosCookiePublicKey()).

And if I have to do IRREVERSIBLE operations then I can only contact Kratos in that case before proceeding.

Alternatively, I could timeout the calls to Kratos, like every 10, 30, 60 minutes.

What do you think?

Am I exaggerating in evaluating Kratos' /whoami API calls for EVERY SINGLE CALL to my private API as the devil??

[vinckr]

You can probably solve this in your application logic, check for sessions with /whoami when you see fit, and omit the check otherwise.

But usually calling /sessions/whoami will be the straightforward way.

What was the original motivation to have less calls to /whoami?

[frederikhors]

Slowness...

Can I read the session content without calling whoami? Is there any way to save data in the session cookie?

[thomasboni]

I don't think so. In my understanding of Kratos behavior (I'm pretty new using it), the session token is not only signed but also encrypted, so you can't directly read content from your services. Excepted if you store the secret encryption key of Kratos in each of your service, but it seems to be an awful practice.

Regarding your use case, I think you need a behavior similar to a JWT token. It's not encrypted, but signed by the identity server. Thanks to this, all your services (and basically everyone) is able to read data inside authentication token of your user without reaching any API. The authenticity of data can be verified using the public key of identity server to check signature.

As far as I know, Kratos doesn't provide this kind of token. I think you must call /whoami each time you need to verify and get data of authenticated user.

[Benehiko]

Hi @frederikhors

@thomasboni is correct, you can also check out this related discussion here #1479