https://www.ory.sh/ logo
b

best-shampoo-20854

11/23/2021, 6:44 PM
is there any recommendations against manipulating the kratos database directly? i.e. setting a bunch of triggers to keep identities in sync with some legacy system while migration is undergoing
m

melodic-easter-54717

11/24/2021, 8:32 AM
You could probably utilize hooks in Kratos instead of database triggers and then deal with accessing database if need be in the hook itself
m

magnificent-energy-493

11/24/2021, 10:11 AM
It is possible to do this Yan, but you have to take extra caution ( messing with the database directly can be destructive). Fazals recommendation to use Hooks instead sounds a bit safer!
b

best-shampoo-20854

11/25/2021, 12:41 PM
but you can't sync credentials using hooks, right?
I am fortunate enough that my current system uses bcrypt in a way that seems to be compatible with kratos
m

melodic-easter-54717

11/25/2021, 1:28 PM
Yeah, there's no way to do a seamless migration without database access AFAIK. What I suggested is to use hooks instead of triggers and then access the database within the hook itself. That way you don't have to have triggers in database, minimizing modifications to database.
💡 1
There's this which would solve the issue with migrating credentials https://github.com/ory/kratos/issues/605
b

best-shampoo-20854

11/27/2021, 5:43 PM
minimizing modifications to database
I'm afraid that's exactly what I had in mind 😅 Lets say a user resets the password from the kratos self service. I would like to push the new hash back to the "legacy" table, so the "legacy" APIs would still be able to authenticate the way they're used to.
I could theoretically use the identity import API and write a SQL query to move the credentials in one go but then I would have to shut down the "legacy" system abruptly, or even worse, write code for it! (so it talks to kratos instead of hitting the db)
m

melodic-easter-54717

12/14/2021, 6:54 AM
There is an after recovery hook. You could probably use that. Again you would need to get the hash from the DB. As a general guideline I'd probably depend on one system for authentication so that migration is only needed one way. From legacy -> new. Unless you can't bring changes to legacy code base.
b

best-shampoo-20854

12/15/2021, 12:52 PM
tbh the legacy stack uses express with passport-local so it would not be terribly difficult to update that codebase
2 Views