<@U04UQ68083H> Do I need to add to my identity sch...
# ory-copilot
s
@chilly-king-10285 Do I need to add to my identity schema to allow user identities to import Facebook OIDC credentials?
c
A message from kapa.ai
Yes, to import Facebook OIDC credentials, you need to modify your identity schema. Specifically, you need to add a `credentials` field with an `oidc` subfield in your identity schema. This `oidc` subfield should contain a `config` field, which in turn contains a `providers` array. Each provider in this array should have a `provider` field set to the social sign-in provider ID (in this case, "facebook") and a `subject` field set to the ID of the user on the given platform. Here is an example of how to structure this in your identity schema:
```json
{
  "schema_id": "preset://email",
  "traits": {
    "email": "[email protected]"
  },
  "credentials": {
    "oidc": {
      "config": {
        "providers": [
          {
            "provider": "facebook",
            "subject": "12345"
          }
        ]
      }
    }
  }
}
```
In this example, replace "12345" with the actual user ID from Facebook. Please note that the `subject` ID must be the ID of the user on the given platform. Usually, this is the `sub` claim of the OpenID Connect ID Token provider. For more information, refer to the [Ory documentation on importing social sign-in connections](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections).
s
@chilly-king-10285 That's the payload I would send to the API, but that's not the schema I'm asking about. I'm asking about the custom identity schema where you define traits.
c
A message from kapa.ai
I apologize for the confusion. The identity schema in Ory Kratos is primarily used for defining and validating the traits of an identity. Traits are the data associated with an identity and can be modified by the identity owner or users with Ory Identities (Kratos) Admin API access. The identity schema uses JSON Schema to validate these traits. Each identity can have a different JSON Schema, which can be useful in various situations such as having different types of identities in the system (customers, support, staff, etc.), or when the system needs to ingest another company's Identity Schema. However, the identity schema does not directly handle the storage or validation of credentials, such as Facebook OIDC credentials. These are typically managed separately through the Ory Kratos API and are not directly included in the identity schema. Here is an example of a basic identity schema:
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "title": "Username",
          "type": "string"
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First name",
              "type": "string"
            },
            "last": {
              "title": "Last name",
              "type": "string"
            }
          }
        }
      }
    }
  }
}
```
In this example, the traits include a username and a name object, which includes first and last names. For more information on managing identities and customizing identity schemas in Ory Kratos, you can refer to the [official Ory Kratos documentation](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#writing-your-first-custom-identity-schema).
s
@chilly-king-10285 It's true you don't store the actual credentials, but there are other settings around authentication methods that the identity schema requires. For example, you could have
```json
"traits": {
    "type": "object",
    "properties": {
        "email": {
            "type": "string",
            "format": "email",
            "title": "E-Mail",
            "ory.sh/kratos": {
                "credentials": {
                    "password": {
                        "identifier": true
                    },
                    "webauthn": {
                        "identifier": true
                    },
                    "totp": {
                        "account_name": true
                    },
                    "code": {
                        "identifier": true,
                        "via": "email"
                    }
                },
                "recovery": {
                    "via": "email"
                },
                "verification": {
                    "via": "email"
                }
            },
            "maxLength": 320
        }
    },
    "required": [
        "email"
    ],
    "additionalProperties": false
}
```
In the `ory.sh/kratos` section of the identity schema, do I need to include anything around OIDC?
c
A message from kapa.ai
New message text here