feat: allow using external_id as the subject in OAuth2 login flows

### Preflight checklist

- [x] I could not find a solution in the existing issues, docs, nor discussions.
- [x] I agree to follow this project's [Code of Conduct](https://github.com/ory/kratos/blob/master/CODE_OF_CONDUCT.md).
- [x] I have read and am following this repository's [Contribution Guidelines](https://github.com/ory/kratos/blob/master/CONTRIBUTING.md).
- [ ] I have joined the [Ory Community Slack](https://slack.ory.sh).
- [ ] I am signed up to the [Ory Security Patch Newsletter](https://www.ory.sh/l/sign-up-newsletter).

### Ory Network Project

_No response_

### Describe your problem

With the recent introduction of the `external_id` field in Kratos identities, there is a strong use case for using this ID as the `sub` (subject) claim when Kratos acts as an identity provider for Ory Hydra.

Currently, Kratos always passes the internal UUID. For organizations migrating legacy systems or integrating with third-party services that rely on specific string-based identifiers, being able to map `external_id` to the OIDC `sub` claim is essential.

### Describe your ideal solution

### Proposed Changes
- **Configuration:** Added oauth2_provider.use_external_id (boolean, default: false).
- **Hydra Integration:** Updated the AcceptLoginRequest logic to check this configuration. If enabled and the identity has an external_id, it is used as the subject for Hydra.
- **Hooks:** Updated PostLoginHook to pass the ExternalID from the identity to the Hydra service wrapper.

### Technical Breakdown
- Modified `driver/config` to support the new toggle.
- Updated `embedx/config.schema.json` for validation.
- Updated `hydra/hydra.go` to handle the conditional subject logic.
- Updated `selfservice/flow/login/hook.go` to extract ExternalID from the identity during the login flow.

### Workarounds or alternatives

An alternative is to bypass the native Kratos-Hydra integration by not configuring `oauth2_provider.url` in Kratos. In this scenario, a custom middleware or backend would manage the login completion, fetch the Kratos Identity, and manually call Hydra's `acceptLoginRequest` with the `external_id` as the subject.

While the workaround works, it requires developers to write and maintain "glue code" for a common use case. Supporting this natively in Kratos simplifies the architecture for anyone using the `external_id` feature and ensures a more robust, standard-compliant integration.

### Version

v25.4.0

### Additional Context

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: allow using external_id as the subject in OAuth2 login flows #4528

Preflight checklist

Ory Network Project

Describe your problem

Describe your ideal solution

Proposed Changes

Technical Breakdown

Workarounds or alternatives

Version

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

feat: allow using external_id as the subject in OAuth2 login flows #4528

Description

Preflight checklist

Ory Network Project

Describe your problem

Describe your ideal solution

Proposed Changes

Technical Breakdown

Workarounds or alternatives

Version

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions