# ory-network
q
We want to migrate from our own Authorization Server (Cognito to be specific) to start using Ory Hydra in Ory Network. What are our options to do a seamless migration to Ory Network which does not require users to re-login? Are there any guides for such scenarios?
To give some idea of what we would like: it would be great if we figured out a way to let existing users exchange their Cognito tokens for Ory Hydra tokens (a one-time operation). We've looked into RFC 7523 for this, but it seems like RFC 7523 only returns an access token and not an ID token / refresh token.
f
Hey 👋 are you using Ory also for identities and their credentials, or only for OAuth? It sounds like you're doing an Auth Code Grant flow?
q
Hey @fast-lunch-54279 👋 We have a legacy authentication implemented with Cognito. It supports username + password, email / phone OTP, and does extra magic on user signup. We want to wrap this authentication (without touching it much) with managed Ory Hydra using custom OAuth pages. The aim is to have PKCE OAuth support.
We have a PoC running for this setup; however, there are some legal / security reviews we will need to do and some other preparations we would like to do before pushing to prod. We need users to start using the application with the custom Cognito implementation (Cognito access token, ID token, refresh token), and we would like to seamlessly migrate them to Ory when we push to prod.
f
I see. Ory OAuth2 / Hydra will need its own tokens and consent stored, and I don't see how it could validate or migrate Cognito tokens. So on the first request, it would attempt to re-login the user and ask for consent. Now, if the user is logged in via Cognito, it would assume the login part is skipped (and the user would see a couple of redirects), and the consent grant you could skip in terms of UI with a custom consent node.
I don’t know Cognito well enough though. Have you tried something along those lines yet?
q
Hmm. So the idea is to utilize already existing Cognito tokens on the custom OAuth login page and maybe even skip the consent page, so the users will get Ory Hydra tokens after some redirects? This could be a little bit tricky, since it will be a mobile application that stores the Cognito tokens, and we would need to transfer those tokens to the custom OAuth page somehow, but it seems doable and is an option I did not think about before...
f
Yeah, that's what I had in mind, but there may be more practical solutions out there. Maybe @high-optician-2097 can comment when back in action 🙂
q
Thank you for the answer and your opinion. It was something I did not think about. It would also be nice to have some alternatives 🙏 BTW, the Ory Network seems not very configurable regarding choosing what to use. E.g. we don't have the option to just use Ory Hydra and not Identities etc. The UI cannot be fully disabled either. It is not a critical issue for us; however, just to make sure: this does not mean our use case is very custom / we are misusing Ory Network, right? Does the use case I've talked about (just using Ory Hydra with a custom OAuth page to expose an already existing user pool, without Kratos / Identities, via OAuth) seem reasonable / generic enough?
@fast-lunch-54279 any comments on the last question^
h
One way would be to validate both token types in your middleware for the duration of the upgrade. Ory OAuth2 / Hydra itself cannot be tricked into accepting/using Cognito tokens, for security reasons.
Yes, you can only use Ory OAuth2 in the Ory Network; the UI currently cannot hide these individual sections, but it's an idea to support this. We're currently working with UX designers to make the UX of the console better 🙂