cold-nest-53329
05/31/2024, 9:12 AM
chilly-king-10285
05/31/2024, 9:12 AM
chilly-king-10285
05/31/2024, 9:12 AM
`id_token` claims when using Ory Kratos. This is done through the use of Jsonnet data mapping. Jsonnet is a data templating language for app configuration. You can define how to map the data you get from the specific provider to the Identity traits by creating a Jsonnet code snippet. This snippet becomes a part of the Ory Identities configuration for the given social sign-in provider. Here is an example of a Jsonnet snippet that maps `email_primary` to the identity schema's `traits.email`:
```jsonnet
local claims = {
  email_verified: false,
} + std.extVar('claims');

{
  identity: {
    traits: {
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
```
In this example, the email is only returned if it exists and is marked as verified by the provider. You can also set public and admin metadata fields. These fields will then be populated whenever data is mapped. This is useful if you want to store data from the social sign-in provider without the user being able to modify it.
```jsonnet
local claims = std.extVar('claims');

{
  identity: {
    traits: {
      email: claims.email
    },
    metadata_public: {
      discord_username: claims.discord_username,
    },
    metadata_admin: {
      // ...
    },
  }
}
```
For more information, you can refer to the following documentation:
- [Data Mapping](https://www.ory.sh/docs/kratos/social-signin/data-mapping)
- [Set Identity Metadata](https://www.ory.sh/docs/kratos/social-signin/data-mapping#set-identity-metadata)

Please note that secrets such as API keys, credentials, or personal data should not be saved directly in Jsonnet code snippets as they are not stored in an encrypted format in Ory Network.
cold-nest-53329
05/31/2024, 9:16 AM
chilly-king-10285
05/31/2024, 9:16 AM
chilly-king-10285
05/31/2024, 9:17 AM
`ory/kratos-selfservice-ui-node` Docker container, you need to add the Jsonnet snippet with mappings as a Base64 string or provide a URL to the file in the social sign-in provider configuration. This configuration is part of the Ory Identities configuration. Here is an example of how to add the Jsonnet snippet as a Base64 string:
```yaml
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: yourid
            provider: generic
            client_id: ....
            client_secret: ....
            issuer_url: https://your-project-slug.projects.oryapis.com
            mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
            scope:
              - email
              - offline_access
              - openid
      enabled: true
```
Alternatively, you can provide a URL to the file:
```yaml
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: yourid
            provider: generic
            client_id: ....
            client_secret: ....
            issuer_url: https://your-project-slug.projects.oryapis.com
            mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17f22ce7f4295c739604b183f05ac4afb4
            scope:
              - email
              - offline_access
              - openid
      enabled: true
```
After adding the Jsonnet snippet to the configuration, you need to update the Ory Identities configuration using the file you worked with:
```bash
ory update identity-config {project-id} --file identity-config.yaml
```
As for where to mount the file, it depends on your Docker setup. Generally, you would mount the file in a directory that the Docker container has access to. You can do this using Docker volumes. Here is an example of how to create a Docker volume:
```bash
docker run -v /path/to/your/jsonnet/file:/path/in/container ory/kratos-selfservice-ui-node
```
In this example, `/path/to/your/jsonnet/file` is the path to the Jsonnet file on your host machine, and `/path/in/container` is the path where you want to mount the file in the Docker container.

For more information, you can refer to the following documentation:
- [Ory Kratos Social Sign-in](https://www.ory.sh/docs/kratos/social-signin)
- [Docker Volumes](https://docs.docker.com/storage/volumes/)
cold-nest-53329
05/31/2024, 9:20 AM
chilly-king-10285
05/31/2024, 9:20 AM
chilly-king-10285
05/31/2024, 9:21 AM
`id_token` in the consent endpoint when using Ory Hydra. This is done by setting the `session.id_token` field when accepting the consent request. Here is an example:
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function acceptConsent(consentChallenge: string) {
  const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })

  return await ory
    .acceptOAuth2ConsentRequest({
      consentChallenge: consentChallenge,
      acceptOAuth2ConsentRequest: {
        session: {
          access_token: {
            some_custom_claim: "some_custom_value",
          },
          id_token: {
            id_custom_claim: "some_value",
          },
        },
      },
    })
    .then(({ data }) => data)
}
```
In this example, `id_custom_claim` is a custom claim added to the `id_token`. The value of this claim is `"some_value"`. Please note that any information included in `session.id_token` when accepting the consent request will also be included in the userinfo response.

For more information, you can refer to the following documentation:
- [Consent Endpoint Code Example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example)
- [Adding Custom Claims to the Userinfo Response](https://www.ory.sh/docs/oauth2-oidc/userinfo-oidc#adding-custom-claims-to-the-userinfo-response)