Skip to main content

Social sign-in

Follow these steps to add a generic provider as a social sign-in provider when self-hosting Ory Kratos.

  1. Define the redirect URL:

    http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>

  2. Create a client at your generic provider to get a Client ID and Client Secret.

  3. Set the redirect URI to URL that follows this pattern. http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>.

  4. Create a Jsonnet code snippet to map the desired claims to the Ory Identity schema.

  5. Encode the Jsonnet snippet with Base64 or store it in a location available to your Ory Kratos instance.

  6. Add the social sign-in provider configuration to the Ory Kratos configuration. Add the Jsonnet snippet with mappings as a Base64 string or provide a path or an URL of the file.

Environment variables

It is not recommended to use environment variables to configure OIDC providers, as the data object is complex and getting the syntax right is difficult. If you want to use environment variables, it is recommended to set the full JSON array as an environment variable:

export SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS='[{"id":"google","provider":"google","mapper_url":"<file_location>","client_id":"<client_id>","client_secret":"<client_secret>","scope":["openid","email","profile"],"auth_url":"https://accounts.google.com/o/oauth2/v2/auth","token_url":"https://www.googleapis.com/oauth2/v4/token","issuer_url":"https://accounts.google.com"}]'

Prevent having to log in after sign-up

When adding social sign-in providers manually, remember to add the session hook to after/oidc/hooks. If you don't add this hook, users will have to log in again after signing up to get a session.

selfservice:
  flows:
    registration:
      after:
        oidc:
          hooks:
            - hook: session