Question about login webhook behavior and identity...
# ory-selfhosting
m
Question about login webhook behavior and identity metadata persistence when using Kratos self host (1.3.10).

I'm using a login post-hook webhook that responds with identity.metadata_public changes, but I'm seeing what may be an inconsistent behavior (or is this expected behaviour?).

During login flow: the webhook response shows the metadata is applied (visible in login response), i.e. after posting to self-service/login?flow=XXX
```json
{
    "id": "1e4ec88b-0ec5-4e15-a9dd-348b8a638866",
// Snip for brevity
    "identity": {
        "id": "bf29640c-7a44-4421-940c-e10f041e05bd",
        "schema_id": "default",
        "schema_url": "https://accounts.testing.local/auth-local/schemas/ZGVmYXVsdA",
        "state": "active",
        "state_changed_at": "2025-05-23T06:46:43.07378Z",
        "traits": {
            "name": {
                "last": "McKee",
                "first": "AJ"
            },
            "email": "aj.mckee@testing.local"
        },
        "metadata_public": {
            "foo": "bar" // This is in the login response
        }
    },
// Snip for brevity
}
```
After login: sessions/whoami, the response doesn't include the metadata changes that are applied during the login.

My webhook config:

```yaml
after:
    password:
      hooks:
        - hook: web_hook
          config:
            url: http://host.docker.internal:8080/api/v1/webhook
            method: POST
            can_interrupt: true
            response:
              parse: true
              ignore: false
```
Webhook response:

```json
{
  "identity": {
    "metadata_public": {
      "foo": "bar"
    }
  }
}
```
Questions:

1. Is this the expected behavior for login post-hooks?
2. Should login webhooks be able to persist metadata_public changes to the database?
3. If not, what's the recommended approach for dynamic metadata that needs to be available in sessions/whoami?

Currently, it seems like the webhook only modifies the session identity in-memory during the login flow, but sessions/whoami fetches fresh identity data from the database.
b
Login webhooks are not able to modify the identity's data, as the updated identity is not persisted into the database. The fact that it's available in the response is actually a bug. Dynamic data related to the identity should rather be stored in your own backend, tied to the identity ID.
m
@bland-eye-99092 Thanks. It is a little confusing as the notion of web hook post login is quite a good use case for the dynamic population of metadata_public based on some ad-hoc condition/situation that may exist in an organisation. While I agree the data should be tied to the identity via your own service, I can see situations especially during transition to kratos where this is a useful feature to have. The documentation is really not clear on this at all and is explicit in saying you can supplement identity.metadata. (ref: https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#update-identity-metadata) But thanks for looking into this and clarifying it.
b
Agreed, feel free to open an issue in ory/kratos on GitHub. And contributions here are welcome (after some discussions on implementation). I believe the reason this is not yet there is that logins should be fast, and writes to the database can be slow (depending on the system). And more conceptually, "login" should be a read-only operation. But overall this is not a hard limitation, AFAIK.