# ory-copilot
@chilly-king-10285, can you share an example of generic oidc?
A message from kapa.ai
Sure, here's an example of how to add a generic, OIDC-certified social sign-in provider to your project using the Ory Console and Ory CLI:

Using the Ory Console:

1. Go to Authentication > Social Sign-In in the [Ory Console](https://console.ory.sh/projects/current/social-signin).
2. Click the Add A Generic Provider button.
3. Define the Provider name. This name is used for identification purposes only.
4. Paste the configuration details obtained from your social sign-in provider into the corresponding fields in the Console:
   - Client ID
   - Client Secret
   - Issuer URL
5. Copy the Redirect URI from the Console and add it to your provider's configuration.
6. Click Save Configuration to finish.

Using the Ory CLI:

1. Create a client at your generic provider to get a Client ID and Client Secret.
2. Create a [Jsonnet code snippet](https://www.ory.sh/docs/kratos/social-signin/generic#data-mapping) to map the desired claims to the Ory Identity schema.
3. Encode the Jsonnet snippet with [Base64](https://www.base64encode.org/) or host it under a URL accessible to Ory Network.
4. Download the Ory Identities config from your project and save it to a file:

```bash
## List all available projects
ory list projects

## Get config
ory get identity-config {project-id} --format yaml > identity-config.yaml
```
5. Add the social sign-in provider configuration to the downloaded config. Add the Jsonnet snippet with mappings as a Base64 string or provide a URL to the file.

```yaml
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: generic # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
            provider: generic
            client_id: .... # Replace this with the Client ID
            client_secret: .... # Replace this with the Client secret
            issuer_url: https://accounts.google.com # Replace this with the provider's issuer URL
            mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
            # Alternatively, use a URL:
            # mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17f22ce7f4295c739604b183f05ac4afb4
            scope:
              - email
            # supported scopes can be found in your provider's dev docs
            claims_source: id_token # set to "userinfo" to read the claims from the UserInfo endpoint
      enabled: true
```
6. Update the Ory Identities configuration using the file you worked with:

```bash
ory update identity-config {project-id} --file identity-config.yaml
```
For more details, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/generic).
@chilly-king-10285, can you elaborate more what should be the value of issuer_url?
A message from kapa.ai
The `issuer_url` is the URL of the OpenID Connect server used by the provider to issue tokens. It's a critical part of the configuration for setting up an OpenID Connect or OAuth2 client, as it tells the client where to communicate with the provider's server. For example, if you're setting up a generic OpenID Connect provider, the `issuer_url` might be something like `https://accounts.google.com` if you're using Google as your provider. In the context of Ory, if you're setting up Ory OAuth2 as a social sign-in provider, the `issuer_url` would be the URL of the Ory Network project or Ory Hydra Federation server instance. If you're using Ory's Oathkeeper, the `issuer_url` is used to set the "iss" value of the ID Token. Here are some examples from the provided sources:

- In the [Oathkeeper configuration](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token-configuration), the `issuer_url` is set to `https://my-oathkeeper/`.
- In the [Ory OAuth2 setup](https://www.ory.sh/docs/kratos/social-signin/ory#setting-up-authentication-through-the-upstream-sso-provider), the `issuer_url` is the URL of the Ory Network project or Ory Hydra Federation server instance.
- In the [generic OIDC provider setup](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc#example-configuration), the `issuer_url` is set to `https://accounts.google.com`.

