Import identities
Ory allows you to import identities from any other system. To import identities, you use the same endpoint as for
creating identities. The main difference between creating and importing identities is that
when you import identities, you must provide the credentials
field.
Importing verified addresses
Use the verifiable_addresses
field to import a verified address like an email address.
You must ensure that address verification is enabled and that the verifiable_address
is present in the identity's traits. If the
identity traits do not have the address set as the "verified address" type, the imported values will be deleted on the next
identity update.
An exemplary payload for importing an identity with a verified address:
{
"schema_id": "preset://email",
"traits": {
"email": "docs-verify@example.org"
},
"verifiable_addresses": [
{
"value": "docs-verify@example.org",
"verified": true,
"via": "email",
"status": "completed"
}
]
}
Test the above example with a cURL command:
- The Ory Network
- Self-Hosted Ory Kratos
curl --request POST -sL \
--header "Authorization: Bearer ory_pat_xRKLsFEOUFQFVBjd6o3FQDifaLYhabGd" \
--header "Content-Type: application/json" \
--data '{
"schema_id": "preset://email",
"traits": {
"email": "docs-verify@example.org"
},
"verifiable_addresses": [
{
"value": "docs-verify@example.org",
"verified": true,
"via": "email",
"status": "completed"
}
]
}' https://playground.projects.oryapis.com/admin/identities
Run Ory Kratos easily on your local machine or server with the Ory Account Experience and default configuration in Docker:
git clone --depth 1 --branch master https://github.com/ory/kratos.git
cd kratos
git checkout master
git pull -ff
docker-compose -f quickstart.yml \
-f contrib/quickstart/kratos/cloud/quickstart.yml up
Ory Kratos will then be avaiable at 127.0.0.1:4433
(public port) and 127.0.0.1:4434
(admin port).
And use it to create an identity:
curl --request POST -sL \
--header "Content-Type: application/json" \
--data '{
"schema_id": "preset://email",
"traits": {
"email": "docs-verify@example.org"
},
"verifiable_addresses": [
{
"value": "docs-verify@example.org",
"verified": true,
"via": "email",
"status": "completed"
}
]
}' http://127.0.0.1:4434/identities
The API then responds with the created identity:
{
"id": "880052ae-d32c-4b56-b82d-0dc711080910",
"schema_id": "preset://email",
"schema_url": "http://localhost:4455/schemas/cHJlc2V0Oi8vZW1haWw",
"state": "active",
"state_changed_at": "2022-02-24T15:33:17.845589803Z",
"traits": {
"email": "docs-verify@example.org"
},
"verifiable_addresses": [
{
"id": "c3f67b59-ab58-410b-971a-06b80f38468a",
"value": "docs-verify@example.org",
"verified": true,
"via": "email",
"status": "completed",
"created_at": "2022-02-24T15:33:17.848941Z",
"updated_at": "2022-02-24T15:33:17.848941Z"
}
],
"recovery_addresses": [
{
"id": "819b53bf-79e3-452e-8a9b-0323ec9d193c",
"value": "docs-verify@example.org",
"via": "email",
"created_at": "2022-02-24T15:33:17.849758Z",
"updated_at": "2022-02-24T15:33:17.849758Z"
}
],
"created_at": "2022-02-24T15:33:17.848475Z",
"updated_at": "2022-02-24T15:33:17.848475Z"
}
Importing recovery addresses
It is possible to import a list of recovery_addresses
- similar to verifiable_addresses
. It is better to let the identity
schema handle setting the appropriate fields since there is no status to set for this address type.
We don't recommend setting these fields as they will be overwritten by other self-service flows. For more information on account recovery read the account recovery documentation.
Importing credentials
Ory supports importing credentials for identities including passwords and social sign-in connections.
Clear text password
To import a clear text password, provide the password in the JSON payload.
Password imports don't use any password validation. Users have to update their password according to the policy themselves using self-service flows.
