Hey, TL;DR: how to disable sign-up via google but...
# talk-kratos
m
Hey, TL;DR: how to disable sign-up via Google but keep sign-in at the same time. I configured Ory to allow sign-up with Google at the beginning. Now I want to disable this option, but at the same time I want to allow sign-in via Google for users that signed up via Google. Is there a way to do that? cc @magnificent-energy-493
m
Hello @many-microphone-43631, you could solve it through a custom UI, I think 🤔 Not something that can be solved very easily, I fear. So you can display the UI with Sign In with Google to users who have the “old” identity schema, and display it without to users who have the “new” identity schema without OIDC provider. Let me know if that helps 😬
m
That was my original plan, but I wanted to check if there's a way to make it faster via UI
So thanks for the help 🙂
Hey @magnificent-energy-493, I tried to apply this solution and then I realized that at the stage of sign-up/sign-in I don't have information about user id/schema, so there's no way for me to know if I should display Google sign-in or not. Below is a really poor solution I went with:
```ts
// Drop every UI node in the 'oidc' group so the registration form renders without social sign-up.
const setFlowWithoutOidc = (baseFlow: SelfServiceRegistrationFlow | null) =>
  setFlow(
    produce(baseFlow, (flow) => {
      if (flow) {
        flow.ui.nodes = flow.ui.nodes.filter((node) => node.group !== 'oidc')
      }
    }),
  )
```
There's still one problem. If you don't have an account, then the sign-in (via Google) creates one for you, which is in most cases a good pattern. But in my case, I don't want that, and in config I only have the option to either enable or disable oidc. There's no option to disable it for sign-up. Can you help here?
m
Hey, a simple “discovery” feature would be great, I agree. We do have this on the roadmap for sure; I can't say when it will be implemented. But glad you found a solution, even if it is not great now. As for the disabling of signup, so users should only be able to create an account through username/pw but not through OIDC? Off the top of my head, and this is most likely not the best solution: disable registration entirely and “hack” the pw/username registration through an admin API call. So instead of using the normal registration flow, you create the account through the admin API. Otherwise I suggest taking a look at GitHub Discussions to see if something similar came up before, and if not, feel free to create one, as Slack is more for quick, “disappearing” messages.
m
> users should only be able to create an account through username/pw but not through OIDC?

Correct. I totally agree with you that this is not the best (not even a good) solution, but rather a bad one. At the same time, our product allowed sign-up via Google, and now the new business requirement is to disable Google sign-up, but at the same time allow old users who signed up via Google to still use this as a login option. I haven't found anything like that in discussions, and if there's nothing that comes to your mind, then I'll stick with what I posted because it's way less work than "hacking" with the admin API. Thanks one more time!
m
Yes, I see, it is not a very common use case. In fact, I don't think I came across it yet. On the other hand, it makes sense that you would run into this issue when you are “phasing out” a social login provider. Other than migrating all users to the new auth methods, I see no good solution 🤔