Hello. I have a situation where I need to manually ...
# talk-kratos
l
Hello. I have a situation where I need to manually remove a specific OIDC credential/provider from an identity through the API. I have tried both the `updateIdentity` and `patchIdentity` operations, but it seems they only allow me to add providers, not remove them. Is this simply missing from the API? Thanks in advance.
m
It should work with updateIdentity as that gives the option to modify the credentials. Can you share your request/payload/identity example here in this thread maybe?
l
The identity I'm testing with currently has a google oidc identifier on it. If I use the following payload, the credential will still persist:
```json
{
  "credentials": {
    "oidc": {
      "config": {
        "providers": []
      }
    }
  },
  "schema_id": "user",
  "state": "active",
  "traits": {
    "name": {
      "last": "bar",
      "first": "foo"
    },
    "email": "foo@bar.com"
  }
}
```
Result:
```json
{
  "id": "0bbc6e4b-fc87-45e8-960c-922e9d518bcd",
  "credentials": {
    "oidc": {
      "type": "oidc",
      "identifiers": [
        "google:123123123123"
      ],
      "version": 0,
...
```
Adding something like
```json
"oidc": {
  "config": {
    "providers": [
      {
        "provider": "google",
        "subject": "123123123123"
      }
    ]
...
```
to the request results in a 409 conflict
So it seems the special handling of credentials is actually preventing me from deleting. If I provide a new credential, it is added to the list. Request:
```json
"config": {
  "providers": [
    {
      "provider": "whatever",
      "subject": "123456789"
    }
  ]
...
```
Result:
```json
"id": "0bbc6e4b-fc87-45e8-960c-922e9d518bcd",
"credentials": {
  "oidc": {
    "type": "oidc",
    "identifiers": [
      "google:108351732960792347704",
      "whatever:123456789"
    ],
```
@magnificent-energy-493 have you been able to have a look at this yet?
m
Hey Martin, could it be that you want to remove the only credential on the identity? An identity needs to have at least one credential
l
Hey. The identity I am testing with also has a password credential, so that should not be the case
m
I see. So if I create an identity with password/email and e.g. Github OIDC credentials and then try to remove the github oidc, I should be able to reproduce this?
l
Yes, correct.
m
Ok! To manage expectations: I probably won't get around to reproducing this until after the Ory Summit tomorrow
l
No worries. Thanks for looking into it 👍
@magnificent-energy-493 Hi Vincent. Did you get around to testing this?
b
Hi @magnificent-energy-493! I'm Martin's colleague, I was just wondering if you got to test/verify this topic?
d
I have the same issue. Only solution I have found is to delete and recreate the identity without the oidc credential
m
@broad-rainbow-22760 Hello Per, sorry for the late reply - have been bogged down with other priorities until now. I did not get around to testing it but AFAICT deleting and recreating the identity is the only way to do this as an admin. Feel free to create an issue on GitHub to track this for our maintainers though - and please include as much information on the use case as possible.
d
Our case is: User had only one credential which was oidc from a third party provider. The user lost access to the third party provider and now cannot log in any more.