shy-student-44422
11/21/2024, 5:16 PMbrief-egg-61061
11/21/2024, 5:16 PMbrief-egg-61061
11/21/2024, 5:17 PMjson
{
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
}
}
}
}
}
}
}
}
[Identity Schema Documentation](https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password)
2. API Registration with Email Only:
You can use the Kratos API to create a user with just an email. Here's an example cURL command:
bash
curl -X POST -H "Content-Type: application/json" \
-d '{"traits.email": "<mailto:user@example.com|user@example.com>"}' \
"https://$<http://PROJECT_SLUG.projects.oryapis.com/admin/identities|PROJECT_SLUG.projects.oryapis.com/admin/identities>"
[API Registration Documentation](https://www.ory.sh/docs/kratos/manage-identities/invite-users)
3. Recovery Email Configuration:
To enable account recovery, you need to configure the recovery address in your identity schema:
json
{
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
}
},
"recovery": {
"via": "email"
}
}
}
}
}
}
}
[Account Recovery Configuration](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address)
4. Enable Recovery Flow:
Make sure the recovery flow is enabled in your Kratos configuration:
yaml
selfservice:
flows:
recovery:
enabled: true
ui_url: <http://127.0.0.1:4455/recovery>
[Recovery Flow Configuration](https://www.ory.sh/docs/kratos/quickstart#account-recovery)
5. SMTP Configuration:
Ensure that you have configured SMTP for sending emails:
yaml
courier:
smtp:
connection_uri: <smtps://username:password@smtp-server:1234/>
[SMTP Configuration](https://www.ory.sh/docs/kratos/self-hosted/account-activation-email-verification)brief-egg-61061
11/21/2024, 5:17 PMjson { "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } } } } } } } }
[Identity Schema Documentation](https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password) 2. API Registration with Email Only: You can use the Kratos API to create a user with just an email. Here's an example cURL command: bash curl -X POST -H "Content-Type: application/json" \ -d '{"traits.email": "<mailto:user@example.com|user@example.com>"}' \ "https://$<http://PROJECT_SLUG.projects.oryapis.com/admin/identities|PROJECT_SLUG.projects.oryapis.com/admin/identities>"
[API Registration Documentation](https://www.ory.sh/docs/kratos/manage-identities/invite-users) 3. Recovery Email Configuration: To enable account recovery, you need to configure the recovery address in your identity schema: json { "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } }, "recovery": { "via": "email" } } } } } } }
[Account Recovery Configuration](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address) 4. Enable Recovery Flow: Make sure the recovery flow is enabled in your Kratos configuration: yaml selfservice: flows: recovery: enabled: true ui_url: <http://127.0.0.1:4455/recovery>
[Recovery Flow Configuration](https://www.ory.sh/docs/kratos/quickstart#account-recovery) 5. SMTP Configuration: Ensure that you have configured SMTP for sending emails: yaml courier: smtp: connection_uri: <smtps://username:password@smtp-server:1234/>
[SMTP Configuration](https://www.ory.sh/docs/kratos/self-hosted/account-activation-email-verification) With these configurations in place, users can register via the UI with email and password, or you can create accounts via API with just an email. In both cases, users can use the recovery flow to set or reset their password.shy-student-44422
11/22/2024, 11:49 AMbrief-egg-61061
11/22/2024, 11:49 AMbrief-egg-61061
11/22/2024, 11:50 AMbash curl --request POST -sL \ --header "Authorization: Bearer {ORY_API_KEY}" \ --header "Content-Type: application/json" \ --data '{ "schema_id": "<preset://email>", "traits": { "email": "$USER_EMAIL_ADDRESS" } }' https://{project-slug}.<http://projects.oryapis.com/admin/identities|projects.oryapis.com/admin/identities>
2. After creating the user, you need to manually trigger the recovery process for this user. You can do this by creating a recovery link for the newly created identity: bash curl --request POST -sL \ --header "Authorization: Bearer {ORY_API_KEY}" \ --header "Content-Type: application/json" \ --data '{ "expires_in": "12h", "identity_id": "$ACCOUNT_ID" }' https://{project-slug}.<http://projects.oryapis.com/admin/recovery/link|projects.oryapis.com/admin/recovery/link>
This will return a recovery link in the response [as shown in the documentation](https://www.ory.sh/docs/kratos/manage-identities/account-recovery#magic-links). 3. You would then need to send this recovery link to the user's email address. Currently, Kratos does not provide a built-in way to send this email directly, as mentioned in the documentation: "It is currently not possible to send the recovery link directly to a user's email, this feature is tracked as [#595](https://github.com/ory/kratos/issues/595)." 4. When the user clicks on the recovery link, they will be able to set their password and gain access to their account. It's important to note that this process requires you to implement the email sending functionality yourself. You would need to use the recovery link generated by Kratos and send it to the user's email address using your own email service. Remember to ensure that your Kratos configuration has the recovery flow enabled and properly configured, as mentioned in the [Account Recovery Configuration documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address). This approach allows you to register users with only an email and then provide them with a way to set their password through the recovery process. However, it does require additional steps on your part to send the recovery email.shy-student-44422
11/22/2024, 12:01 PMbrief-egg-61061
11/22/2024, 12:01 PMbrief-egg-61061
11/22/2024, 12:01 PMshy-student-44422
11/22/2024, 4:51 PMoauth2TokenExchange()
from the php sdkbrief-egg-61061
11/22/2024, 4:51 PMbrief-egg-61061
11/22/2024, 4:51 PMoauth2TokenExchange()
method from the PHP SDK for Ory. The oauth2TokenExchange()
method is not directly mentioned in the provided documentation for the PHP SDK. However, the OAuth2 token exchange endpoint is described in the Ory API Reference [OAuth2 Token Endpoint documentation](https://www.ory.sh/docs/reference/api). It's important to note that Ory recommends not using their SDK for OAuth2 token exchange. Instead, they suggest using well-established open-source libraries for handling OAuth2 flows. As stated in the [Ory SDK documentation](https://www.ory.sh/docs/sdk): "This endpoint should not be used via the Ory SDK and is only included for technical reasons. Instead, use one of the libraries linked above." The documentation further emphasizes this point in the [Hydra SDK Overview](https://www.ory.sh/docs/hydra/sdk/overview): "The Ory Hydra SDK doesn't provide a comprehensive API for handling OAuth 2.0 flows such as the authorization code flow and refresh flow. Use one of the many well-established libraries for this purpose, don't write your own code to interact with OAuth 2.0." Therefore, while the OAuth2 token exchange endpoint exists in the Ory API, it's recommended to use a dedicated OAuth2 library for PHP to handle token exchanges and other OAuth2 flows, rather than using the Ory SDK directly for this purpose. If you need to implement OAuth2 flows in your PHP application, you should look for a well-established OAuth2 library that is compatible with Ory's OAuth2 implementation.shy-student-44422
