https://www.ory.sh/ logo
Join Slack
Powered by
This message was deleted.
# general
m
This message was deleted.
w
You are going to need something along the lines of an action.
So, after a user attempts to connect his social account, a webook can be invoked and check if the social connect is acceptable and if the flow is a 
registration
or 
settings
flow, update the user's profile accordingly via response.
b
The problem here is google does not specify email it comes like userinfo.email so hard to get what email is provided by Google to this account
w
In your case, since it appears the user already exists, this would, in fact, be a 
settings
flow. Take a close look at the link I posted above. It will give you precise details on what the webhook will be sent and exactly what to return from the webhook to correct or approve the user's change.
You will likely have to get your hands dirty with some jsonnet (configuration/manuiplation) to get the parameters to your liking.
b
Even If I did try using jsonnet. the session object does not contain emails provided by the SSO in general. So again the user link which email ID using SSO remains a question
w
Then let me ask a clarifying question. What do you mean by this:
The problem here is google does not specify email it comes like userinfo.email.
please explain that in detail what that means to you.
b
Copy code
https://<projecturl>.<http://projects.oryapis.com/self-service/methods/oidc/callback/google?state=<state>&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=1&hd=davisindex.com&prompt=none|projects.oryapis.com/self-service/methods/oidc/callback/google?state=<state>&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=1&hd=davisindex.com&prompt=none>
This is how the authentication is being done, I did try setting one webhook and see what is the updated object for the session it does contain the array below:
Copy code
"authentication_methods": [
    {
      "method": "oidc",
      "aal": "aal1",
      "completed_at": "2024-02-16T09:20:38.858325815Z",
      "provider": "google"
    }]
but I need a way to understand which emailid was provided by google at the time of SSO linking. I am having difficulty getting that
The webhook for settings are limited to Profile and Password only. They don't have for Social Link and Hardware Tokens
w
this may be unrelated but it made me think of something. as an aside, are you trying to restrict social connections to only emails that match what the user registered with?
b
PERFECT!!!!
Yes
w
if so, that's a sticky area.
👀 1
i'll give you a nasty example.
b
okay, tell me.
w
given alice. let's say alice registers on your site with alicegood+nospamfromyoudavisindex@gmail.com. she goes on vacation for a few weeks. she comes back and you've implemented social connect. she tries connecting with google with userinfo.email = alice.good@gmail.com. will you be able to equate the two?
those resolve to exactly the same email address.
but how do you know?
google has a nifty "+" feature. not all email providers do that. some have different handling.
just something to think on.
b
I even tried a scenario where any email ID is allowed to link via social IDs infact. If you do Google Sign In with one and maybe LinkedIn with another it is still gonna allow
And to the suprise, once Social is linked basic tends to fail
w
> And to the suprise, once Social is linked basic tends to fail ? what?
b
I mean if u had registered via email id and password earlier and then linked your Google SSO. after that basic sign in with password does not work only the google one works, which makes sense actually.
w
ugh it won't let me remove the link
well. that's something entirely different 🙂
b
But that is still okay the main problem I want to solve is equate both email being same. That's all matters for now
w
> But that is still okay the main problem I want to solve is equate both email being same. That's all matters for now i don't see any way to do this reliably =/
🫣 1
i mean. think about it. unless there was a universal "email normalizer" that understood and could parse every nuance and ad-hoc-supported "feature" of every email provider...
the gmail 
+
thing is prolly the first one that will bite you. the `.`s will too. but those are both easily overcome.
the problem is.. do you want that spaghetti sprinkled in your credential => oidc logic?
not a fun issue to deal with (and this isn't an ory.sh only thing - it's a multiple identifier/credential matching thing).
b
You know a way how to do it?
Even if it was a hack want to see how well it works up
w
i mean if you limited social signin's to a few particular providers... but even then. i know people like me exist.
b
No, cannot limit providrs
w
for example, i've created a "work-based" gmail account for every work email i've ever had. (well, for the ones that didn't already use gmail)
well. unfortunately there's no way to be 100% without an imperfect parser. the glaring example cases are gmails support of "dots don't matter" and "+blah" email partitioning will be just the tip of the iceberg.
b
Oh god. That's crazy.
w
question: the "no restriction" is that cuz you think you can't or is that a "requirement" that the bonehead pms think they need?
b
the restriction for same email is requirement
w
well. that's a tough one. so, i haven't looked too deeply into oidc for kratos within ory but i'm fairly certain you can get the user's social-sign-on email address from the userinfo once they've "connected", from there you can perform checks and rules etc, but this all entails spinning up "yet another stupid service" aka "point of failure" into the mix.
🫥 1
93 Views
Open in Slack
PreviousNext
Powered by