Based on the information provided in the knowledge sources, I can explain why you might not see the

link

option for OIDC in your settings flow even after enabling both OIDC and password methods. The settings flow in Ory Kratos includes different methods, and the

oidc

method is specifically responsible for linking and unlinking social sign-in providers. According to the [Settings flow documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings), when the

oidc

method is enabled, it should be part of the

methods

payload in the Settings Flow. However, it's important to note that the

link

option for OIDC providers is only shown for providers that are not yet linked to the user's account. If you've registered with a password and haven't linked any social providers yet, you should see a

link

option for available OIDC providers. To verify this, you can check the response from the

/self-service/settings/api

endpoint. The OIDC-related nodes should be present in the

ui.nodes

array, specifically with the

group

attribute set to

"oidc"

. Here's an example of what you should look for:

json {   "type": "input",   "group": "oidc",   "attributes": {     "name": "link",     "type": "submit",     "value": "github",     "disabled": false   },   "messages": null,   "meta": {     "label": {       "id": 1050002,       "text": "Link github",       "type": "info",       "context": {         "provider": "github"       }     }   } }

If you don't see any OIDC-related nodes in the response, there could be a few reasons: 1. The OIDC provider might not be properly configured in your Ory Kratos setup. 2. There might be an issue with the flow initialization or the API request. 3. The OIDC method might not be fully enabled or recognized by the system despite the configuration. To troubleshoot, you can try the following: 1. Double-check your OIDC provider configuration in the Ory Kratos settings. 2. Ensure that you're using the latest version of Ory Kratos, as features and behaviors may change between versions. 3. Review the Ory Kratos logs for any errors or warnings related to OIDC initialization. If the issue persists, you might want to consult the [Ory documentation](https://www.ory.sh/docs/) for more detailed troubleshooting steps or reach out to the Ory community for support.

Thank you for providing more context about your situation. Since you can sign up using Google, it does indeed suggest that your OIDC provider configuration is correct. Let's explore this issue further based on the information available in the knowledge sources. Given that you're using Ory Kratos version v1.3.0 and can successfully sign up with Google, the issue might be related to how the settings flow is handling the OIDC method for existing users. Here's what we can infer: 1. The OIDC method is correctly configured for registration, as evidenced by your ability to sign up with Google. 2. The settings flow might not be displaying the link option as expected for users who have already registered. Based on the [Settings flow documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings), the OIDC method in the settings flow is specifically designed for linking and unlinking social sign-in providers. The documentation states: "When the

oidc

method is enabled, it will be part of the

methods

payload in the Settings Flow" However, it's important to note that the link and unlink options are presented differently depending on the user's current state. According to the [User account linking documentation](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account), users can link accounts: - To start signing in with a profile created in a social sign-in provider when they originally signed up with email and password - To link another social sign-in provider to their profile Given that you've registered with a password, you should see an option to link your account with Google. If this option is not appearing, it could be due to one of the following reasons: 1. The settings flow might not be correctly initialized or fetched. 2. There might be a specific behavior in version v1.3.0 that's affecting the display of link options. To troubleshoot this issue, you could try the following: 1. Ensure you're fetching the settings flow correctly. You might want to check the full response from the

/self-service/settings/api

endpoint to see if there are any OIDC-related nodes at all. 2. Try to manually construct a link request to the OIDC provider, as described in the [Settings flow payloads documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20). 3. If possible, consider upgrading to the latest version of Ory Kratos, as there might have been fixes or improvements to this functionality in newer versions. If the issue persists after trying these steps, it would be advisable to open an issue on the [Ory Kratos GitHub repository](https://github.com/ory/kratos) with a detailed description of your setup and the steps to reproduce the problem. The Ory team or community might be able to provide more specific guidance based on your exact configuration and use case.

deleted (too long)

Sorry @rough-policeman-54679, I seem to be having a bit of trouble. Don't worry though, I've pinged my support folks and they will try to fix me up! 🧑‍💻 Perhaps try again in 5mins?

Sorry @rough-policeman-54679, I seem to be having a bit of trouble. Don't worry though, I've pinged my support folks and they will try to fix me up! 🧑‍💻 Perhaps try again in 5mins?