11/22/2024, 4:54 PMdiscoverJsonWebKeys()
?brief-egg-61061
11/22/2024, 4:54 PMbrief-egg-61061
11/22/2024, 4:54 PMdiscoverJsonWebKeys()
method. The discoverJsonWebKeys()
method is indeed available and documented in the Ory API. This method is used to discover JSON Web Keys, which are essential for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT Access Tokens. Here's what you need to know about `discoverJsonWebKeys()`: 1. Endpoint: The method corresponds to a GET request to the /.well-known/jwks.json
endpoint [as documented in the Ory API Reference](https://www.ory.sh/docs/reference/api). 2. Purpose: It returns JSON Web Keys required for verifying OpenID Connect ID Tokens and OAuth 2.0 JWT Access Tokens (if enabled) [Ory API Reference](https://www.ory.sh/docs/reference/api). 3. Usage: This endpoint can be used with client libraries like [node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) and others [Ory API Reference](https://www.ory.sh/docs/reference/api). 4. Authentication: This operation does not require authentication [Ory API Reference](https://www.ory.sh/docs/reference/api). 5. Response: The response will be a JSON Web Key Set, containing an array of JSON Web Key (JWK) values [Ory API Reference](https://www.ory.sh/docs/reference/api). While the method is available in the API, it's important to note that the specific implementation in the PHP SDK isn't directly mentioned in the provided documentation. However, given that it's a standard endpoint in the Ory API, it's likely that the PHP SDK provides a way to access this endpoint. If you're using the PHP SDK, you should be able to use a method similar to discoverJsonWebKeys()
to access this functionality. However, to be certain, I recommend checking the PHP SDK documentation or the SDK's source code for the exact method name and usage. Remember, this endpoint is publicly accessible and doesn't require authentication, so you can also make a direct HTTP GET request to /.well-known/jwks.json
if needed.shy-student-44422
01/21/2025, 10:13 AMfunction(ctx) {
oryUuid: ctx.identity.id,
email: ctx.identity.traits.email
}
I would like to add the googleId and appleId
Where do I get these informations ?brief-egg-61061
01/21/2025, 10:13 AMbrief-egg-61061
01/21/2025, 10:14 AMjsonnet
{
identity: {
traits: {
// other traits...
email: claims.email,
},
metadata_public: {
google_id: claims.sub, // for Google
apple_id: claims.sub, // for Apple
},
},
}
4. Accessing in Webhook:
Once you've mapped these IDs to your identity, you should be able to access them in your webhook. The exact path depends on where you mapped them in your identity structure. If you followed the example above, you might access them like this:
javascript
function(ctx) {
return {
oryUuid: ctx.identity.id,
email: ctx.identity.traits.email,
googleId: ctx.identity.metadata_public.google_id,
appleId: ctx.identity.metadata_public.apple_id
}
}
Please note that the exact structure might vary based on your specific configuration and data mapping.
5. Verifying the Data:
After implementing this, you should verify that the data is indeed being captured and stored as expected. You can do this by inspecting the identity data after a social sign-in registration.
Remember, the key to making this work is in the data mapping configuration for your social sign-in providers. Make sure you're capturing the provider-specific IDs in your identity structure, and then you'll be able to access them in your webhook.
If you need more specific guidance, you might want to review your current social sign-in configuration and data mapping, as the exact implementation can vary based on these settings.brief-egg-61061
01/21/2025, 10:14 AMjsonnet { identity: { traits: { // other traits... email: claims.email, }, metadata_public: { google_id: claims.sub, // for Google apple_id: claims.sub, // for Apple }, }, }
4. Accessing in Webhook: Once you've mapped these IDs to your identity, you should be able to access them in your webhook. The exact path depends on where you mapped them in your identity structure. If you followed the example above, you might access them like this: javascript function(ctx) { return { oryUuid: ctx.identity.id, email: ctx.identity.traits.email, googleId: ctx.identity.metadata_public.google_id, appleId: ctx.identity.metadata_public.apple_id } }
Please note that the exact structure might vary based on your specific configuration and data mapping. 5. Verifying the Data: After implementing this, you should verify that the data is indeed being captured and stored as expected. You can do this by inspecting the identity data after a social sign-in registration. Remember, the key to making this work is in the data mapping configuration for your social sign-in providers. Make sure you're capturing the provider-specific IDs in your identity structure, and then you'll be able to access them in your webhook. If you need more specific guidance, you might want to review your current social sign-in configuration and data mapping, as the exact implementation can vary based on these settings. [Social Sign-In Documentation](https://www.ory.sh/docs/kratos/social-signin/overview) [Data Mapping Documentation](https://www.ory.sh/docs/kratos/social-signin/data-mapping)shy-student-44422
01/21/2025, 10:35 AMbody: "<base64://ZnVuY3Rpb24oY3R4KSB7CiAgb3J5VXVpZDogY3R4LmlkZW50aXR5LmlkLAogIGV>tYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogIGdvb2dsZUlkOiBjdHguaWRlbnRpdHkudHJhaXRzLmdvb2dsZUlkLAp9"
shy-student-44422
01/21/2025, 10:37 AM"error": {
"code": 500,
"status": "Internal Server Error",
"message": "base64decode: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgb3J5VXVpZDogY3R4LmlkZW50aXR5LmlkLAogIGV>tYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogIGdvb2dsZUlkOiBjdHguaWRlbnRpdHkudHJhaXRzLmdvb2dsZUlkLAp9=: illegal base64 data at input byte 164"
@chilly-king-10285brief-egg-61061
01/21/2025, 10:37 AMbrief-egg-61061
01/21/2025, 10:37 AMjavascript function(ctx) { oryUuid: ctx.identity.id, email: ctx.identity.traits.email, googleId: ctx.identity.traits.googleId, }
2. The issue is that this JavaScript object is not properly formatted. It should be wrapped in curly braces and use colons instead of equal signs. Here's the corrected version: javascript function(ctx) { return { oryUuid: ctx.identity.id, email: ctx.identity.traits.email, googleId: ctx.identity.traits.googleId } }
3. Now, let's encode this correctly formatted function into base64: ZnVuY3Rpb24oY3R4KSB7CiAgcmV0dXJuIHsKICAgIG9yeVV1aWQ6IGN0eC5pZGVudGl0eS5pZCwKICAgIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogICAgZ29vZ2xlSWQ6IGN0eC5pZGVudGl0eS50cmFpdHMuZ29vZ2xlSWQKICB9Cn0=
