Hello @all we are using ory console for managing identities and user login signup, and we are using our own UI We want to enable social logins, starting with Google I have followed steps as mentioned on page https://www.ory.sh/docs/kratos/social-signin/google when I am hitting API to get login flow it work fine

GET https://{project}.<http://projects.oryapis.com/self-service/login/api|projects.oryapis.com/self-service/login/api>

and after than I am hitting API to submit login flow

POST https://{project}.<http://projects.oryapis.com/self-service/login?flow=|projects.oryapis.com/self-service/login?flow=><flow-id>

and json data in body as

{

"method": "oidc",

"provider": "google",

"traits": {}

}

I am getting 422 response as

{

"error": {

"id": "browser_location_change_required",

"code": 422,

"status": "Unprocessable Entity",

"reason": "In order to complete this flow please redirect the browser to: <https://accounts.google.com/o/oauth2/v2/auth?client_id=><my_clinetId>&redirect_uri=https%3A%2F%2F<my_project>.<http://projects.oryapis.com|projects.oryapis.com>%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Fgoogle&response_type=code&scope=email+profile+openid&state=<some-string>",

"message": "browser location change required"

},

"redirect_browser_to": "<https://accounts.google.com/o/oauth2/v2/auth?client_id=><my_clinetId>&redirect_uri=https%3A%2F%2F<my_project>.<http://projects.oryapis.com|projects.oryapis.com>%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Fgoogle&response_type=code&scope=email+profile+openid&state=<some-string>"

}

If paste this link in browser and after login I get error

An error occurred with the following message: The browser does not contain the necessary cookie to resume the session. This is a security violation and was blocked. Please clear your browser's cookies and cache and try again!

If i use ory' UI for whole flow, social login works but existing account it gives error

An account with the same identifier (email, phone, username, ...) exists already. Please sign in to your existing account and link your social profile in the settings page.

Ideally It should link the accounts can someone pls help me with steps or instructions to have social logins working with our own UI, not ory UI?

Hi @adamant-angle-54989 Please check out this document https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#social-sign-in Automatic account linking is not supported and it isn't something we want to support. The reason for this is account takeovers can occur if the social account was somehow compromised. Please see https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account

@proud-plumber-24205 it is clear that

Automatic account linking is not supported

can you please help to identify that which ORY API I should call after getting id-token or access-token from google or any other provider?

You don't need to, Kratos will do this automatically when the user registers

@proud-plumber-24205 could you pls help me that how ory session token is generated when Google redirects to the callback url like (https://{project}.projects.oryapis.com/self-service/methods/oidc/callback/google) after success I know those steps 1. Redirect to the social sign-in provider. 2. Redirect back to Ory with a

code

query parameter. 3. Ory exchanges the

code

for an access token and retrieves the user information. 4. Ory maps the user information to the Identity Schema traits. 5. (optional) Ory redirects back to the registration page, requiring the user to provide the values for the missing traits. Want to know using which API user is created and session token is generated witin ORY

Ory creates the user automatically after the callback or as you mention in step 5 after the user submits the missing traits. If you have sessions enabled after registration https://www.ory.sh/docs/identities/sign-in/actions#log-in-users-after-registration then the user browser will be issued a session in the form of an http cookie

@proud-plumber-24205 I don't want to use ory's callback url for redirect from google, I want to use my UI and my API for handling callback, can you pls help me with some ways to achieve this? ory's callback url generates browser based token/cookie and redirect to /ui/welcome, even if we redirect to our UI then then that token/cookie won't work for as we are using API based token, not browser based toke/cookie

Hi @adamant-angle-54989 Just to make sure I understand correctly, are you building a native application? With native applications you cannot use the

browser

flows since those require cookies to be set inside the browser for CSRF protection. For integrating social sign in with native applications, please check https://www.ory.sh/docs/kratos/social-signin/native-apps

Hi @proud-plumber-24205 thanks a lot, it is working!

Hi @adamant-angle-54989 There are two ways depending on the use case. 1. You are importing existing accounts and already have their social account subject (https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections) 2. The user has registered their account on your platform using their email and password, but now want to link a social sign in account. This is done after the user has a session and can be done through the settings flow https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account

Hi @proud-plumber-24205 I need one more help As I told you yesterday, social login worked for us using API approach with the help of instructions/guidance given by you. 1. If user is not already registered using email password, social login works expected 2. If user is already registered using email password, then gives error saying that

An account with the same identifier (email, phone, username, ...) exists already. Please sign in to your existing account and link your social profile in the settings page.

on ory's UI( becuase automatic account merging is not possible), but we don't want to show ory's UI to our users as we are using our UI interface and we communicate to ory via our backend API. a. is there any way we can redirect to our UI with similar message/error ? b. or some other better to tell user about the error without using Ory's UI

Hi @adamant-angle-54989 Yes of course. The UI can be completely replaced. I would recommend you check out the docs about custom UI https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-overview Go through the document as it explains the concepts of our APIs and how you integrate your own UI. If you are doing pure API calls (native apps) then you need to use the API for native apps (with session token). I would, however, not recommend adding an additional layer between Ory and your UI. The UI (browser i assume) can do native POST requests to Ory or if it's an SPA it can do AJAX requests with JSON.