kratos
Add a way to merge identity credentials.
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
Kratos does not allow automatic account linking when doing social sign-in. This is great for security reasons. So, for instance, when an account for [email protected] exists in Kratos, and I connect through Google SSO, a new identity with [email protected] will be created if this Google account has never been used.
In our case, we want to allow our users to prove that they own the existing account by typing their password. If they can prove this, we want to merge both identities together. More precisely, we want the Google SSO credentials to be linked to the existing identity - so that next time the user connects, they are connected with the existing identity.
Describe your ideal solution
One possible solution would be to provide an admin API endpoint in Kratos that allows merging two identities. We could identify the current identity through the Kratos cookie, and the target identity by passing its UUID in the URL. The end result would be that the current identity has been deleted, and the credentials associated with it are now linked to the target identity.
This would allow one transaction to encapsulate the logic. The problem with the workaround is that it is subject to race conditions if the target identity is updated at the same time by two or more requests, I believe.
Workarounds or alternatives
The workaround we plan to use for now is:
- Fetch the credentials from identity A => using https://www.ory.sh/docs/kratos/reference/api#operation/adminGetIdentity
- Import the credentials from A into identity B => using https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections
- Delete identity A => using https://www.ory.sh/docs/kratos/reference/api#operation/adminDeleteIdentity
Version
0.10.1
Additional Context
Discussed in the Ory Slack with Thomas => https://ory-community.slack.com/archives/C012RJ2MQ1H/p1662728891106129