Remember to replace these example URLs with the actual URL of your OpenID Connect server or Ory instance.
@chilly-king-10285, can you provide me generic oidc data mapping?
A message from kapa.ai
Sure, here's an example of how to map the data returned by a generic OIDC provider to traits as defined in the identity schema using a Jsonnet code snippet:

```jsonnet
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      // The email might be empty if the user hasn't granted permissions for the email scope.
      [if 'email' in claims then 'email' else null]: claims.email,
    },
  },
}
```
In this example, the user's `email` is mapped to `email` in the identity schema. The `if` condition checks if the `email` claim is present in the data returned by the provider. If it is, the `email` claim is mapped to the `email` trait in the identity schema. If it's not, `null` is assigned to the `email` trait. Please note that the actual mapping will depend on the specific claims returned by your OIDC provider and the traits defined in your identity schema. For more details, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/generic#additional-configuration).
@chilly-king-10285, what should be the data structure of claims?
A message from kapa.ai
The `claims` object in Ory Kratos represents the data returned by the social sign-in provider. The structure of `claims` can vary depending on the provider, but it generally includes information about the authenticated user. Here's an example of a `claims` object structure:

```json
{
  "iss": "https://accounts.google.com",
  "sub": "1234",
  "name": "John Doe",
  "given_name": "John",
  "family_name": "Doe",
  "last_name": "Doe",
  "middle_name": "Peter",
  "nickname": "john_doe",
  "preferred_username": "johnny",
  "profile": "https://plus.google.com/1234",
  "picture": "https://plus.google.com/1234/profile.png",
  "website": "https://example.org",
  "email": "[email protected]",
  "email_verified": true,
  "gender": "m",
  "birthdate": "1980/11/12",
  "zoneinfo": "de",
  "locale": "de",
  "phone_number": "+1123123123",
  "phone_number_verified": true,
  "updated_at": "2022-11-30T11:07:24.405345Z",
  "hd": "4321",
  "team": "some-microsoft-team",
  "raw_claims": {
    /* ... */
  }
}
```
In this example, `claims` includes standard claims like `iss` (issuer), `sub` (subject), `name`, `given_name`, `family_name`, `email`, `email_verified`, and others. It also includes a `raw_claims` object, which contains all claims that are not part of the standard userinfo claims. Please note that the actual structure and keys of the `claims` object will depend on the specific claims returned by your social sign-in provider. For more details, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/data-mapping#external-variable-claims).
@chilly-king-10285 I mean, should it be an object or JSON?
A message from kapa.ai
The `claims` data in Ory Kratos is represented as a JSON object. This object contains key-value pairs where the keys are the claim names and the values are the claim values. Here's an example of what the `claims` JSON object might look like:

```json
{
  "iss": "https://accounts.google.com",
  "sub": "1234",
  "name": "John Doe",
  "given_name": "John",
  "family_name": "Doe",
  "email": "[email protected]",
  "email_verified": true,
  "gender": "m",
  "birthdate": "1980/11/12",
  "locale": "de",
  "phone_number": "+1123123123",
  "phone_number_verified": true,
  "updated_at": "2022-11-30T11:07:24.405345Z"
}
```
In this example, each key in the JSON object represents a claim name, and the associated value is the claim value. The actual structure and keys of the `claims` object will depend on the specific claims returned by your social sign-in provider. For more details, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/data-mapping#external-variable-claims).
@chilly-king-10285, this is the claim (see below) that I am receiving. However, I am receiving an error:

```
"message": "jsonnetsecure: ERROR: RUNTIME ERROR: Unexpected type string, expected object\n\t<std>15485-32\tfunction <anonymous>\n\thttps://storage.googleapis.com/bac-gcs-production/136eabc09380a1303e56d1f158336d4f3e9cf1b92aab37ceb2986b9f676739d733761035cc75f05564edd03a4256c9fb4a16046901f3bec158aa6ed5d201266c.jsonnet:5:11-32\t\n\tField \"traits\"\t\n\tField \"identity\"\t\n\tDuring manifestation\t\n"
```

```json
{
  "email": "test1@gmail.com",
  "iss": "https://oauth.thehigglers.com/",
  "name": "test2",
  "preferred_username": "test2",
  "raw_claims": {
    "email": "test1@gmail.com",
    "name": "test2",
    "preferred_username": "test2",
    "sub": "3",
    "zoneinfo": "Asia/Kolkata"
  },
  "sub": "3",
  "zoneinfo": "Asia/Kolkata"
}
```
A message from kapa.ai
The error message you're seeing suggests that the Jsonnet code is expecting an object but is receiving a string instead. This could be due to the way the `traits` are being mapped in your Jsonnet code. Here's an example of how to map the `claims` to `traits` in Jsonnet:

```jsonnet
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      email: claims.email,
      name: claims.name,
      preferred_username: claims.preferred_username,
      zoneinfo: claims.zoneinfo,
    },
  },
}
```
In this example, the `email`, `name`, `preferred_username`, and `zoneinfo` claims are mapped to corresponding traits in the identity schema. The `if` condition checks if the claim is present in the data returned by the provider. If it is, the claim is mapped to the trait in the identity schema. If it's not, `null` is assigned to the trait. Please adjust the Jsonnet code according to the actual claims you're receiving and the traits defined in your identity schema. For more details, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/data-mapping#external-variable-claims).