@chilly-king-10285 Here is the response I get when calling

/self-service/settings/api

I cannot see anything related to OIDC

{
  "id": "b77aefae-1ee1-4ce8-9b97-43141e1bbbb8",
  "type": "api",
  "expires_at": "2024-10-30T11:02:03.282287994Z",
  "issued_at": "2024-10-30T10:02:03.282287994Z",
  "request_url": "<http://127.0.0.1:4433/self-service/settings/api>",
  "ui": {
    "action": "<http://myname.local/baracoda/prconfiguration/dev/kratos/self-service/settings?flow=b77aefae-1ee1-4ce8-9b97-43141e1bbbb8>",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "uxz1ZeiXLPxQ/+eiuvgcd8pmHidSUKk1XWP40qwPojhaPehjlSOf5Xq3topVC9tLGfkl5yAOPlRqzJmx+2fTLw==",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {}
      },
      {
        "type": "input",
        "group": "profile",
        "attributes": {
          "name": "traits.email",
          "type": "email",
          "value": "<mailto:hello.world@gmail.com|hello.world@gmail.com>",
          "required": true,
          "autocomplete": "email",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070002,
            "text": "E-Mail",
            "type": "info",
            "context": {
              "title": "E-Mail"
            }
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "autocomplete": "new-password",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070003,
            "text": "Save",
            "type": "info"
          }
        }
      }
    ]
  },
  "identity": {
    "id": "61a55b79-50b3-40e7-99b1-ed09bd6a2275",
    "schema_id": "default",
    "schema_url": "<http://myname.local/baracoda/prconfiguration/dev/kratos/schemas/ZGVmYXVsdA>",
    "state": "active",
    "state_changed_at": "2024-10-30T10:01:51.487416Z",
    "traits": {
      "email": "<mailto:hello.world@gmail.com|hello.world@gmail.com>"
    },
    "verifiable_addresses": [
      {
        "id": "bca6be1a-ab5e-4884-90b7-b98c3d3ed815",
        "value": "<mailto:hello.world@gmail.com|hello.world@gmail.com>",
        "verified": false,
        "via": "email",
        "status": "pending",
        "created_at": "2024-10-30T10:01:51.488762Z",
        "updated_at": "2024-10-30T10:01:51.488762Z"
      }
    ],
    "recovery_addresses": [
      {
        "id": "25e7dc4d-b886-4bfa-9a69-fcfb7eef7dd3",
        "value": "<mailto:hello.world@gmail.com|hello.world@gmail.com>",
        "via": "email",
        "created_at": "2024-10-30T10:01:51.489406Z",
        "updated_at": "2024-10-30T10:01:51.489406Z"
      }
    ],
    "metadata_public": null,
    "created_at": "2024-10-30T10:01:51.48813Z",
    "updated_at": "2024-10-30T10:01:51.48813Z",
    "organization_id": null
  },
  "state": "show_form"
}

Based on the response you've provided from the

/self-service/settings/api

endpoint, you are correct that there is no OIDC-related information present. This is unexpected, given that you have enabled both OIDC and password methods in your configuration. The response shows only the password and profile settings options, which suggests that the OIDC method is not being included in the settings flow for some reason. Here are a few observations and potential reasons for this: 1. Configuration mismatch: Although you've enabled OIDC in the configuration, it's possible that this setting is not being applied correctly or is being overridden somewhere else in the system. 2. Version-specific behavior: You mentioned using Ory Kratos version v1.3.0. It's possible that this version has a specific behavior or bug related to OIDC in the settings flow. 3. User state: The system might not be recognizing that the user should have OIDC options available, possibly due to how the account was created or how the session is being managed. 4. API endpoint behavior: The

/self-service/settings/api

endpoint might be behaving differently than expected in this version or configuration. To troubleshoot this issue, you could try the following: 1. Double-check your Ory Kratos configuration to ensure that the OIDC settings are correctly applied and not being overridden elsewhere. 2. Consider upgrading to a newer version of Ory Kratos if possible, as this issue might have been addressed in later releases. 3. Try initializing a new settings flow and compare the results to see if the OIDC options appear. 4. Check the Ory Kratos logs for any warnings or errors related to OIDC initialization during the settings flow. 5. Verify that the OIDC provider (Google in your case) is correctly configured and recognized by Ory Kratos. If none of these steps resolve the issue, it would be advisable to open an issue on the [Ory Kratos GitHub repository](https://github.com/ory/kratos) with your configuration details, the steps to reproduce the problem, and the full API response. The Ory team or community might be able to provide more specific guidance based on your exact setup and the version you're using. Remember that the behavior of Ory Kratos can be quite complex and dependent on various configuration settings and the specific version in use. If you continue to face issues, seeking direct support from the Ory community or considering an upgrade to a more recent version might be your best options.

