Is there any way for me to reject an account link ...
# talk-kratos
b
Is there any way for me to reject an account link if the social identity provider email does not match the Ory email in traits? For example, if I have an Ory user with traits {email: abc@gmail.com} and I link my account, I don't want to allow linking with xyz@othermail.com, only abc@gmail.com. I want to deactivate the account if abc@gmail.com gets deactivated, and if the account is linked with xyz@othermail.com, they would still be able to log in even though the account is deactivated (I believe).
m
I want to deactivate the account if abc@gmail.com gets deactivated, and if the account is linked with xyz@othermail.com, they can still be able to log in even though the account is deactivated (I believe)
Hey @big-evening-36539 Are you sure? If the identity is deactivated you can't log in any more AFAICT. Or do you mean just the Gmail account is deactivated? But that would not prevent login anyway 🤔
b
Sorry, I don't want to deactivate, but I don't want the user to be able to log in 🙂 So, a bit more concrete: employee@company.org registers, and then I only want them to do SSO with the Microsoft Office account employee@company.org. I don't want them to link with johndoe@hotmail.com, so that in the case that employee@company.org gets deactivated (John quits and the account is deactivated by an IT administrator in Company), they won't be able to access the account with any social login provider. I've looked more into this, and it might be possible with a webhook? https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks Something along the lines of this? (I don't know Jsonnet, so the syntax might be off.)
local claims = std.extVar('claims');

// NB: sketch only; `ctx` is not declared anywhere in this snippet.
if ctx.identity.traits.email != claims.email then
  error "provider must have matching email"
else
  {
    identity: {
      traits: {
        // If email isn't set the Jsonnet snippet will fail with an error.
        email: claims.email,
        name: {
          [if "given_name" in claims then "first" else null]: claims.given_name,
          [if "family_name" in claims then "last" else null]: claims.family_name,
        },
      },
    },
  }
I tried to do this in the data mapping, but it doesn't look like anything happens 😓 and I guess I don't have the claims available in any of the webhooks, e.g. a before-settings webhook?
m
Hmm, I am not sure right now, but would you be willing to create a GitHub discussion for this in github.com/ory/kratos? I don't think we have docs on best practices around "deactivation" or "deletion" of users, and it would be good to use this opportunity to gather some material and start a document. Is deactivating the account not an option? Wouldn't they be unable to log in any more then? I usually delete the identity in your use case, but I guess there are reasons not to do that? If yes, what are they in your case?