
Retrieve subset of identities through admin API

Open Benehiko opened this issue 1 year ago • 5 comments

Preflight checklist

Describe your problem

Ory has a list identities API which retrieves a list of identities with the option of filtering by a credential type (username, email), but does not allow filtering by IDs in a batch. https://www.ory.sh/docs/kratos/reference/api#tag/identity/operation/listIdentities

For example, the IDs of the identities are already known, but their traits aren't.

/admin/identities?id=0bf938ff-a742-4db0-92ed-53bcb9efdd1,0bf938ff-a742-4db0-92ed-53bcb9efdd2,0bf938ff-a742-4db0-92ed-53bcb9efdd3,0bf938ff-a742-4db0-92ed-53bcb9efdd4

Describe your ideal solution

Have a way to specify IDs in the API to retrieve a subset of identities.

Workarounds or alternatives

As a workaround, maybe you could poll Ory every couple of hours for the list of identities and store them in-memory for the application to consume.

Another option is to have a webhook call my backend with the created identity on registration and then on settings update again with the updated info. In this case I duplicate the data and keep it in-sync using webhooks.

Version

latest

Additional Context

Asked in Slack https://ory-community.slack.com/archives/C02MR4DEEGH/p1687335681747989

Benehiko avatar Jun 21 '23 14:06 Benehiko

Feel free to contact me if something is unclear.

Oscmage avatar Jun 21 '23 14:06 Oscmage

The easiest workaround for now is to probably execute the API requests of the IDs you want in parallel against Ory's APIs. There's a limit on how many requests you can do, but it's a possibility if you're looking to fetch 10-100 identities (but not 1000s). Generally, it's not advisable to add layers of caching to your auth* infrastructure, as that can be the cause of serious security implications!

aeneasr avatar Jun 21 '23 14:06 aeneasr

Agreed. In this scenario it is just about listing information such as displayname and email and not really doing anything with it though.

Calling Ory for 50 users or whatever individually is not great for the stability/reliability of our backend services. We don't need all of the data either. Neither does it seem like a good thing for Ory services to be hammered (which I am sure Ory can handle) but anyway. The optimal approach here as I see it is to have the possibility to filter in the list identity endpoint.

Oscmage avatar Jun 21 '23 15:06 Oscmage

Having the same problem. Right now we use the suggested answer from @aeneasr and make parallel requests with the eventual consistency parameter, but it feels a little bit dirty 😄

PhilippSchoenauer avatar Oct 19 '23 14:10 PhilippSchoenauer
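The parallel-request workaround that aeneasr suggests and PhilippSchoenauer reports using, as an added example that is not code from this thread or from Ory: it calls the per-identity endpoint `GET /admin/identities/{id}` with a bounded number of requests in flight, keeps only the traits, and retries when a request is throttled. The local stub server, the sample IDs, the function names, the backoff values and the assumption that the request limit surfaces as HTTP 429 are all constructed for illustration.

```python
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data; the stub answers "id-2" with HTTP 429 once to mimic a rate limit.
SAMPLE = {i: {"id": i, "traits": {"email": i + "@example.org"}} for i in ("id-1", "id-2")}
throttle_once = {"id-2"}

class StubAdmin(BaseHTTPRequestHandler):  # stand-in for GET /admin/identities/{id}
    def do_GET(self):
        ident_id = self.path.rsplit("/", 1)[-1]
        if ident_id in throttle_once:
            throttle_once.discard(ident_id)
            return self.send_error(429)
        if ident_id not in SAMPLE:
            return self.send_error(404)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(json.dumps(SAMPLE[ident_id]).encode())

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def fetch_one(base, ident_id, retries=3, backoff=0.05):
    """Return (id, traits, status); a 429 is retried with exponential backoff."""
    url = f"{base}/admin/identities/{urllib.parse.quote(ident_id, safe='')}"
    for attempt in range(retries + 1):
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                return ident_id, json.load(resp).get("traits"), resp.status
        except urllib.error.HTTPError as err:
            if err.code != 429 or attempt == retries:
                return ident_id, None, err.code
            time.sleep(backoff * 2 ** attempt)

def fetch_all(base, ids, max_parallel=4):
    """Fetch every ID with at most max_parallel requests in flight, in input order."""
    with ThreadPoolExecutor(max_workers=max_parallel) as pool:
        return list(pool.map(lambda i: fetch_one(base, i), ids))

if __name__ == "__main__":
    server, base = start_stub()
    print(fetch_all(base, ["id-1", "id-2", "id-3"], max_parallel=2))
```

Against a real deployment, `base` would be the admin API URL and the request would also carry whatever credentials that API requires; the results are fetched fresh on each call rather than cached.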