Users can link their accounts to social sign-in providers in Ory Kratos manually through their account's settings page. Here are the steps to do so: 1. Configure at least two sign-up methods in your Ory project. One of these methods must be through a social sign-in provider. 2. Go to your project's Ory Account Experience at

https://{project.slug}.<http://projects.oryapis.com/ui|projects.oryapis.com/ui>

and sign up. 3. After you sign up, go to Account Settings and navigate to the Social Sign In section. 4. Select one of the buttons to link an available social sign-in provider. Please note that users can link their accounts only to social providers you configured in your Ory project. They can start signing in with a profile created in a social sign-in provider when they originally signed up with email and password, link another social sign-in provider to their profile, or remove a social sign-in provider link from the profile (possible only when multiple sign-in methods are available to prevent locking users out from accounts). For more details, please refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account).

@chilly-king-10285 I'm using self-hosted kratos

If you're using a self-hosted Ory Kratos, you can add a social sign-in provider by following these steps: 1. Define the redirect URL:

http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>

. 2. Create a client at your provider to get the Client ID and Client Secret. 3. Set the redirect URI to URL that follows this pattern:

http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>

. 4. Create a [Jsonnet code snippet](https://www.ory.sh/docs/kratos/social-signin/data-mapping) to map the desired claims to the Ory Identity schema. 5. Encode the Jsonnet snippet with [Base64](https://www.base64encode.org/) or store it in a location available to your Ory Kratos instance. 6. Add the configuration for your [social sign-in provider](https://www.ory.sh/docs/kratos/social-signin/overview) to the Ory Kratos configuration. Add the Jsonnet snippet with mappings as a Base64 string or provide a path or an URL of the file. Here is an example configuration:

yaml selfservice:    methods:    oidc:    config:    providers:    - id: generic # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!    provider: generic    client_id: .... # Replace this with the Client ID    client_secret: .... # Replace this with the Client secret    issuer_url: <https://accounts.google.com> # Replace this with the providers issuer URL    mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"    # Alternatively, use an URL:    # mapper_url: <https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17>    scope:    - email    # supported scopes can be found in your providers dev docs    enabled: true

For more details, please refer to the [Ory documentation](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc).

In Ory Kratos, users can link their accounts from two different OIDC providers. Here are the steps to do so: 1. Configure at least two sign-up methods in your Ory project. Both of these methods should be through different social sign-in providers (OIDC providers). 2. Go to your project's Ory Account Experience at

https://{{project.slug}}.<http://projects.oryapis.com/ui|projects.oryapis.com/ui>

and sign up. 3. After you sign up, go to Account Settings and navigate to the Social Sign In section. 4. Select one of the buttons to link an available social sign-in provider. 5. Repeat the process for the second OIDC provider. Please note that users can link their accounts only to social providers you configured in your Ory project. They can start signing in with a profile created in a social sign-in provider when they originally signed up with email and password, link another social sign-in provider to their profile, or remove a social sign-in provider link from the profile (possible only when multiple sign-in methods are available to prevent locking users out from accounts). For more details, please refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account).

To link accounts from two different OIDC providers using HTTP calls, you can use the Ory Kratos API. Here's a general outline of the process: 1. Initiate the settings flow by making a GET request to the

/self-service/settings/flows

endpoint. This will return a payload that includes the

id

of the settings flow and the

ui

object which contains the form fields and action URL for the settings flow.

bash curl -s -X GET \  -H "Authorization: Bearer $sessionToken" \  -H "Accept: application/json" \  '<https://playground.projects.oryapis.com/self-service/settings/flows?id=14cbf9a7-0c71-46e9-b3b9-806cb7859145>'

2. The

ui

object will contain a group named

oidc

if the

oidc

method is enabled. This group will contain an

input

of type

submit

for each OIDC provider that can be linked. The

name

attribute of the

input

will be

link

and the

value

will be the name of the OIDC provider. 3. To link an account from an OIDC provider, make a POST request to the

action

URL from the

ui

object with the

name

and

value

of the

input

for the OIDC provider you want to link. Please note that the exact details of the HTTP calls and the data they return can vary depending on your Ory Kratos configuration. For more information, please refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20).

I'm sorry, but based on the provided knowledge sources, Ory Kratos does not currently support linking accounts from two different OIDC providers from an admin standpoint. The account linking process is designed to be a self-service operation that the user performs themselves. For more information, you can refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20).