{
"schema_id": "preset://email",
"traits": {
"email": "docs-cleartext@example.org"
},
"credentials": {
"password": {
"config": {
"password": "the-password"
}
}
}
}
The password the-password
will then be hashed according to the configured password hashing algorithm and stored in the database.
The identity will be able to sign in using docs-cleartext@example.org
and the-password
as credentials.
Hashed passwords
To import a hashed password, provide the hashed password in the JSON payload.
{
"schema_id": "preset://email",
"traits": {
"email": "docs-hash@example.org"
},
"credentials": {
"password": {
"config": {
"hashed_password": "$2a$10$ZsCsoVQ3xfBG/K2z2XpBf.tm90GZmtOqtqWcB5.pYd5Eq8y7RlDyq"
}
}
}
}
- BCrypt
- Argon2
- MD5
- SSHA, SSHA256, SSHA512
- PBKDF2
- SCrypt
- Firebase SCrypt
Ory Identities can hash passwords by BCrypt and can compare stored BCrypt hash and migrate if configured hasher
(hashers.algorithm
) isn't BCrypt.
BCrypt format is described here.
Ory Identities can hash passwords by Argon2 and can compare stored Argon2 hash and migrate if configured hasher
(hashers.algorithm
) isn't Argon2.
Format
$argon2id$v=<version>$m=<memory>,t=<iterations>,p=<parallelism>$<hash>
Parameters
version
(number
): The current version.memory
(number
): Amount of memory to use.iterations
(number
): Number of iterations to perform.parallelism
(number
): Degree of parallelism.hash
(string
): The computed derived key by the Argon2 algorithm encoded to Base64.
Example
$argon2id$v=19$m=32,t=2,p=4$cm94YnRVOW5jZzFzcVE4bQ$MNzk5BtR2vUhrp6qQEjRNw
Ory Identities doesn't hash passwords by MD5 but can compare stored MD5 hashes and migrate to configured hasher
(hashers.algorithm
). You can configure MD5 hashes to use a plain format (for hashes without salt) or a salted format (for hashes
with salt).
Plain format (hashes without salt)
$md5$<hash>
Parameters
hash
(string
): The computed hash by the MD5 algorithm encoded to Base64.
Example
$md5$CY9rzUYh03PK3k6DJie09g==
Salted format (hashes with salt)
This format allows administrators to import passwords that use salting to calculate the MD5 hash. Ory doesn't prepend or append
the salt to the user's password. To determine the way the system performs salting, use the salting-format
parameter.
$md5$pf=<salting-format>$<salt>$<hash>
Read this section to learn more about configuring the salting-format
parameter.
Parameters
salting-format
(string
): Format string specifies how salting should be done. Must be encoded to Base64.salt
(string
): A sequence of bits, known as a cryptographic salt encoded to Base64.hash
(string
): The computed hash by the MD5 algorithm encoded to Base64.
Example
$md5$pf=e1NBTFR9e1BBU1NXT1JEfQ==$MTIz$q+RdKCgc+ipCAcm5ChQwlQ==
Salting format parameter
Below are formatting specifiers that can be used in the salting-format
.
{SALT}
: Salt value from the previous section.{PASSWORD}
: User's password in clear text.
Example
Assuming that User's password is ory123
and salt is c2FsdDEyMw==
(in clear text: salt123) and the clear text form of
salting-format
parameter as follows:
{SALT}--{PASSWORD}
In that case result of the salting
process would be:
salt123--ory123
Ory Identities doesn't hash passwords by salted SHA but can compare stored salted SHA hashes and migrate to configured hasher
(hashers.algorithm
). SSHA does not take in any parameters for verification.
Examples
{SSHA}JFZFs0oHzxbMwkSJmYVeI8MnTDy/276a
{SSHA256}czO44OTV17PcF1cRxWrLZLy9xHd7CWyVYplr1rOhuMlx/7IK
{SSHA512}xPUl/px+1cG55rUH4rzcwxdOIPSB2TingLpiJJumN2xyDWN4Ix1WQG3ihnvHaWUE8MYNkvMi5rf0C9NYixHsE6Yh59M=
Ory Identities doesn't hash passwords by PBKDF2 but can compare stored PBKDF2 hash and migrate to configured hasher
(hashers.algorithm
).