When setting up your webhook in Ory, use this new base64 encoded string for the body
field. For example: yaml hooks: - hook: web_hook config: url: <https://your-webhook-url.com> method: POST body: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgcmV0dXJuIHsKICAgIG9yeVV1aWQ6IGN0eC5pZGVudGl0eS5pZCwKICAgIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogICAgZ29vZ2xlSWQ6IGN0eC5pZGVudGl0eS50cmFpdHMuZ29vZ2xlSWQKICB9Cn0>=
This should resolve the base64 decoding error you're experiencing. Remember to ensure that your identity schema includes the googleId
trait if you're planning to use it. If you continue to experience issues, you might want to double-check your [webhook configuration](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors) and ensure all other parameters are correctly set.shy-student-44422
01/21/2025, 10:42 AM"error": {
"code": 500,
"status": "Internal Server Error",
"message": "jsonnetsecure: ERROR: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgcmV0dXJuIHsKICAgIG9yeVV1aWQ6IGN0eC5pZGV>udGl0eS5pZCwKICAgIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogICAgZ29vZ2xlSWQ6IGN0eC5pZGVudGl0eS50cmFpdHMuZ29vZ2xlSWQKICB9Cn0=:2:10-11 Expected token OPERATOR but got \"{\"\n\n return {\n\n"
brief-egg-61061
01/21/2025, 10:42 AMbrief-egg-61061
01/21/2025, 10:42 AMjsonnet function(ctx) { oryUuid: ctx.identity.id, email: ctx.identity.traits.email, googleId: ctx.identity.traits.googleId }
Now, let's encode this correctly formatted Jsonnet snippet into base64: ZnVuY3Rpb24oY3R4KSB7CiAgb3J5VXVpZDogY3R4LmlkZW50aXR5LmlkLAogIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogIGdvb2dsZUlkOiBjdHguaWRlbnRpdHkudHJhaXRzLmdvb2dsZUlkCn0=
When setting up your webhook in Ory, use this new base64 encoded string for the body
field. For example: yaml hooks: - hook: web_hook config: url: <https://your-webhook-url.com> method: POST body: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgb3J5VXVpZDogY3R4LmlkZW50aXR5LmlkLAogIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogIGdvb2dsZUlkOiBjdHguaWRlbnRpdHkudHJhaXRzLmdvb2dsZUlkCn0>=
This adjustment should resolve the Jsonnet parsing error you're experiencing. The key changes are: 1. Removed the return
statement and the extra set of curly braces. 2. Kept the function as a simple key-value mapping. Remember to ensure that your identity schema includes the googleId
trait if you're planning to use it. If you continue to experience issues, you might want to review the [Ory Actions webhook guide](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks) for more details on configuring webhooks correctly.shy-student-44422
01/21/2025, 10:44 AM"error": {
"code": 500,
"status": "Internal Server Error",
"message": "jsonnetsecure: ERROR: RUNTIME ERROR: Field does not exist: googleId\n\<tbase64://ZnVuY3Rpb24oY3R4KSB7CiAgb3J5VXVpZDogY3R4LmlkZW50aXR5LmlkLAogIGV>tYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogIGdvb2dsZUlkOiBjdHguaWRlbnRpdHkudHJhaXRzLmdvb2dsZUlkCn0=:4:13-41\tobject <anonymous>\n\tField \"googleId\"\t\n\tDuring manifestation\t\n"
how to add it only if it exists ?brief-egg-61061
01/21/2025, 10:44 AMbrief-egg-61061
01/21/2025, 10:45 AMgoogleId
field only if it exists, we need to modify the Jsonnet code to conditionally include this field. We can use Jsonnet's object comprehension feature to achieve this. Here's how we can update the code: jsonnet function(ctx) { oryUuid: ctx.identity.id, email: ctx.identity.traits.email, [if std.objectHas(ctx.identity.traits, 'googleId') then 'googleId']: ctx.identity.traits.googleId }
Now, let's encode this updated Jsonnet snippet into base64: ZnVuY3Rpb24oY3R4KSB7CiAgb3J5VXVpZDogY3R4LmlkZW50aXR5LmlkLAogIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogIFtpZiBzdGQub2JqZWN0SGFzKGN0eC5pZGVudGl0eS50cmFpdHMsICdnb29nbGVJZCcpIHRoZW4gJ2dvb2dsZUlkJ106IGN0eC5pZGVudGl0eS50cmFpdHMuZ29vZ2xlSWQKfQ==
When setting up your webhook in Ory, use this new base64 encoded string for the body
field: yaml hooks: - hook: web_hook config: url: <https://your-webhook-url.com> method: POST body: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgb3J5VXVpZDogY3R4LmlkZW50aXR5LmlkLAogIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsLAogIFtpZiBzdGQub2JqZWN0SGFzKGN0eC5pZGVudGl0eS50cmFpdHMsICdnb29nbGVJZCcpIHRoZW4gJ2dvb2dsZUlkJ106IGN0eC5pZGVudGl0eS50cmFpdHMuZ29vZ2xlSWQKfQ>==
This modification uses std.objectHas()
to check if the googleId
field exists in ctx.identity.traits
. If it does, the field is included in the output; if not, it's omitted. This approach should resolve the error you're encountering and only include the googleId
field when it exists in the identity traits. For more information on customizing webhook payloads and using Jsonnet in Ory, you can refer to the [Ory documentation on Jsonnet templating](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#jsonnet-templating).shy-student-44422
01/21/2025, 10:47 AMbrief-egg-61061
01/21/2025, 10:47 AMbrief-egg-61061
01/21/2025, 10:48 AMkratos identities delete
. This command allows you to delete one or more identities by their ID(s). Here's how you can use it to reset all identities: 1. First, list all identities using the kratos identities list
command: kratos identities list --format json
2. Then, you can pipe this output to jq
to extract all identity IDs and pass them to the delete command: kratos delete identity $(kratos list identities --format json | jq -r '.[].id')
This command will delete all identities in your Kratos instance. [Kratos CLI Documentation](https://www.ory.sh/docs/kratos/cli/kratos-identities) However, please be extremely cautious when using this command, as it will permanently delete all identity data. Make sure you have a backup or are absolutely certain you want to delete all identities before proceeding. If you need to delete identities based on specific criteria, you can use jq
to filter the identities. For example, to delete identities with a specific email address: kratos delete identity $(kratos list identities --format json | jq -r 'map(select(.recovery_addresses[].value == "<mailto:user@example.com|user@example.com>")) | .[].id')
[Kratos Delete Identity Documentation](https://www.ory.sh/docs/kratos/cli/kratos-delete-identity) Remember to replace {ORY_API_KEY}
and {project-slug}
with your actual Ory API key and project slug when using these commands. Always exercise caution when deleting identities, especially in bulk, as this action is irreversible.shy-student-44422
01/21/2025, 10:59 AMlocal claims = {
email_verified: false,
} + std.extVar('claims');
{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
googleId: claims.sub,
},
},
}
How to make sure that it works. How to debug its content ?brief-egg-61061
01/21/2025, 10:59 AMbrief-egg-61061
01/21/2025, 11:00 AMyaml
log:
level: debug
[Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration)
3. Test the social sign-in flow:
Go through the Google sign-in process and check the Kratos logs for detailed information about the claims received and how they're being processed.