@chilly-king-10285 I verified the OIDC settings and they look good because I am able to create an account using Google sign-in. I have tried latest version v1.3.1 as well as v1.3.0. I tried to initialize multiple settings flow with the same result. Is there any chance that the identity email needs to be verified before getting

link

options in settings flow ?

Based on the information provided in the knowledge sources and your question, there is indeed a possibility that email verification could be related to the absence of the

link

options in the settings flow. Let's explore this further. While there's no explicit mention in the provided documents that email verification is required for OIDC linking options to appear in the settings flow, we can infer some relevant information: 1. Email verification is an important feature in Ory Kratos, as mentioned in the [Address verification documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation). 2. The response you shared from the

/self-service/settings/api

endpoint includes a

verifiable_addresses

field, which shows your email address as unverified:

json    "verifiable_addresses": [      {        "id": "bca6be1a-ab5e-4884-90b7-b98c3d3ed815",        "value": "<mailto:hello.world@gmail.com|hello.world@gmail.com>",        "verified": false,        "via": "email",        "status": "pending",        "created_at": "2024-10-30T10:01:51.488762Z",        "updated_at": "2024-10-30T10:01:51.488762Z"      }    ]

3. Some Ory features can be configured to require verified email addresses. For example, there's an option to [allow login only with verified email](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#allow-login-only-with-verified-email). Given this information, it's plausible that email verification could be a prerequisite for displaying OIDC linking options in the settings flow, although this is not explicitly stated in the provided documentation. To test this hypothesis, you could try the following: 1. Verify your email address using the verification flow described in the [Address verification documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation). 2. After verifying your email, initiate a new settings flow and check if the OIDC linking options appear. If the OIDC options appear after email verification, it would confirm that email verification is indeed a requirement for displaying these options. If the issue persists even after email verification, it would be advisable to: 1. Check your Ory Kratos configuration for any settings that might be restricting the display of OIDC options in the settings flow. 2. Review the Ory Kratos logs for any relevant messages or errors. 3. Consider opening an issue on the [Ory Kratos GitHub repository](https://github.com/ory/kratos) with a detailed description of your setup, configuration, and the steps you've taken to troubleshoot. Remember that the behavior of Ory Kratos can be complex and dependent on various configuration settings. If you continue to face issues after trying these steps, seeking direct support from the Ory community would be your best option for resolving this specific problem.

Thank you for providing additional details about your troubleshooting efforts. It's clear that you've been thorough in your approach, trying different versions and verifying emails. Since the issue persists across multiple versions and scenarios, let's focus on the configuration. To enable linking between Google (OIDC) and email accounts, you need a minimal configuration that includes both methods. Here's a basic configuration that should allow for account linking:

yaml
selfservice:
  methods:
    password:
      enabled: true
    oidc:
      enabled: true
      config:
        providers:
          - id: google
            provider: google
            client_id: your_google_client_id
            client_secret: your_google_client_secret
            mapper_url: file:///path/to/oidc.google.jsonnet
  flows:
    settings:
      ui_url: <http://your-ui-url/settings>
      privileged_session_max_age: 15m

identity:
  schemas:
    - id: default
      url: file:///path/to/identity.schema.json

Make sure to replace

your_google_client_id

,

your_google_client_secret

,

/path/to/oidc.google.jsonnet

,

<http://your-ui-url/settings>

, and

/path/to/identity.schema.json

with your actual values. The

oidc.google.jsonnet

file should map the Google OIDC claims to your identity schema. A basic example might look like this:

jsonnet
{
  identity: {
    traits: {
      email: claims.email,
    },
  },
}

Your

identity.schema.json

should include an email field in the traits, for example:

json
{
  "$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",
  "$schema": "<http://json-schema.org/draft-07/schema#>",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "<http://ory.sh/kratos|ory.sh/kratos>": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        }
      }
    }
  }
}

If you've already implemented a configuration similar to this and are still not seeing the

link

option in the settings flow, here are a few more suggestions: 1. Ensure that your OIDC provider (Google) is correctly configured in the Ory Console or your configuration file. 2. Check if there are any network issues preventing communication between Ory Kratos and the OIDC provider. 3. Try to manually trigger an OIDC flow to see if it works outside of the settings context. 4. Review the [Social Sign-In documentation](https://www.ory.sh/docs/kratos/social-signin/overview) to ensure all necessary steps for Google integration are completed.

