Add a way to merge identity credentials.

[David-Wobrock]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

Kratos does not allow automatic account linking when doing social sign-in. This is great for security reasons.
So, for instance, when an account for [email protected] exists in Kratos, and I connect through Google SSO, a new identity with [email protected] will be created if this Google account has never been used.

In our case, we want to allow our users to prove that they own the existing account by typing their password.
If they can prove this, we want to merge both identities together. More precisely, we want the Google SSO credentials to be linked to the existing identity - so that next time the user connects, they are connected with the existing identity.

Describe your ideal solution

One possible solution would be to provide an admin API endpoint in Kratos, that allows merging two identites.
We could identify the current identity through the Kratos cookie, and the target identity by passing their UUID in the URL.
The end result would be that the current identity has been deleted, and the credentials associated to it are now linked to the target identity.

This will allow having one transaction to encapsulate the logic.
The problem with the workaround is that it is subject to race conditions, if the target identity is updated at the same time by two or more requests I believe.

Workarounds or alternatives

The workaround we plan to use for now is:

1. Fetch the credentials from identity A => using https://www.ory.sh/docs/kratos/reference/api#operation/adminGetIdentity
2. Import the credentials from A into identity B => using https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections
3. Delete identity A => using https://www.ory.sh/docs/kratos/reference/api#operation/adminDeleteIdentity

Version

0.10.1

Additional Context

Discussed in the Ory Slack with Thomas => https://ory-community.slack.com/archives/C012RJ2MQ1H/p1662728891106129

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

[David-Wobrock]

Not cool GitHub actions 😛
There is an open PR: #3222 🚀