4. Inspect the identity after sign-in:
After a successful sign-in, you can inspect the created or updated identity to see if the googleId
trait is present. Use the Kratos Admin API to get the identity details:
curl --request GET \
--url 'https://{project-slug}.<http://projects.oryapis.com/admin/identities/{identity_id}|projects.oryapis.com/admin/identities/{identity_id}>' \
--header 'Authorization: Bearer {ORY_API_KEY}'
[Ory API Reference](https://www.ory.sh/docs/reference/api)
5. Use Ory Actions for debugging:
You can create an Ory Action (webhook) that fires after registration to log the entire identity object. This can help you see exactly what data is available after the sign-in process. Here's an example Jsonnet snippet for the webhook:
jsonnet
function(ctx) {
identity: ctx.identity,
traits: ctx.identity.traits,
metadata: ctx.identity.metadata_public
}
[Ory Actions Documentation](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks)
6. Check the claims
object:
In your Google mapper, you're using claims.sub
for the googleId
. Make sure that the sub
claim is actually present in the claims object returned by Google. You can modify your mapper to log all claims:
jsonnet
local claims = {
email_verified: false,
} + std.extVar('claims');
{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
googleId: claims.sub,
},
},
debug_claims: claims, // This will include all claims in the identity metadata
}
Then, inspect the debug_claims
field in the identity metadata to see all available claims.
7. Verify OAuth scopes:
Ensure that you've requested the necessary OAuth scopes from Google to receive the sub
claim. The openid
scope is typically required for this.
[Ory Social Sign-In Documentation](https://www.ory.sh/docs/kratos/social-signin/google#additional-configuration)brief-egg-61061
01/21/2025, 11:00 AMyaml log: level: debug
[Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration) 3. Test the social sign-in flow: Go through the Google sign-in process and check the Kratos logs for detailed information about the claims received and how they're being processed. 4. Inspect the identity after sign-in: After a successful sign-in, you can inspect the created or updated identity to see if the googleId
trait is present. Use the Kratos Admin API to get the identity details: curl --request GET \ --url 'https://{project-slug}.<http://projects.oryapis.com/admin/identities/{identity_id}|projects.oryapis.com/admin/identities/{identity_id}>' \ --header 'Authorization: Bearer {ORY_API_KEY}'
[Ory API Reference](https://www.ory.sh/docs/reference/api) 5. Use Ory Actions for debugging: You can create an Ory Action (webhook) that fires after registration to log the entire identity object. This can help you see exactly what data is available after the sign-in process. Here's an example Jsonnet snippet for the webhook: jsonnet function(ctx) { identity: ctx.identity, traits: ctx.identity.traits, metadata: ctx.identity.metadata_public }
[Ory Actions Documentation](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks) 6. Check the claims
object: In your Google mapper, you're using claims.sub
for the googleId
. Make sure that the sub
claim is actually present in the claims object returned by Google. You can modify your mapper to log all claims: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email, googleId: claims.sub, }, }, debug_claims: claims, // This will include all claims in the identity metadata }
Then, inspect the debug_claims
field in the identity metadata to see all available claims. 7. Verify OAuth scopes: Ensure that you've requested the necessary OAuth scopes from Google to receive the sub
claim. The openid
scope is typically required for this. [Ory Social Sign-In Documentation](https://www.ory.sh/docs/kratos/social-signin/google#additional-configuration) By following these steps, you should be able to debug the content of your Google mapper and ensure that the googleId
is being correctly mapped to the identity traits. If you're still having issues, the debug logs and identity inspection should provide more clues about what might be going wrong in the process.shy-student-44422
01/21/2025, 12:47 PMlocal claims = {
email_verified: false,
} + std.extVar('claims');
{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
googleId: claims.sub,
claims: claims,
},
metadata_public: {
email: claims.email,
googleId: claims.sub,
claims: claims
},
},
}
When I register, the webhook is fired. Then I list identities with GET /identities, but I donât see any claim in the result. Why ?brief-egg-61061
01/21/2025, 12:47 PMbrief-egg-61061
01/21/2025, 12:47 PMgoogle_mapper.json
, the traits
and metadata_public
fields are indeed stored with the identity. However, the /identities
endpoint doesn't always return all this information by default. 2. API Behavior: The GET /identities
endpoint, which is used to list identities, typically returns a simplified version of the identity information. It doesn't include all the details that are stored for each identity, especially not the full traits or metadata. 3. Viewing Full Identity Details: To see the complete identity information, including all traits and metadata, you need to retrieve a specific identity using its ID. You can do this with the GET /admin/identities/{id}
endpoint, as mentioned in the [Ory API Reference](https://www.ory.sh/docs/reference/api). curl --request GET \ --url 'https://{project-slug}.<http://projects.oryapis.com/admin/identities/{identity_id}|projects.oryapis.com/admin/identities/{identity_id}>' \ --header 'Authorization: Bearer {ORY_API_KEY}'
4. Webhook vs. API Results: The webhook you've set up receives the full context of the identity at the time of registration, which includes all the mapped data. However, this doesn't mean that all of this data is returned when listing identities through the API. 5. Privacy and Performance Considerations: The list endpoint might intentionally omit detailed information like full traits and metadata for privacy and performance reasons, especially when dealing with large numbers of identities. To verify that your claims are indeed being stored, you should: 1. Use the GET /admin/identities/{id}
endpoint to retrieve a specific identity after registration. 2. Check the traits
and metadata_public
fields in the response to see if they contain the mapped claims. If you still don't see the claims in the individual identity details, there might be an issue with how the claims are being mapped or stored. In that case, you may need to: 1. Double-check your Ory Kratos configuration to ensure it's set up to store the metadata and traits as you've defined them. 2. Review the Kratos logs (set to debug level) to see if there are any errors or warnings during the registration process. 3. Verify that the Google OAuth configuration is providing all the expected claims. Remember, storing all claims directly in the identity might not be the best practice for security and privacy reasons. Consider carefully which information you really need to store and access frequently. [Ory Kratos Identity Model Documentation](https://www.ory.sh/docs/kratos/concepts/identity-user-model) [Ory API Reference - Get Identity](https://www.ory.sh/docs/reference/api#tag/identity/operation/getIdentity)shy-student-44422
01/21/2025, 12:58 PMbrief-egg-61061
01/21/2025, 12:58 PMbrief-egg-61061
01/21/2025, 12:58 PMGET /identities/{identityId}
endpoint. Let's troubleshoot this issue step by step:
1. Verify the endpoint:
Make sure you're using the correct endpoint. The full endpoint should be:
GET https://{project-slug}.<http://projects.oryapis.com/admin/identities/{identityId}|projects.oryapis.com/admin/identities/{identityId}>
Note the /admin/
part in the URL, which is crucial for accessing the full identity details.
2. Check your authorization:
Ensure you're including the correct authorization header:
Authorization: Bearer {ORY_API_KEY}
Your API key should have the necessary permissions to access identity details.
3. Inspect the response structure:
The claims should be located in the traits
and metadata_public
fields of the response. Make sure you're looking in the right place within the JSON structure.
