Social sign-in
Follow these steps to add a social sign-in provider when self-hosting Ory Kratos.
-
Define the redirect URL:
http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>
-
Create a client at your provider to get the Client ID and Client Secret.
-
Set the redirect URI to URL that follows this pattern.
http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>
. -
Create a Jsonnet code snippet to map the desired claims to the Ory Identity schema.
-
Encode the Jsonnet snippet with Base64 or store it in a location available to your Ory Kratos instance.
-
Add the configuration for your social sign-in provider to the Ory Kratos configuration. Add the Jsonnet snippet with mappings as a Base64 string or provide a path or an URL of the file.
Example configuration
selfservice:
methods:
oidc:
config:
providers:
- id: generic # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
provider: generic
client_id: .... # Replace this with the Client ID
client_secret: .... # Replace this with the Client secret
issuer_url: https://accounts.google.com # Replace this with the providers issuer URL
mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
# Alternatively, use an URL:
# mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17
scope:
- email
# supported scopes can be found in your providers dev docs
enabled: true
Environment variables
It is not recommended to use environment variables to configure OIDC providers, as the data object is complex and getting the syntax right is difficult. If you want to use environment variables, it is recommended to set the full JSON array as an environment variable:
export SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS='[{"id":"google","provider":"google","mapper_url":"<file_location>","client_id":"<client_id>","client_secret":"<client_secret>","scope":["openid","email","profile"],"auth_url":"https://accounts.google.com/o/oauth2/v2/auth","token_url":"https://www.googleapis.com/oauth2/v4/token","issuer_url":"https://accounts.google.com"}]'
Prevent having to log in after sign-up
When adding social sign-in providers manually, remember to add the session
hook to after/oidc/hooks
. If you don't add this
hook, users will have to log in again after signing up to get a session.
selfservice:
flows:
registration:
after:
oidc:
hooks:
- hook: session