diff --git a/auth/auth.nix b/auth/auth.nix
index 35d333d..d1c3c20 100644
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -23,6 +23,16 @@ let
 kanidm-service-account-token-fp = "${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
+ kanidmMigrateDbScript = pkgs.writeShellScript "kanidm-db-migration-script" ''
+ # handle a case when kanidm database is not yet created (the first startup)
+ if [ -f ${config.services.kanidm.serverSettings.db_path} ]
+ then
+ set -o xtrace
+ # since it's the last command, it produces an exit code for systemd as well
+ ${lib.getExe pkgs.sqlite} ${config.services.kanidm.serverSettings.db_path} < ${./kanidm-db-migration.sql}
+ fi
+ '';
+
 spApiUserExecStartPostScript = pkgs.writeShellScript "spApiUserExecStartPostScript" ''
 export HOME=$RUNTIME_DIRECTORY/client_home
@@ -199,6 +209,11 @@ lib.mkIf config.selfprivacy.sso.enable {
 };
 };
+ systemd.services.kanidm.serviceConfig.ExecStartPre =
+ # idempotent script to run on each startup only for kanidm v1.5.0
+ lib.mkIf (pkgs.kanidm.version == "1.5.0")
+ (lib.mkBefore [ kanidmMigrateDbScript ]);
+
 systemd.services.kanidm.serviceConfig.ExecStartPost =
 lib.mkAfter [ spApiUserExecStartPostScript ];
diff --git a/auth/kanidm-db-migration.sql b/auth/kanidm-db-migration.sql
new file mode 100644
index 0000000..0af27ea
--- /dev/null
+++ b/auth/kanidm-db-migration.sql
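Review bot: The sqlite invocation in `kanidmMigrateDbScript` runs the migration file without `-bail`, and as far as I can tell the sqlite3 shell then keeps executing the remaining statements after one fails and only reports a non-zero status at the end, so a failure in the first UPDATE of kanidm-db-migration.sql still lets the second one run and kanidm is then started on a half-migrated store (the non-zero exit is what stops the unit, but the damage is already written). Pass `-bail` so the first error aborts the run, and quote the path while at it: `${lib.getExe pkgs.sqlite} -bail "${config.services.kanidm.serverSettings.db_path}" < ${./kanidm-db-migration.sql}`. Because this is a raw write into kanidm's database that bypasses its own schema and ACP validation, I would also copy `db_path` aside before the first run (guarded so the copy is not overwritten on every boot) so a bad rewrite can be rolled back. The `let` binding list this hunk belongs to starts and ends outside the hunk.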
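Review bot: The comment on the new `ExecStartPre` entry says the script is idempotent and gated to kanidm 1.5.0 but not what it changes or why, which matters here because the SQL it runs rewrites the builtin `idm_acp_oauth2_manage` ACP so that its holders may set `oauth2_rs_basic_secret` and enable `oauth2_allow_insecure_client_disable_pkce` / `oauth2_jwt_legacy_crypto_enable`. I would replace it with something like `# WORKAROUND for kanidm 1.5.0 only: rewrite the builtin idm_acp_oauth2_manage ACP directly in the SQLite db so oauth2 admins can manage client secrets and the other oauth2_* attributes (presumably missing from 1.5.0's builtin ACP — confirm against upstream); runs before the module's own ExecStartPre steps on every start. Drop together with kanidmMigrateDbScript once pkgs.kanidm moves past 1.5.0.` The exact-version gate is the right choice, but it also means the workaround silently disappears on any other version (including an overridden package), so the comment should state that expectation. The enclosing `lib.mkIf config.selfprivacy.sso.enable { ... }` attribute set starts and ends outside the hunk.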
@@ -0,0 +1,56 @@
+update id2entry
+set data = cast(
+ json_replace(
+ data,
+ '$.ent.V3.attrs.acp_create_attr.I8',
+ json_array(
+ 'class','description','displayname','image','name',
+ 'oauth2_allow_insecure_client_disable_pkce',
+ 'oauth2_allow_localhost_redirect',
+ 'oauth2_device_flow_enable',
+ 'oauth2_jwt_legacy_crypto_enable',
+ 'oauth2_prefer_short_username',
+ 'oauth2_rs_claim_map',
+ 'oauth2_rs_basic_secret',
+ 'oauth2_rs_name',
+ 'oauth2_rs_origin',
+ 'oauth2_rs_origin_landing',
+ 'oauth2_rs_scope_map',
+ 'oauth2_rs_sup_scope_map',
+ 'oauth2_strict_redirect_uri'
+ )
+ ) as blob
+)
+where cast (id as text) = (
+ select json_extract(idl, '$.t.s[0]')
+ from idx_eq_name
+ where key = 'idm_acp_oauth2_manage'
+);
+update id2entry
+set data = cast(
+ json_replace(
+ data,
+ '$.ent.V3.attrs.acp_modify_presentattr.I8',
+ json_array(
+ 'description','displayname','image','name',
+ 'oauth2_allow_insecure_client_disable_pkce',
+ 'oauth2_allow_localhost_redirect',
+ 'oauth2_device_flow_enable',
+ 'oauth2_jwt_legacy_crypto_enable',
+ 'oauth2_prefer_short_username',
+ 'oauth2_rs_claim_map',
+ 'oauth2_rs_basic_secret',
+ 'oauth2_rs_origin',
+ 'oauth2_rs_origin_landing',
+ 'oauth2_rs_scope_map',
+ 'oauth2_rs_sup_scope_map',
+ 'oauth2_strict_redirect_uri'
+ )
+ ) as blob
+)
+where cast (id as text) = (
+ select json_extract(idl, '$.t.s[0]')
+ from idx_eq_name
+ where key = 'idm_acp_oauth2_manage'
+);
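Review bot: The two UPDATE statements run outside a transaction and can silently do nothing: `json_replace` leaves `data` untouched when the `$.ent.V3.attrs.…I8` path is absent, and the `where` subquery matches no row when `idx_eq_name` has no `idm_acp_oauth2_manage` entry, so a change in kanidm's internal store layout (a different entry version tag or value encoding) turns the migration into a "successful" no-op and kanidm starts with the ACP unchanged, while a failure between the two statements leaves the create and modify attribute lists inconsistent. Wrap both statements in one transaction and add a precondition that fails the script when the ACP row cannot be found or an UPDATE did not touch exactly one row; a temp table with a CHECK constraint does this in plain SQL without triggers (the transaction only helps if the caller runs sqlite3 so that an error aborts before `commit`, e.g. with `-bail`). The file also deserves a header comment saying that it is a kanidm-1.5.0-only rewrite of a builtin ACP that grants its holders the ability to set `oauth2_rs_basic_secret` and to enable `oauth2_allow_insecure_client_disable_pkce` / `oauth2_jwt_legacy_crypto_enable`, and that it depends on the unversioned `id2entry` / `idx_eq_name` layout. Note as well that `json_replace` overwrites the whole attribute list, so any attribute kanidm 1.5.0 already listed but this file omits is dropped from the ACP.
```sql
-- kanidm 1.5.0 only: rewrite the builtin idm_acp_oauth2_manage ACP in place.
-- Widens what holders of this ACP may create/modify (incl. oauth2_rs_basic_secret).
begin;

-- fail with a CHECK violation unless exactly one idm_acp_oauth2_manage entry is indexed
create temp table migration_check (n integer check (n = 1));
insert into migration_check
select count(*) from idx_eq_name where key = 'idm_acp_oauth2_manage';

update id2entry
-- … unchanged: acp_create_attr rewrite …
-- fail unless the previous UPDATE touched exactly one row
insert into migration_check select changes();

update id2entry
-- … unchanged: acp_modify_presentattr rewrite …
insert into migration_check select changes();

commit;
```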