Planning for identity schema migration

I’ve worked with custom built identity systems before, and one of the eventual pain points is always the migration of user accounts from one identity model to another. This happens, for example, when you support user accounts and later you add the support for business accounts (e.g. email-based vs role-based).

I know that Kratos supports different identity schemas, but I’m unable to figure out if it supports migrating a user from one identity schema to another, or whether I’ll have to plan a system that can manage the migration process (creating a duplicate identity under the new schema, and then re-mapping user data from one identity to the other).

Ideally, I’d be able to treat the Kratos Id as a unique account identifier, and then migrate just the identity schema, which would remove the entire state machine of account transitions. In that way, Kratos would be my ‘account’, whether it was user or some other role.

Failing that, I will want to create an account abstraction in my data model, and de-couple the Kratos identity from the account in question.

So… does Kratos support migrating the identity schema? I would make sure that the fields are compatible before migration (e.g. both schemas would have the email and username field, where users have the email as identifier and username as a field, and a ‘company account’ would have the username as identifier and email as a field.)

It doesn’t right now, but one of the ideas we had was to leverage JsonNet to make migrations possible. JsonNet can be linted, formatted, is typed, and can be tested. We could probably add something that would make translation from schemaA to schemaB possible when a JsonNet for that operation is found. What do you think?

That’s actually pretty ingenious. I’ll definitely try that out if you make it available.

You could write this on your own at the moment - just get the identity using the Kratos CLI as JSON. Then write the JsonNet transformer so that the output is written to another file, then update the identity using the Kratos CLI!

The automation we would build in would just make this a bit less manual.
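
The manual export, transform, update flow described in this thread, sketched as an added example (not code from the thread or from the Kratos project), with Python standing in for the JsonNet step. It keeps each identity id unchanged and refuses to migrate identities that lack a required trait or whose new login identifier would collide with another account. The schema ids, trait names, sample identities and case-insensitive comparison are assumptions.

```python
import json
from collections import Counter

# Constructed sample: identities exported as JSON, trimmed to the fields used here.
EXPORTED = json.loads("""[
 {"id": "id-0001", "schema_id": "user", "state": "active",
  "traits": {"email": "ann@example.com", "username": "ann"}},
 {"id": "id-0002", "schema_id": "user", "state": "active",
  "traits": {"email": "bob@example.com", "username": "Ann"}},
 {"id": "id-0003", "schema_id": "user", "state": "active",
  "traits": {"email": "cy@example.com"}},
 {"id": "id-0004", "schema_id": "user", "state": "active",
  "traits": {"email": "dee@example.com", "username": "dee"}}
]""")

# Assumptions: the target schema is called "company", requires both traits,
# and uses "username" as the login identifier instead of "email".
TARGET_SCHEMA_ID = "company"
REQUIRED_TRAITS = ("email", "username")
NEW_IDENTIFIER = "username"


def _login_key(ident):
    # Compare case-insensitively so two accounts cannot end up sharing a login name.
    return str(ident.get("traits", {}).get(NEW_IDENTIFIER, "")).strip().lower()


def plan_migration(identities):
    """Return (updates, rejected): id -> update body, and id -> reason."""
    counts = Counter(_login_key(i) for i in identities)
    updates, rejected = {}, {}
    for ident in identities:
        traits = ident.get("traits", {})
        missing = [t for t in REQUIRED_TRAITS if not traits.get(t)]
        if missing:
            rejected[ident["id"]] = "missing traits: " + ", ".join(missing)
        elif counts[_login_key(ident)] > 1:
            rejected[ident["id"]] = "new identifier is not unique"
        else:
            # Same id, same traits and state; only the schema changes.
            updates[ident["id"]] = {"schema_id": TARGET_SCHEMA_ID,
                                    "state": ident["state"],
                                    "traits": dict(traits)}
    return updates, rejected


if __name__ == "__main__":
    print(json.dumps(plan_migration(EXPORTED), indent=2))
```

Rejected identities need a manual decision before their schema is switched, since a duplicate or missing identifier would otherwise leave an account unable to log in or attached to the wrong login name.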