Format
$pbkdf2-<algorithm>$i=<iteration>,l=<length>$<salt>$<hash>
Parameters
digest
(string
): The HMAC digest algorithm applied to derive a key of the input password.iterations
(number
): The number of iterations desired. The higher the number of iterations, the more secure the derived key will be, but will take a longer amount of time to complete.length
(number
): Length in octets of derived key.salt
(string
): A sequence of bits, known as a cryptographic salt encoded to Base64.hash
(string
): The computed derived key by the PBKDF2 algorithm encoded to Base64.
Example
$pbkdf2-sha256$i=100000,l=32$1jP+5Zxpxgtee/iPxGgOz0RfE9/KJuDElP1ley4VxXc$QJxzfvdbHYBpydCbHoFg3GJEqMFULwskiuqiJctoYpI
Ory Identities doesn't hash passwords by SCrypt but can compare stored SCrypt hashes and migrate to configured hasher
(hashers.algorithm
).
Format
$scrypt$ln=<cost>,r=<block>,p=<parrelization>$<salt>$<hash>
Parameters
cost
(number
): CPU/memory cost (has to be power of 2 and >1)block
(number
): block size parameter (must satisfy r * p < 2³⁰)parallelization
(number
): parallelization parameter (must satisfy r * p < 2³⁰)salt
(string
): A sequence of bits, known as a cryptographic salt encoded to Base64.hash
(string
): The computed derived key by the SCrypt algorithm encoded to Base64.
Example
$scrypt$ln=16384,r=8,p=1$ZtQva9xCHzlSELH/mA7Kj5KjH2tCrkbwYzdxknkL0QQ=$pnTcXKaWVT+FwFDdk3vO1K0J7ZgOxdSU1tCJNYmn8zI=
Ory Identities doesn't hash passwords by Firebase SCrypt but can compare stored Firebase SCrypt hashes and migrate to configured
hasher (hashers.algorithm
).
Format
$firescrypt$ln=<mem_cost>,r=<rounds>,p=<parallelization>$<salt>$<hash>$<salt_separator>$<signer_key>
Parameters
mem_cost
(number
): CPU/memory cost as given byrounds
(number
): rounds firebase hash config parameter (must satisfy r * p < 2³⁰)parallelization
(number
): parallelization parameter (must satisfy r * p < 2³⁰)salt
(string
): A sequence of bits, known as a cryptographic salt encoded to Base64.hash
(string
): The computed derived key by the SCrypt algorithm encoded to Base64.salt_separator
(string
): Firebase hash config parameter encoded to Base64.signer_key
(string
): Firebase hash config parameter encoded to Base64.
Example
$firescrypt$ln=14,r=8,p=1$sPtDhWcd1MfdAw==$xbSou7FOl6mChCyzpCPIQ7tku7nsQMTFtyOZSXXd7tjBa4NtimOx7v42Gv2SfzPQu1oxM2/k4SsbOu73wlKe1A==$Bw==$YE0dO4bwD4JnJafh6lZZfkp1MtKzuKAXQcDCJNJNyeCHairWHKENOkbh3dzwaCdizzOspwr/FITUVlnOAwPKyw==
Social sign-in connections
When importing social sign-in connections, the provider
field is the social sign-in provider ID you set in your social sign-in
configuration. The subject
ID must be the ID of the user on the given platform. Usually, this is the sub
claim of the OpenID
Connect ID Token provider such as Google.
{
"schema_id": "preset://email",
"traits": {
"email": "docs-oidc@example.org"
},
"credentials": {
"oidc": {
"config": {
"providers": [
{
"provider": "github",
"subject": "12345"
},
{
"provider": "google",
"subject": "12345"
}
]
}
}
}
}