# ory-network
m
ory Third-Party / IdP initiated login: Am I right in the assumption that Ory Kratos does not support OIDC using IdP-initiated or third-party-initiated login? I haven’t found anything in the documentation. https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin I remember having read somewhere that this would pose a security risk. If you don’t support it from a security perspective, do you have an article about that somewhere, so we can send it to our integration partners/customers? This is for the case where Ory is the service provider and NOT the identity provider! Meaning, users log in using OIDC into our app, not the other way round.
l
Hydra is an OIDC service provider.
m
I’m essentially interested in the case where you set up Ory in a way where people log in to their Ory user account using an external identity provider. Not the other way round, where people log in to another service using their Ory user account.
l
Oh, I was confused by “In the case where Ory is the service-provider, and NOT the Identity provider!”. For social sign-in, Ory is the OIDC client.
m
There are way too many terms used for the various parties 🙈
@magnificent-energy-493 do you have an answer or know who could provide an answer to that?
m
Hello @mysterious-processor-51766, are you looking for OIDC sign-up/sign-in https://www.ory.sh/docs/kratos/social-signin/overview ? This way you can add any OIDC-compliant third-party IdP.
m
Not quite, we have already set up an “OIDC-compliant third-party IdP”. I’m looking more for how to trigger the OIDC flow. Right now, we have to call e.g. https://www.ory.sh/docs/reference/api#tag/frontend/operation/createNativeLoginFlow from our side first, then redirect to the third party, which redirects back to Ory, and then back to our app. (The standard flow)

Our App -> Third-Party IdP -> Ory -> Our App

However, there is also a standard where the third party initiates the sign-in flow, and not we. https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin This is useful when the third party wants to link to our app and automatically register the user when they click on the link. The flow would then be something like

Third-Party IdP -> Ory -> Our App

and thus the user gets automatically logged in without the round trip back to the IdP.

Do you support this standard here: https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin And if not, is there a rationale why it’s not supported (it would be awesome if you have a link to documentation/an article explaining why)? I think I’ve read somewhere that such a flow is less secure?!
Auth0 has this section here: https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on#risks-and-considerations However, they also mention that such a flow is not supported in the standard, which I find a bit weird, as it’s mentioned in the core spec of OIDC.
We are looking for a link like this, that would allow initiating the SSO flow from a third party: https://project.projects.oryapis.com/self-service/methods/oidc/tpil?iss=https://idp.customer.com (tpil = Third-Party Initiated Login)