Why can unsecured API calls be made?

[focus38]

Hi!
I'm studying the possibilities of the system.
Kratos launched using docker with postgresql.
With this command:
docker-compose -f quickstart.yml -f quickstart-standalone.yml -f quickstart-postgres.yml up --build --force-recreate

Ory Kratos service_version=v0.7.3-alpha.1

For test, I registered one user with email [email protected].

I can make the following API calls without any tokens. Why?

Request:
curl -X GET -H "Accept: application/json" "http://localhost:4434/identities"

Response

[
  {
    "id": "1d2f16c1-c152-4822-b4ae-018431c32b4d",
    "schema_id": "default",
    "schema_url": "http://127.0.0.1:4433/schemas/default",
    "state": "active",
    "state_changed_at": "2021-10-25T07:49:07.123936Z",
    "traits": {
      "name": {
        "last": "Mail",
        "first": "Admin"
      },
      "email": "[email protected]"
    },
    "verifiable_addresses": [
      {
        "id": "b03ed370-e541-4751-8d9c-4f7ba8e0fcda",
        "value": "[email protected]",
        "verified": true,
        "via": "email",
        "status": "completed",
        "verified_at": "2021-10-25T07:49:19.554157Z",
        "created_at": "2021-10-25T07:49:07.127426Z",
        "updated_at": "2021-10-25T07:49:07.127426Z"
      }
    ],
    "recovery_addresses": [
      {
        "id": "37acf221-0baa-4bf4-b415-e56744aa3bcc",
        "value": "[email protected]",
        "via": "email",
        "created_at": "2021-10-25T07:49:07.130598Z",
        "updated_at": "2021-10-25T07:49:07.130598Z"
      }
    ],
    "created_at": "2021-10-25T07:49:07.125169Z",
    "updated_at": "2021-10-25T07:49:07.125169Z"
  }
]

Request
curl -X GET -H "Accept: application/json" "http://localhost:4434/identities/1d2f16c1-c152-4822-b4ae-018431c32b4d"

Response

{
  "id": "1d2f16c1-c152-4822-b4ae-018431c32b4d",
  "credentials": {
    "password": {
      "type": "password",
      "identifiers": [
        "[email protected]"
      ],
      "created_at": "2021-10-25T07:49:07.13487Z",
      "updated_at": "2021-10-25T07:49:07.13487Z"
    }
  },
  "schema_id": "default",
  "schema_url": "http://127.0.0.1:4433/schemas/default",
  "state": "active",
  "state_changed_at": "2021-10-25T07:49:07.123936Z",
  "traits": {
    "name": {
      "last": "Mail",
      "first": "Admin"
    },
    "email": "[email protected]"
  },
  "verifiable_addresses": [
    {
      "id": "b03ed370-e541-4751-8d9c-4f7ba8e0fcda",
      "value": "[email protected]",
      "verified": true,
      "via": "email",
      "status": "completed",
      "verified_at": "2021-10-25T07:49:19.554157Z",
      "created_at": "2021-10-25T07:49:07.127426Z",
      "updated_at": "2021-10-25T07:49:07.127426Z"
    }
  ],
  "recovery_addresses": [
    {
      "id": "37acf221-0baa-4bf4-b415-e56744aa3bcc",
      "value": "[email protected]",
      "via": "email",
      "created_at": "2021-10-25T07:49:07.130598Z",
      "updated_at": "2021-10-25T07:49:07.130598Z"
    }
  ],
  "created_at": "2021-10-25T07:49:07.125169Z",
  "updated_at": "2021-10-25T07:49:07.125169Z"
}

[aeneasr]

Ory Kratos does not tell you how to protect the Admin API endpoint. You can do that any way you like - using proxies such as Ory Oathkeeper, Nginx, Kong, ...

It's up to you how you want to secure the Admin API. You can of course also chose not to expose the Admin API to the public internet, in which case, it might be easier to secure depending on your security context.