4. Verify the mapper:
Double-check your google_mapper.json
file. It should be correctly mapping the claims to both traits
and `metadata_public`:
jsonnet
local claims = {
email_verified: false,
} + std.extVar('claims');
{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
googleId: claims.sub,
claims: claims,
},
metadata_public: {
email: claims.email,
googleId: claims.sub,
claims: claims
},
},
}
5. Check Kratos configuration:
Ensure that your Kratos configuration allows storing these fields. Check your identity schema to make sure it includes definitions for googleId
and claims
.
6. Debug with logs:
Enable debug logging in your Kratos configuration and examine the logs during the registration process to see if there are any errors or warnings related to storing the claims.
7. Test with a new registration:
Try registering a new user and then immediately check their identity details. This will help determine if the issue is with storing the data or retrieving it.
8. Use the Ory CLI:
If you have access to the Ory CLI, you can try retrieving the identity details using the command:
ory get identity {identityId}
This might provide more detailed output.
9. Check for data sanitization:
Ory might be sanitizing or omitting certain data for security reasons. Make sure you're not trying to store sensitive information that Ory automatically removes.
If after trying these steps you still don't see the claims, there might be an issue with how Ory is processing or storing the data from your mapper. In this case, I would recommend reaching out to Ory support directly with the specific details of your setup, including your configuration, mapper file, and an example of the API response you're receiving.brief-egg-61061
01/21/2025, 12:58 PMGET /identities/{identityId}
endpoint. Let's troubleshoot this issue step by step: 1. Verify the endpoint: Make sure you're using the correct endpoint. The full endpoint should be: GET https://{project-slug}.<http://projects.oryapis.com/admin/identities/{identityId}|projects.oryapis.com/admin/identities/{identityId}>
Note the /admin/
part in the URL, which is crucial for accessing the full identity details. 2. Check your authorization: Ensure you're including the correct authorization header: Authorization: Bearer {ORY_API_KEY}
Your API key should have the necessary permissions to access identity details. 3. Inspect the response structure: The claims should be located in the traits
and metadata_public
fields of the response. Make sure you're looking in the right place within the JSON structure. 4. Verify the mapper: Double-check your google_mapper.json
file. It should be correctly mapping the claims to both traits
and `metadata_public`: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email, googleId: claims.sub, claims: claims, }, metadata_public: { email: claims.email, googleId: claims.sub, claims: claims }, }, }
5. Check Kratos configuration: Ensure that your Kratos configuration allows storing these fields. Check your identity schema to make sure it includes definitions for googleId
and claims
. 6. Debug with logs: Enable debug logging in your Kratos configuration and examine the logs during the registration process to see if there are any errors or warnings related to storing the claims. 7. Test with a new registration: Try registering a new user and then immediately check their identity details. This will help determine if the issue is with storing the data or retrieving it. 8. Use the Ory CLI: If you have access to the Ory CLI, you can try retrieving the identity details using the command: ory get identity {identityId}
This might provide more detailed output. 9. Check for data sanitization: Ory might be sanitizing or omitting certain data for security reasons. Make sure you're not trying to store sensitive information that Ory automatically removes. If after trying these steps you still don't see the claims, there might be an issue with how Ory is processing or storing the data from your mapper. In this case, I would recommend reaching out to Ory support directly with the specific details of your setup, including your configuration, mapper file, and an example of the API response you're receiving. Remember, handling OAuth claims requires careful consideration of security and privacy implications. Always ensure you're following best practices for data storage and access. [Ory Kratos Identity Management](https://www.ory.sh/docs/kratos/manage-identities/overview) [Ory API Reference - Get Identity](https://www.ory.sh/docs/reference/api#tag/identity/operation/getIdentity)shy-student-44422
01/21/2025, 1:01 PM{
"$id": "<https://schemas.timada.co/presets/kratos/default.json>",
"$schema": "<http://json-schema.org/draft-07/schema#>",
"title": "User",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-mail du titulaire du compte",
"minLength": 3,
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
},
"code": {
"identifier": true,
"via": "email"
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
}
}
brief-egg-61061
01/21/2025, 1:01 PMbrief-egg-61061
01/21/2025, 1:02 PMidentity.schema.json
. This schema defines the structure of user identities in your Ory Kratos setup. Let's break down the key components of this schema: 1. The schema is for a "User" object. 2. It defines a single required trait: "email". 3. The email trait has several important configurations: - It must be a string in email format. - It has a minimum length of 3 characters. - It's used as an identifier for password-based authentication. - It's used for email-based one-time code authentication. - It's used for email verification. - It's used for account recovery via email. This is a basic but functional schema for managing user identities with email-based authentication and account management. However, it doesn't include any fields for storing additional user information or social login identifiers like googleId
. If you want to store additional information from social logins (like Google), you'll need to modify this schema. For example, to add a googleId
field, you could update the schema like this: json { "$id": "<https://schemas.timada.co/presets/kratos/default.json>", "$schema": "<http://json-schema.org/draft-07/schema#>", "title": "User", "type": "object", "properties": { "traits": { "type": "object", "properties": { "email": { // ... (keep the existing email configuration) }, "googleId": { "type": "string", "title": "Google ID" } }, "required": ["email"], "additionalProperties": false } } }
This modification would allow you to store the Google ID for users who sign in with Google. Remember to update your google_mapper.json
to map the Google ID to this new trait. If you want to store all claims from social logins, you might consider adding a more flexible field: json "socialClaims": { "type": "object", "title": "Social Login Claims" }
This would allow you to store various claims from different social login providers. Remember, after modifying the identity schema, you'll need to update it in your Ory Kratos configuration. You can do this through the Ory Console or using the Ory CLI. [Identity Schema Documentation](https://www.ory.sh/docs/kratos/manage-identities/identity-schema) If you have any specific questions about modifying your schema or implementing social login, please feel free to ask!shy-student-44422
01/21/2025, 1:21 PM"traits": {
"email": "<mailto:some@mail.fr|some@mail.fr>",
"socialClaims": {}
},
brief-egg-61061
01/21/2025, 1:21 PMbrief-egg-61061
01/21/2025, 1:22 PMsocialClaims
field is being added to your identity traits as expected, but it's empty. This could be due to a few reasons:
1. Mapper Configuration: The google_mapper.json
file might not be correctly mapping the claims to the socialClaims
field. Let's review and adjust your mapper:
jsonnet
local claims = {
email_verified: false,
} + std.extVar('claims');
{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
socialClaims: claims, // This will store all claims in the socialClaims object
},
},
}
2. Scope Configuration: Ensure that you've requested the necessary scopes from Google to receive the claims you're interested in. In your Ory configuration for the Google provider, make sure you have the required scopes:
yaml
selfservice:
methods:
oidc:
config:
providers:
- id: google
provider: google
client_id: your_client_id
client_secret: your_client_secret
mapper_url: "<file://path/to/your/google_mapper.json>"
scope:
- email
- profile
- openid
3. Debug with Ory Actions: To understand what claims are actually being received from Google, you can create an Ory Action (webhook) that fires after registration to log the entire claims object. Here's an example Jsonnet snippet for the webhook:
jsonnet
function(ctx) {
identity: ctx.identity,
traits: ctx.identity.traits,
claims: std.extVar('claims')
}
This will help you see exactly what data is available after the sign-in process.