Thank you for providing additional details about your troubleshooting efforts. It's clear that you've been thorough in your approach, trying different versions and verifying emails. Since the issue persists across multiple versions and scenarios, let's focus on the configuration. To enable linking between Google (OIDC) and email accounts, you need a minimal configuration that includes both methods. Here's a basic configuration that should allow for account linking:

yaml selfservice:   methods:     password:       enabled: true     oidc:       enabled: true       config:         providers:           - id: google             provider: google             client_id: your_google_client_id             client_secret: your_google_client_secret             mapper_url: file:///path/to/oidc.google.jsonnet   flows:     settings:       ui_url: <http://your-ui-url/settings>       privileged_session_max_age: 15m  identity:   schemas:     - id: default       url: file:///path/to/identity.schema.json

Make sure to replace

your_google_client_id

,

your_google_client_secret

,

/path/to/oidc.google.jsonnet

,

<http://your-ui-url/settings>

, and

/path/to/identity.schema.json

with your actual values. The

oidc.google.jsonnet

file should map the Google OIDC claims to your identity schema. A basic example might look like this:

jsonnet {   identity: {     traits: {       email: claims.email,     },   }, }

Your

identity.schema.json

should include an email field in the traits, for example:

json {   "$id": "<https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json>",   "$schema": "<http://json-schema.org/draft-07/schema#>",   "title": "Person",   "type": "object",   "properties": {     "traits": {       "type": "object",       "properties": {         "email": {           "type": "string",           "format": "email",           "title": "E-Mail",           "<http://ory.sh/kratos|ory.sh/kratos>": {             "credentials": {               "password": {                 "identifier": true               }             },             "verification": {               "via": "email"             },             "recovery": {               "via": "email"             }           }         }       }     }   } }

If you've already implemented a configuration similar to this and are still not seeing the

link

option in the settings flow, here are a few more suggestions: 1. Ensure that your OIDC provider (Google) is correctly configured in the Ory Console or your configuration file. 2. Check if there are any network issues preventing communication between Ory Kratos and the OIDC provider. 3. Try to manually trigger an OIDC flow to see if it works outside of the settings context. 4. Review the [Social Sign-In documentation](https://www.ory.sh/docs/kratos/social-signin/overview) to ensure all necessary steps for Google integration are completed. 5. If possible, enable debug logging in Ory Kratos to get more detailed information about what's happening during the settings flow. If you've tried all these steps and the issue persists, it might be worth opening an issue on the [Ory Kratos GitHub repository](https://github.com/ory/kratos) with your full configuration (make sure to redact sensitive information) and detailed steps to reproduce the problem. The Ory team or community might be able to spot something specific to your setup that's causing this behavior.

Thank you for providing your configuration details. After reviewing the configuration you've shared, I don't see any obvious issues that would prevent the OIDC linking options from appearing in the settings flow. Your configuration seems to include the necessary elements for both password and OIDC (Google) authentication methods. However, there are a few points to consider and potential improvements: 1. The

selfservice.flows.settings

configuration is missing the

ui_url

parameter. While this might not directly cause the issue you're experiencing, it's generally recommended to set this URL. It should point to your UI for handling settings flows [Source](https://www.ory.sh/docs/kratos/self-service/flows/user-settings). 2. Your Google OIDC configuration looks correct, including the necessary scopes and requested claims. The

mapper_url

is correctly pointing to a local file. 3. The Google jsonnet config is very basic. While it should work, you might want to consider mapping more fields if your identity schema allows for it. For example:

jsonnet    {      identity: {        traits: {          email: claims.email,          // Add more mappings if your schema includes them          // first_name: claims.given_name,          // last_name: claims.family_name,        },      },    }

4. Your identity schema looks correct and includes the necessary Ory Kratos extensions for email verification and recovery. Given that your configuration appears to be correct, the issue might lie elsewhere. Here are a few additional things to check: 1. Ensure that the file paths for

mapper_url

and identity schema

url

are correct and accessible to Ory Kratos. 2. Double-check that your Google OAuth credentials (client ID and secret) are correct and that the authorized redirect URIs in your Google Console project include the correct Ory Kratos callback URL. 3. Verify that you're using the correct endpoints when initiating the settings flow. The settings flow should be initiated via the

/self-service/settings/browser

or

/self-service/settings/api

endpoints [Source](https://www.ory.sh/docs/kratos/self-service/flows/user-settings). 4. Check the Ory Kratos logs for any warnings or errors related to OIDC configuration or the settings flow. If you've verified all these points and the issue persists, it might be worth opening an issue on the [Ory Kratos GitHub repository](https://github.com/ory/kratos) with your full configuration (make sure to redact sensitive information) and detailed steps to reproduce the problem. The Ory team or community might be able to provide more specific guidance based on your exact setup and the version you're using.