Hi, I have planned to migrate from a self-developed Identity Provider (IdP) to Ory Kratos. In our legacy setup, we used logic to inject a dynamic sub ( Is there any solution to maintain this ability when using Kratos?
Hello @tongium

Ory Kratos is the identity/login server; Ory Hydra is still the OAuth2/OIDC provider. In that setup, nothing changes about how you control sub for OAuth2 clients.

Ory Hydra supports public and pairwise subject strategies, and you can override the obfuscated sub value per login by setting `force_subject_identifier` when you accept the login request in your login app. See: [Subject anonymization] [Hydra accept login]

The `acceptOAuth2LoginRequest` payload still has `force_subject_identifier` exactly for this use case; you can compute it dynamically based on the OAuth2 client and the authenticated Kratos identity. See: [Hydra accept login]

So if you migrate your IdP to Ory Kratos but keep Ory Hydra and your custom login app, you can continue injecting a per-client dynamic sub exactly as before. Let me know if that helps :)
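
One way a login app could compute the per-client sub described in the reply above and pass it as `force_subject_identifier`; this is an added example, not code from the thread or from Ory. The HMAC derivation, the function names, the sample values and the Hydra 2.x admin path are assumptions, and the legacy IdP's own derivation logic would take the place of `pairwise_sub`.

```python
import hashlib
import hmac
import json
import urllib.parse
import urllib.request


def pairwise_sub(secret: bytes, client_id: str, identity_id: str) -> str:
    """Derive a stable, per-client subject from the Kratos identity ID.

    Deterministic so the same (client, identity) pair always maps to the same
    sub; keyed so a client cannot recompute or correlate other clients' values.
    """
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(p).to_bytes(4, "big") + p
        for p in (client_id.encode(), identity_id.encode())
    )
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_accept_body(login_request: dict, identity_id: str, secret: bytes) -> dict:
    """Body for acceptOAuth2LoginRequest, given Hydra's login request JSON."""
    client_id = login_request["client"]["client_id"]
    return {
        "subject": identity_id,  # internal subject: the Kratos identity ID
        "force_subject_identifier": pairwise_sub(secret, client_id, identity_id),
    }


def accept_login(admin_url: str, challenge: str, body: dict) -> str:
    """PUT the body to Hydra's admin API (assumed 2.x path); returns redirect_to."""
    url = (f"{admin_url}/admin/oauth2/auth/requests/login/accept?"
           + urllib.parse.urlencode({"login_challenge": challenge}))
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["redirect_to"]


# Constructed sample: the subset of a login request the derivation needs.
SAMPLE_LOGIN_REQUEST = {"challenge": "example-challenge",
                        "client": {"client_id": "client-a"}}
SAMPLE_SECRET = b"constructed-demo-key-load-from-a-secret-store"
```

Hydra's API documentation states that `force_subject_identifier` has no effect unless the pairwise strategy is enabled and the client's `subject_type` is `pairwise`, so check both when the override appears to be ignored.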