Is credentials patching supported?

[icamys]

Hi Ory team! Thank you for this fantastic product.

I was looking for a way to reset the identity passwords via the admin endpoints. The documentation says that it is not possible to change the credentials using a PATCH operation.

However, I was able to reset the password in a local deployment using the following call:

curl --location --request PATCH 'http://127.0.0.1:4434/admin/identities/566668ef-b52d-47d4-9ef8-efa0508538dd' \
	--header 'Content-Type: application/json' \
	-d '[ {  "op": "replace", "path": "/credentials/password/config/hashed_password", "value": "random-value" } ]'

The result was setting random-value to the hashed password field, which technically resets the password and helps me to achieve the goal.

I'm wondering whether this is intended behavior or not, because if not, relying on it could cause trouble in the future.

Thank you!

[MarkusThielker]

Hey, if this API call should be able to edit the user credential is something the Ory team has to answer.
However, what exactly are you trying to achive with this?

[icamys]

Hi Markus!

what exactly are you trying to achive with this?

Consider a case when I, as the IDP admin, discovered that a specific user's credentials had been compromised. In this case, I would like to reset the password immediately, notify the user, and initiate the password recovery flow.

Currently, the password reset can be initiated only by the identity owner, but I was checking if it is possible to initiate it on the admin side.

Does it make sense?

[MarkusThielker]

That definitely makes sense, I hadn't thought of this situation before :)

[vinckr]

Hello,
@icamys you can technically use it to update credentials as well at the moment, if you know them. But this will most likely be fixed at some point, so you should not rely on it.

I think the more solid way to do it is to do getIdentity, make the change on the full identity, and then use the intended endpoint for credentials change updateIdentity to delete/scramble the password. Im sure you considered it but don't use random-value in production but an actual random value.

In this case, I would like to reset the password immediately, notify the user, and initiate the password recovery flow.

It sounds to me like a valid use case - Is this something you currently do a lot in your system or just planning for the future?

[icamys]

Thank you for the answer.

Is this something you currently do a lot in your system or just planning for the future?

Just planning for the future.

I think the more solid way to do it is to do getIdentity, make the change on the full identity, and then use the intended endpoint for credentials change updateIdentity to delete/scramble the password.

I checked the documentation for the updateIdentity method, and it looks a bit confusing to me, as the second part contradicts the first part:

The full identity payload (except credentials) is expected. 
It is possible to update the identity's credentials as well.

Are there any documented examples of how to do the credentials update? Are all credentials updated, supported, or just the password?

[vinckr]

I checked the documentation for the updateIdentity method, and it looks a bit confusing to me, as the second part contradicts the first part

Where do you see the contradiction?

1. You need the full identity payload to use this endpoint (credentials are optional)
2. Credentials are optional

Maybe it can be reworded to be more clear/less confusing.
As far as I can tell password, oidc, and saml are supported for updating.

To update a password, include the credentials.password.config.password field in your request body. For example:

{
  "schema_id": "preset://email",
  "traits": {
    "email": "user@example.com"
  },
  "state": "active",
  "credentials": {
    "password": {
      "config": {
        "password": "new-password"
      }
    }
  }
}

[icamys]

Thank you for the explanation and example, @vinckr. This answers my question.