[Ory Actions Documentation](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks)
4. Check Kratos Logs: Enable debug logging in your Kratos configuration and examine the logs during the registration process. This might provide insights into why the claims are not being stored:
yaml
log:
level: debug
[Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration)
5. Verify Identity Schema: Make sure your identity schema allows for additional properties in the socialClaims
object. Your schema should look something like this:
json
{
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
// ... existing email configuration ...
},
"socialClaims": {
"type": "object",
"additionalProperties": true
}
},
"required": ["email"]
}
}
}
The "additionalProperties": true
in the socialClaims
object is crucial for allowing any claims to be stored.
If after implementing these changes you still don't see any claims in the socialClaims
object, it might be worth reaching out to Ory support with your specific configuration and debug logs. They can provide more targeted assistance based on your exact setup.brief-egg-61061
01/21/2025, 1:22 PMsocialClaims
field is being added to your identity traits as expected, but it's empty. This could be due to a few reasons: 1. Mapper Configuration: The google_mapper.json
file might not be correctly mapping the claims to the socialClaims
field. Let's review and adjust your mapper: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email, socialClaims: claims, // This will store all claims in the socialClaims object }, }, }
2. Scope Configuration: Ensure that you've requested the necessary scopes from Google to receive the claims you're interested in. In your Ory configuration for the Google provider, make sure you have the required scopes: yaml selfservice: methods: oidc: config: providers: - id: google provider: google client_id: your_client_id client_secret: your_client_secret mapper_url: "<file://path/to/your/google_mapper.json>" scope: - email - profile - openid
3. Debug with Ory Actions: To understand what claims are actually being received from Google, you can create an Ory Action (webhook) that fires after registration to log the entire claims object. Here's an example Jsonnet snippet for the webhook: jsonnet function(ctx) { identity: ctx.identity, traits: ctx.identity.traits, claims: std.extVar('claims') }
This will help you see exactly what data is available after the sign-in process. [Ory Actions Documentation](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks) 4. Check Kratos Logs: Enable debug logging in your Kratos configuration and examine the logs during the registration process. This might provide insights into why the claims are not being stored: yaml log: level: debug
[Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration) 5. Verify Identity Schema: Make sure your identity schema allows for additional properties in the socialClaims
object. Your schema should look something like this: json { "properties": { "traits": { "type": "object", "properties": { "email": { // ... existing email configuration ... }, "socialClaims": { "type": "object", "additionalProperties": true } }, "required": ["email"] } } }
The "additionalProperties": true
in the socialClaims
object is crucial for allowing any claims to be stored. If after implementing these changes you still don't see any claims in the socialClaims
object, it might be worth reaching out to Ory support with your specific configuration and debug logs. They can provide more targeted assistance based on your exact setup. Remember to always be cautious about what data you store and how you use it, especially when dealing with information from social login providers.shy-student-44422
01/22/2025, 1:31 PMbrief-egg-61061
01/22/2025, 1:31 PMbrief-egg-61061
01/22/2025, 1:31 PM<http://ory.sh/kratos|ory.sh/kratos>
extension in your identity schema: You can add the <http://ory.sh/kratos|ory.sh/kratos>
extension to the trait definition in your identity schema to control its visibility. Here's an example: json { "properties": { "traits": { "type": "object", "properties": { "newTrait": { "type": "string", "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "exposed": false } } } } } } } }
By setting "exposed": false
, you prevent this trait from being displayed in the registration UI. [Identity Schema Documentation](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema) 2. Customize the UI: If you're using a custom UI, you can simply choose not to render the input field for the new trait. Ory Kratos provides the UI nodes, but you have control over which ones you actually display. 3. Use metadata
instead of `traits`: If the new field is not something the user should directly input, consider using metadata
instead of traits
. Metadata fields are not automatically exposed in the UI: json { "properties": { "metadata_public": { "type": "object", "properties": { "newField": { "type": "string" } } } } }
4. Adjust the trait's properties: You can set the trait as "readOnly": true
in your schema, which should prevent it from being editable in the UI: json { "properties": { "traits": { "type": "object", "properties": { "newTrait": { "type": "string", "readOnly": true } } } } }
Remember, after making changes to your identity schema, you'll need to update it in your Ory Kratos configuration. You can do this through the Ory Console or using the Ory CLI. [Customize Identity Schema Documentation](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema) If you're using the default Ory Kratos UI and none of these methods work as expected, you might need to implement a custom UI to have full control over which fields are displayed during registration.shy-student-44422
01/22/2025, 1:33 PMbrief-egg-61061
01/22/2025, 1:33 PMbrief-egg-61061
01/22/2025, 1:33 PMclaims.sub
(which is typically the Google user ID) to the metadata of an identity when using Google OIDC (OpenID Connect) with Ory Kratos, you need to modify your Google mapper configuration. Here's how you can do it: 1. Update your google_mapper.json
file to include the claims.sub
in the metadata_public
field: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email, }, metadata_public: { google_id: claims.sub, // This adds the Google user ID to metadata_public }, }, }
2. Make sure your Ory Kratos configuration for the Google provider includes the necessary scopes: yaml selfservice: methods: oidc: config: providers: - id: google provider: google client_id: your_client_id client_secret: your_client_secret mapper_url: "<file://path/to/your/google_mapper.json>" scope: - email - profile - openid
3. After updating the mapper and configuration, you need to apply these changes to your Ory Kratos instance. If you're using Ory Network, you can update the configuration through the Ory Console or using the Ory CLI. By adding the claims.sub
to metadata_public
, you ensure that: - The Google user ID is stored with the identity. - It's not directly editable by the user (unlike traits). - It doesn't appear as an input field on registration or profile pages. You can then access this information when needed, for example, in your application logic or through Ory's APIs. Remember, storing external IDs like this can be useful for linking accounts or for your internal user management, but always be mindful of data privacy and security considerations when storing and using such information. [Social Sign-In Documentation](https://www.ory.sh/docs/kratos/social-signin/overview) [Data Mapping Documentation](https://www.ory.sh/docs/kratos/social-signin/data-mapping) If you need to verify that the Google ID is being correctly stored, you can use the Ory Kratos Admin API to retrieve the identity details after a successful sign-in and check the metadata_public
field.shy-student-44422
01/22/2025, 1:55 PMbrief-egg-61061
01/22/2025, 1:55 PMbrief-egg-61061
01/22/2025, 1:55 PMmetadata_public
field in Ory Kratos is used to store additional information about an identity that is accessible to the identity itself but cannot be directly modified by the user. Let's break down where it's used and who can see it: 1. Visibility to Users: Users can see the metadata_public
