Performing an administrative login

[mfzl]

We are evaluating Kratos to migrate our existing user base and one of the things that we face for seamless integration with existing flows is that we don't see a way to administratively login a user.

Our use case is that over the years we have custom flows for different kind of applications that we want to migrate to a set of standard flows. But for a gradual and seamless migration to happen we need to support the legacy flows. One of the possible ways of doing this is through administratively login the user.

One possible option we imagine is through an admin API that issues a token to a subject without providing credentials. From then we could use that to identify the user or do any transformations / swapping for the legacy tokens externally.

Is this something that can be accepted or aligns with Kratos.

[Benehiko]

Hi @mfzl

I believe this has already been discussed here #201

The short answer: it is not supported.

[mfzl]

Thanks for that. Ultimately it might require to have same kind of API for the impersonation to happen but our use-case is a bit more different.

We already identify the user through other legacy mechanisms (a user that also exists in Kratos identities) and we need to issue a Kratos token to the user without requiring user to input password. For example mapping a legacy token to a Kratos token so that rest of the pipeline doesn't have to support the legacy token.

[Benehiko]

No this is not possible, the only way you can solve this is by asking the user to re-authenticate their acc. But since your users are in a legacy system I would think that you would need to re-create these users in Kratos. Basically the process would be:

1. Create User using Admin API (using their current emails)
2. Send out an email with a recovery flow
3. New user is created and session is now managed by Kratos.

Please see https://www.ory.sh/kratos/docs/admin/managing-users-identities#invite-a-user