Support Custom Subject Mapping via Webhook for OAuth2 Flows

### Preflight checklist

- [x] I could not find a solution in the existing issues, docs, nor discussions.
- [x] I agree to follow this project's [Code of Conduct](https://github.com/ory/kratos/blob/master/CODE_OF_CONDUCT.md).
- [x] I have read and am following this repository's [Contribution Guidelines](https://github.com/ory/kratos/blob/master/CONTRIBUTING.md).
- [ ] I have joined the [Ory Community Slack](https://slack.ory.com).
- [x] I am signed up to the [Ory Security Patch Newsletter](https://www.ory.com/l/sign-up-newsletter).

### Ory Network Project

_No response_

### Describe your problem

While Ory Kratos provides excellent support for identity migration via external_id and standard pairwise subject identifiers, some complex migration scenarios require dynamic logic.

Specifically, when a legacy system uses a custom pairwise algorithm that varies per OAuth2 client, a static mapping is insufficient. Currently, Kratos is limited to using the Internal Identity ID or a pre-defined External ID, which makes it difficult to maintain backward compatibility for specialized subject (sub) requirements.

### Describe your ideal solution

Add a subject_hook to the oauth2_provider configuration. This hook would trigger during the login acceptance flow, sending the identity context and the login challenge to an external service. The external service would then return the desired subject identifier.

## Example Configuration:

```yaml
oauth2_provider:
  url: http://hydra-admin.internal
  subject_hook:
    enabled: true
    config:
      url: http://hook-sever.internal
      body: "file:///etc/config/subject-hook.jsonet"
```

## Expected Webhook Response:
The hook should return the mapping between the Kratos Identity and the custom identifier:

```json
{
  "identity_id": "abc",
  "obfuscated_id": "xyz"
}
```

## Implementation Logic
When the hook is enabled and returns a successful response, Kratos would use the obfuscated_id to set the ForceSubjectIdentifier when communicating with Hydra:

```go
alr := hydraclientgo.NewAcceptOAuth2LoginRequest(params.IdentityID)
if params.ObfuscatedID != "" {
    alr.ForceSubjectIdentifier = &params.ObfuscatedID
}
```

### Workarounds or alternatives

Add server between Kratos and Hydra to modify `AcceptOAuth2LoginRequest` body

```yaml
oauth2_provider:
  url: http://custom-server.internal
```


### Version

v25.4.0

### Additional Context

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support Custom Subject Mapping via Webhook for OAuth2 Flows #4553

Preflight checklist

Ory Network Project

Describe your problem

Describe your ideal solution

Example Configuration:

Expected Webhook Response:

Implementation Logic

Workarounds or alternatives

Version

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Support Custom Subject Mapping via Webhook for OAuth2 Flows #4553

Description

Preflight checklist

Ory Network Project

Describe your problem

Describe your ideal solution

Example Configuration:

Expected Webhook Response:

Implementation Logic

Workarounds or alternatives

Version

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions