# ory-selfhosting
Hello everyone! Our app uses self-hosted Kratos as identity provider, and we recently enabled SSO for login with various OIDC providers. Everything works great. My question is: we would like to extend the functionality beyond basic authentication and let users manage their identities using their provider of choice. So, for example, let's say that upon registration we get a list of groups the user is a member of and define its roles accordingly. But afterwards, if the user's settings are changed in the provider, e.g. if the user is removed from one of the groups, we want to be able to know about it and update our database as well. There is no real need for "realtime" actions, but say within the hour. What is the best way / best practice to achieve this?
Such use cases are usually handled using SCIM (https://www.rfc-editor.org/rfc/rfc7644). For a practical example, visit https://scim.dev/guide/. To my knowledge, Kratos currently does not support SCIM, but having this feature in the future would be highly beneficial.
An alternative solution. We are not using OIDC; users authenticate against Kratos. However, we add public metadata to the user's Identity giving the groups the user is in, thus the group membership is under our control. I believe this is also supported if the authentication is done via OIDC. Perhaps this would work for you?
@some-bear-63847 We also use the metadata field to store information from the provider, but the problem is how to have the information always synced with the upstream provider.
@icy-manchester-83109 I think this is what I was looking for. Thanks to both of you!