information when they access their own session data. Specifically, it's visible at the /session/whoami
endpoint, which returns information about the current session [as mentioned in the Ory documentation](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata). 2. API Access: The metadata_public
field is also accessible through various Ory Kratos API endpoints, such as when retrieving identity information. This means your application can access this data when needed. 3. Frontend Access: Since metadata_public
is available in the session information, frontend applications can potentially access and display this data to the user if you choose to implement such functionality. 4. Not Directly Editable: While users can see this information, they cannot directly edit or modify it through standard user interfaces or flows. Only administrative actions or specific API calls can modify metadata_public
. 5. Use Cases: metadata_public
is often used to store information that should be accessible to the user or the frontend application but shouldn't be editable by the user directly. This could include things like account creation date, subscription status, or, as in your case, external IDs from social login providers. 6. Security Considerations: While metadata_public
is visible to the user, it's important to note that you should not store sensitive information here. Sensitive data should be stored in metadata_admin
, which is only accessible through admin APIs. [Identity Metadata Documentation](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata) In summary, while metadata_public
is not prominently displayed to users by default, it is accessible to them through certain endpoints and can be incorporated into your application's user interface if you choose to do so. It's a way to store additional, non-sensitive information about an identity that should be readable but not directly editable by the user.shy-student-44422
01/22/2025, 3:56 PMbrief-egg-61061
01/22/2025, 3:56 PMbrief-egg-61061
01/22/2025, 3:57 PMafter
hook for the settings flow. Here's how you can set it up: 1. In your Ory Kratos configuration, you can add a webhook for the settings flow, specifically for the password method: yaml selfservice: flows: settings: after: password: hooks: - hook: web_hook config: url: <https://your-webhook-url.com> method: POST body: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgcmV0dXJuIHsKICAgIG9yeVV1aWQ6IGN0eC5pZGVudGl0eS5pZCwKICAgIGVtYWlsOiBjdHguaWRlbnRpdHkudHJhaXRzLmVtYWlsCiAgfQp9>
2. The body
field in the configuration is a base64 encoded Jsonnet snippet. When decoded, it might look something like this: jsonnet function(ctx) { return { oryUuid: ctx.identity.id, email: ctx.identity.traits.email } }
This will send a POST request to your specified URL with the user's Ory UUID and email whenever a password is successfully updated. You can customize the webhook payload to include any additional information you need about the password update event. For more detailed information on configuring webhooks in Ory Kratos, you can refer to the [Ory documentation on configuring hooks](https://www.ory.sh/docs/kratos/hooks/configure-hooks). Remember to handle this webhook securely on your server, as it contains sensitive information about password changes. [Link to Ory Kratos Hooks Documentation](https://www.ory.sh/docs/kratos/hooks/configure-hooks)shy-student-44422
01/22/2025, 3:58 PMbrief-egg-61061
01/22/2025, 3:58 PMbrief-egg-61061
01/22/2025, 3:58 PMshy-student-44422
01/30/2025, 4:19 PMbrief-egg-61061
01/30/2025, 4:19 PMbrief-egg-61061
01/30/2025, 4:19 PMsetOAuth2Client
endpoint. Here's an example using curl: curl --request PUT \ --url 'https://{project-slug}.<http://projects.oryapis.com/admin/clients/{id}|projects.oryapis.com/admin/clients/{id}>' \ --header 'Authorization: Bearer {ORY_API_KEY}' \ --header 'Content-Type: application/json' \ --data '{ "client_secret": "generate_new" }'
This will generate a new client secret and return it in the response. Make sure to save this new secret securely, as you won't be able to retrieve it later. Remember, client secrets should be treated as sensitive information and stored securely. If you suspect a client secret has been compromised, it's best to generate a new one immediately. For more information on managing OAuth 2.0 clients in Ory Hydra, you can refer to the [Ory Hydra API Reference](https://www.ory.sh/docs/hydra/reference/api).shy-student-44422
02/03/2025, 9:57 AMshy-student-44422
02/03/2025, 10:02 AMbrief-egg-61061
02/03/2025, 10:02 AMbrief-egg-61061
02/03/2025, 10:02 AMverified_addresses
field to carry over the verified status. Here's an example of how your Jsonnet mapper might look: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email, }, verified_addresses: std.prune([ if 'email' in claims && claims.email_verified then { via: 'email', value: claims.email }, ]), }, }
This configuration checks if the email is verified by the OIDC provider and, if so, adds it to the verified_addresses
field. 2. Make sure your identity schema is set up to use email verification: json { "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "<http://ory.sh/kratos|ory.sh/kratos>": { "verification": { "via": "email" } } } } } } }
With this setup, when a user registers through OIDC and their email is already verified by the provider, Ory Kratos will consider the email as verified and won't send a verification email. Remember, this only works if the verified address is also present in the identity's traits and marked as a verifiable email in your identity schema. [Social Sign-In Documentation](https://www.ory.sh/docs/kratos/social-signin/overview) [Carry over verified status from Social Sign-In](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#carry-over-verified-status-from-social-sign-in) If you're still experiencing issues with this setup, you might want to check your Kratos logs for any errors or unexpected behavior during the registration process.shy-student-92360
02/03/2025, 10:32 AMbrief-egg-61061
02/03/2025, 10:32 AMbrief-egg-61061
02/03/2025, 10:32 AMemail_verified
claim is being correctly received from your OIDC provider (e.g., Google). You can verify this by enabling debug logging in Kratos and checking the logs during the sign-in process.
2. Verify your Jsonnet mapper:
Make sure your mapper is correctly handling the email_verified
claim. Here's an example of how it should look:
jsonnet
local claims = {
email_verified: false,
} + std.extVar('claims');
{
identity: {
traits: {
email: claims.email,
},
verified_addresses: std.prune([
if claims.email_verified then { via: 'email', value: claims.email },
]),
},
}
3. Check your Kratos configuration:
Ensure that you haven't accidentally enabled forced verification for all registrations. Look for settings like verification.after.password.hooks
in your Kratos configuration and make sure they're not overriding the behavior for OIDC logins.
4. Inspect the created identity:
After a successful OIDC login, use the Kratos admin API to inspect the created identity. Check if the verified_addresses
field contains the email address. If it doesn't, that might explain why a verification email is being sent.
5. Check for conflicting flows:
Ensure that there are no other flows or hooks in your configuration that might be triggering the verification email.
If after checking all these points, you're still receiving verification emails, it might be a bug in Kratos. In this case, you could:
1. File an issue on the [Ory Kratos GitHub repository](https://github.com/ory/kratos/issues), providing details about your configuration and the steps to reproduce the issue.
2. As a temporary workaround, you could disable email verification entirely for OIDC logins by modifying your identity schema. Remove the verification
section from the email trait in your schema:
json
{
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
}
}
// Remove the "verification" section here
}
}
}
}
}
}
However, be cautious with this approach as it might affect email verification for other registration methods.
