To automatically update claims such as email when coming from a social provider, you need to use Jsonnet data mapper. This is a script that maps the claims returned by the social provider to the Ory Identity schema. Here is an example of how you can do this:

jsonnet local claims = {     email_verified: false,   } + std.extVar('claims');      {     identity: {       traits: {         [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,       },     },   }

In this script, the

email

claim is only returned if it exists and is marked as verified by the social provider. If the email claim has changed on the provider's site, it will be updated in the Ory Identity schema the next time the user signs in using the social provider. You can add this Jsonnet data mapper to your Ory Identities configuration like this:

yaml selfservice:     methods:       oidc:         config:           providers:             - id: generic # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!               provider: generic               client_id: .... # Replace this with the Client ID               client_secret: .... # Replace this with the Client secret               issuer_url: <https://accounts.google.com> # Replace this with the providers issuer URL               mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"               # Alternatively, use an URL:               # mapper_url: <https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17f22ce7f4295c739604b183f05ac4afb4>               scope:                 - email               # supported scopes can be found in your providers dev docs               claims_source: id_token  # set to "userinfo" to read the claims from the UserInfo endpoint         enabled: true

Then, update the Ory Identities configuration using the Ory CLI:

bash ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

Please note that this only works if the verified address is also present in the identity's traits and marked as a verifiable email. If the verified address is not present in the identity's traits, the verified status is not carried over. Sources: - [Map and merge profile data](https://www.ory.sh/docs/kratos/social-signin/data-mapping#emails-and-phone-numbers) - [Carry over verified status from Social Sign-In](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#carry-over-verified-status-from-social-sign-in) - [Generic provider configuration](https://www.ory.sh/docs/kratos/social-signin/generic)

To include the user's traits in the response token, you need to modify the session data when accepting the consent request. This can be done by adding the traits to the

id_token

field of the session data. Here is an example of how you can do this using the Ory Client SDK:

javascript import { Configuration, OAuth2Api } from "@ory/client"  const ory = new OAuth2Api(   new Configuration({     basePath: `https://${process.env.ORY_PROJECT_SLUG}.<http://projects.oryapis.com|projects.oryapis.com>`,     accessToken: process.env.ORY_API_KEY,   }), )  export async function acceptConsent(consentChallenge: string) {   const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })    return await ory     .acceptOAuth2ConsentRequest({       consentChallenge: consentChallenge,       acceptOAuth2ConsentRequest: {         session: {           access_token: {             some_custom_claim: "some_custom_value",           },           id_token: {             id_custom_claim: "some_value",             // Add the user's traits here             traits: data.subject.traits,           },         },       },     })     .then(({ data }) => data) }

In this example, the user's traits are added to the

id_token

field of the session data. This means that the traits will be included in the ID token that is returned to the OAuth client. Please note that the

/userinfo

endpoint is publicly available. Its contents are thus as visible as those of ID Tokens. It is therefore imperative to not expose sensitive information without user consent. Sources: - [Adding custom claims to the userinfo response](https://www.ory.sh/docs/oauth2-oidc/userinfo-oidc#adding-custom-claims-to-the-userinfo-response) - [Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh)