# general
Hi Shaun, I’ll have to look into the google case, but could you post your identity schema and the uuid of a flow where this happened? (It’s in the url when you click „login with google“ on the login/registration screen.) As for the session q: you‘re looking for the /sessions/whoami endpoint (called `toSession` in our sdk). That endpoint has a parameter called „`tokenizeAs`“ which can be used to convert the session to a JWT. The docs for that are here: https://www.ory.sh/docs/identities/session-to-jwt-cors
Hi @bland-eye-99092 - I am just using the default schema for Email and password
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              },
              "code": {
                "identifier": true,
                "via": "email"
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
```
uuid for the flow that failed is `b75375d4-eb8b-4d8a-b3d8-3b5a7f9bc786` and `2701aa5e-4176-419f-b4b4-71824354bba4`. I also tried a standard gmail account and had similar issues: `fa8a524e-2065-4d51-883c-0c7e605842fb`
I have managed to get the Ory session and the email of the logged-in user (I still need to do the JWT stuff), but the flow proves the point even if it needs hardening
Okay, I looked at the logs, and the error message I see is: `additionalProperties \"first_name\", \"hd\", \"last_name\" not allowed"`. This means that after Ory processed the response from Google, the returning object contained these properties, which did not conform to your identity schema. To fix this, you can replace the Jsonnet snippet in your OIDC provider configuration with this (go to “Authentication” -> “Social Sign-in” -> Edit your Google Provider -> “Show Advanced Settings” in the Ory Console):
```jsonnet
local claims = {
  email_verified: true,
} + std.extVar('claims');

{
  identity: {
    traits: {
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
```
This will essentially only return the email address from the google account that’s logging in. If you want to collect other data, such as first name or last name, you can adjust the snippet to also return them (e.g. keep it as the default), but then you’ll also need to add the fields to the identity schema. This docs page should give some more context. Feel free to ping me if anything is unclear, though. 🙂
Thanks for that - email is all we need for our purposes - do we have access to those logs ourselves when in the console, or do we have to make a call via the CLI (assuming it is possible)?
We’re working on making them available. For now, these are just internal logs.
thanks - I'll try to remember to not make assumptions that the defaults are good out of the box