Clients generated from OpenAPI specification cannot handle Passkey authentication method #4063

Open
Saancreed opened this issue Aug 28, 2024 · 0 comments
Labels: bug Something is not working.

@Saancreed (Contributor)

Preflight checklist

Ory Network Project

No response

Describe the bug

The OpenAPI spec for Kratos does not include passkey as a valid option for the authentication method enum, here:

kratos/spec/api.json, lines 1960 to 1974 in b0111d4:

    "method": {
      "enum": [
        "link_recovery",
        "code_recovery",
        "password",
        "code",
        "totp",
        "oidc",
        "webauthn",
        "lookup_secret",
        "v0.6_legacy_session"
      ],
      "title": "The method used",
      "type": "string"
    },

This causes some clients generated with openapi-generator that explicitly try to match enum values against all known valid values (e.g. the csharp generator with the generichost library option, as seen here: https://github.com/leancodepl/dotnet-kratos-client/blob/bbaa34a1e7cd355b0c0c34eaa875096dbd529df2/src/LeanCode.Kratos.Client/Model/KratosSessionAuthenticationMethod.cs#L123-L153) to fail at deserializing sessions which were authenticated using passkeys, and therefore to fail to authenticate users using this method.

Reproducing the bug

  1. Generate a client from the OpenAPI specification that handles enums by matching them against all known valid values.
  2. Obtain a session that includes:

         "authentication_methods": [
           {
             "method": "passkey",
             "aal": "aal1",
             "completed_at": ""
           }
         ],

  3. Try to call the /sessions/whoami endpoint using that session's token/cookie with the generated client and have it deserialize the response.

Relevant log output

No response

Relevant configuration

selfservice:
  methods:
    passkey:
      enabled: true
      config:
        rp:
          display_name: "${authority_name}"
          id: "${domain}"
          origins:
            - "https://${domain}"
%{ for origin in passkey_origins ~}
            - "${origin}"
%{ endfor ~}

Version

1.2.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

Technically the Kratos version I'm running is v1.2.0 with a custom patch on top of it that enables passkeys for API clients/flows as well. However, it shouldn't matter because the problem was found with a browser client anyway.

The client was actually generated from https://github.com/ory/sdk/blob/master/spec/kratos/v1.2.0.json, although it seems like the files in both repos have this issue. But I imagine the fix needs to happen here before being propagated to the sdk repo, so this is where I chose to report this.
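To make the failure mode in this report concrete, here is an added Python sketch (not code from Kratos, the ory/sdk repo or the generated C# client): a strict parser that matches `method` against the enum quoted above, and so rejects a passkey session exactly as the generated client does, beside a tolerant variant that keeps the session and the raw value so a caller can still fail closed on the one decision that depends on the method. The function names and the sample session are my own constructions.

```python
import json
from dataclasses import dataclass
from typing import List

# Enum values as listed in kratos/spec/api.json at b0111d4 (quoted above); "passkey" is absent.
SPEC_METHODS = frozenset({
    "link_recovery", "code_recovery", "password", "code", "totp",
    "oidc", "webauthn", "lookup_secret", "v0.6_legacy_session",
})

class UnknownEnumValue(ValueError):
    """Raised in strict mode when a method is outside the spec enum."""

@dataclass(frozen=True)
class AuthenticationMethod:
    method: str       # spec value, or "unknown" in tolerant mode
    raw_method: str   # value exactly as the server sent it
    aal: str

def parse_authentication_methods(session_json: str, strict: bool = True) -> List[AuthenticationMethod]:
    """Parse the authentication_methods array of a /sessions/whoami response.
    strict=True behaves like the generated client in the report: one method
    outside the enum makes the whole session fail to deserialize.
    strict=False keeps the session usable, preserves the raw value and maps it
    to "unknown", so callers can fail closed on that one decision instead.
    """
    parsed = []
    for entry in json.loads(session_json).get("authentication_methods", []):
        raw = entry["method"]
        if raw in SPEC_METHODS:
            method = raw
        elif strict:
            raise UnknownEnumValue(f"method {raw!r} is not in the OpenAPI enum")
        else:
            method = "unknown"
        parsed.append(AuthenticationMethod(method, raw, entry["aal"]))
    return parsed

def deserializes_strictly(session_json: str) -> bool:
    """True if a strict (generated-client style) parse of the session succeeds."""
    try:
        parse_authentication_methods(session_json, strict=True)
        return True
    except UnknownEnumValue:
        return False

def make_session(method: str) -> str:
    """Constructed sample shaped like the session in the report above."""
    return json.dumps({"authentication_methods": [
        {"method": method, "aal": "aal1", "completed_at": ""}]})
```

With the constructed passkey session, `deserializes_strictly` returns False (the report's symptom) while the tolerant parse still yields the `aal` field and records the raw `"passkey"` value.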

@Saancreed Saancreed added the bug Something is not working. label Aug 28, 2024