Skip to main content

Social sign-in

Follow these steps to add a social sign-in provider when self-hosting Ory Kratos.

  1. Define the redirect URL:

    http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>

  2. Create a client at your provider to get the Client ID and Client Secret.

  3. Set the redirect URI to URL that follows this pattern. http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>.

  4. Create a Jsonnet code snippet to map the desired claims to the Ory Identity schema.

  5. Encode the Jsonnet snippet with Base64 or store it in a location available to your Ory Kratos instance.

  6. Add the configuration for your social sign-in provider to the Ory Kratos configuration. Add the Jsonnet snippet with mappings as a Base64 string or provide a path or an URL of the file.

Example configuration

selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: generic # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
            provider: generic
            client_id: .... # Replace this with the Client ID
            client_secret: .... # Replace this with the Client secret
            issuer_url: https://accounts.google.com # Replace this with the providers issuer URL
            mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
            # Alternatively, use an URL:
            # mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17
            scope:
              - email
            # supported scopes can be found in your providers dev docs
      enabled: true

Environment variables

It is not recommended to use environment variables to configure OIDC providers, as the data object is complex and getting the syntax right is difficult. If you want to use environment variables, it is recommended to set the full JSON array as an environment variable:

export SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS='[{"id":"google","provider":"google","mapper_url":"<file_location>","client_id":"<client_id>","client_secret":"<client_secret>","scope":["openid","email","profile"],"auth_url":"https://accounts.google.com/o/oauth2/v2/auth","token_url":"https://www.googleapis.com/oauth2/v4/token","issuer_url":"https://accounts.google.com"}]'

Prevent having to log in after sign-up

When adding social sign-in providers manually, remember to add the session hook to after/oidc/hooks. If you don't add this hook, users will have to log in again after signing up to get a session.

selfservice:
  flows:
    registration:
      after:
        oidc:
          hooks:
            - hook: session
Ory Network

The most flexible and scalable way to manage identi­ties, authen­tication, autho­rization and access control.Explore Ory Network

Explore Ory Network