Remember to always test thoroughly in a non-production environment before applying changes to your live system.brief-egg-61061
02/03/2025, 10:32 AMemail_verified
claim is being correctly received from your OIDC provider (e.g., Google). You can verify this by enabling debug logging in Kratos and checking the logs during the sign-in process. 2. Verify your Jsonnet mapper: Make sure your mapper is correctly handling the email_verified
claim. Here's an example of how it should look: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { email: claims.email, }, verified_addresses: std.prune([ if claims.email_verified then { via: 'email', value: claims.email }, ]), }, }
3. Check your Kratos configuration: Ensure that you haven't accidentally enabled forced verification for all registrations. Look for settings like verification.after.password.hooks
in your Kratos configuration and make sure they're not overriding the behavior for OIDC logins. 4. Inspect the created identity: After a successful OIDC login, use the Kratos admin API to inspect the created identity. Check if the verified_addresses
field contains the email address. If it doesn't, that might explain why a verification email is being sent. 5. Check for conflicting flows: Ensure that there are no other flows or hooks in your configuration that might be triggering the verification email. If after checking all these points, you're still receiving verification emails, it might be a bug in Kratos. In this case, you could: 1. File an issue on the [Ory Kratos GitHub repository](https://github.com/ory/kratos/issues), providing details about your configuration and the steps to reproduce the issue. 2. As a temporary workaround, you could disable email verification entirely for OIDC logins by modifying your identity schema. Remove the verification
section from the email trait in your schema: json { "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } } // Remove the "verification" section here } } } } } }
However, be cautious with this approach as it might affect email verification for other registration methods. Remember to always test thoroughly in a non-production environment before applying changes to your live system. [Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration) [Ory Kratos Email and Phone Verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation)shy-student-92360
02/03/2025, 10:37 AMbrief-egg-61061
02/03/2025, 10:37 AMbrief-egg-61061
02/03/2025, 10:37 AMjson
{
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"<http://ory.sh/kratos|ory.sh/kratos>": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "email"
}
}
}
}
}
}
}
2. Ensure your OIDC mapper (e.g., google_mapper.json) is correctly handling the verified status:
jsonnet
local claims = {
email_verified: false,
} + std.extVar('claims');
{
identity: {
traits: {
email: claims.email,
},
verified_addresses: std.prune([
if claims.email_verified then { via: 'email', value: claims.email },
]),
},
}
3. In your Kratos configuration, make sure you haven't disabled verification for OIDC providers. Check your kratos.yml
file:
yaml
selfservice:
methods:
oidc:
enabled: true
config:
providers:
- id: google
provider: google
client_id: your_client_id
client_secret: your_client_secret
mapper_url: <file://path/to/your/google_mapper.json>
scope:
- email
- profile
4. Enable debug logging in Kratos to see what's happening during the registration process:
yaml
log:
level: debug
With these settings in place, you should receive verification emails for email registrations, but not for OIDC logins where the email is already verified.
If you're still experiencing issues, it might be helpful to:
1. Check the Kratos logs for any errors or unexpected behavior during both OIDC and email registrations.
2. Verify that the email_verified
claim is being correctly received from your OIDC provider.
3. Inspect the created identity after both OIDC and email registrations to ensure the verified_addresses
field is being set correctly.
If the problem persists, it might be a bug in Kratos. In that case, consider [filing an issue on the Ory Kratos GitHub repository](https://github.com/ory/kratos/issues) with detailed information about your configuration and the steps to reproduce the issue.brief-egg-61061
02/03/2025, 10:37 AMjson { "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "<http://ory.sh/kratos|ory.sh/kratos>": { "credentials": { "password": { "identifier": true } }, "verification": { "via": "email" } } } } } } }
2. Ensure your OIDC mapper (e.g., google_mapper.json) is correctly handling the verified status: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { email: claims.email, }, verified_addresses: std.prune([ if claims.email_verified then { via: 'email', value: claims.email }, ]), }, }
3. In your Kratos configuration, make sure you haven't disabled verification for OIDC providers. Check your kratos.yml
file: yaml selfservice: methods: oidc: enabled: true config: providers: - id: google provider: google client_id: your_client_id client_secret: your_client_secret mapper_url: <file://path/to/your/google_mapper.json> scope: - email - profile
4. Enable debug logging in Kratos to see what's happening during the registration process: yaml log: level: debug
With these settings in place, you should receive verification emails for email registrations, but not for OIDC logins where the email is already verified. If you're still experiencing issues, it might be helpful to: 1. Check the Kratos logs for any errors or unexpected behavior during both OIDC and email registrations. 2. Verify that the email_verified
claim is being correctly received from your OIDC provider. 3. Inspect the created identity after both OIDC and email registrations to ensure the verified_addresses
field is being set correctly. If the problem persists, it might be a bug in Kratos. In that case, consider [filing an issue on the Ory Kratos GitHub repository](https://github.com/ory/kratos/issues) with detailed information about your configuration and the steps to reproduce the issue. [Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation) [Social Sign-In Documentation](https://www.ory.sh/docs/kratos/social-signin/overview) Remember to always test these changes in a non-production environment before applying them to your live system.shy-student-92360
02/03/2025, 11:02 AMshy-student-92360
02/03/2025, 11:02 AMbrief-egg-61061
02/03/2025, 11:03 AMbrief-egg-61061
02/03/2025, 11:03 AMverified_addresses
field in the identity structure. Here's how you can achieve this: 1. Update your OIDC mapper (for both Google and Apple) to include the verified_addresses
field. Here's an example of how your mapper might look: jsonnet local claims = { email_verified: false, } + std.extVar('claims'); { identity: { traits: { email: claims.email, }, verified_addresses: std.prune([ if claims.email_verified then { via: 'email', value: claims.email }, ]), }, }
This mapper checks if the email is verified by the OIDC provider (Google or Apple) and, if so, adds it to the verified_addresses
field. 2. Ensure your identity schema is set up to use email verification: json { "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "<http://ory.sh/kratos|ory.sh/kratos>": { "verification": { "via": "email" } } } } } } }
With this setup, when a user registers through Google or Apple and their email is already verified by the provider, Ory Kratos will consider the email as verified. This effectively "tags" the user as verified without sending an additional verification email. You can check if a user is verified by inspecting the verified_addresses
field of their identity. If it contains their email address, it means they're verified. [Carry over verified status from Social Sign-In](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#carry-over-verified-status-from-social-sign-in) Remember, this approach relies on the OIDC provider (Google or Apple) to correctly report the email verification status. Always test thoroughly to ensure it works as expected with your specific setup.shy-student-92360
02/07/2025, 9:39 AMbrief-egg-61061
02/07/2025, 9:39 AMshy-student-44422
02/07/2025, 9:39 AMbrief-egg-61061
02/07/2025, 9:39 AMhttps://{votre-projet-slug}.<http://projects.oryapis.com/admin/oauth2/introspect|projects.oryapis.com/admin/oauth2/introspect>
Assurez-vous de remplacer {votre-projet-slug}
par l'identifiant de votre projet Ory. 2. MĂ©thode de vĂ©rification : Vous devez envoyer une requĂȘte POST Ă cette URL avec le token Ă vĂ©rifier. Voici un exemple de code en utilisant curl : bash curl --request POST \ --url 'https://{votre-projet-slug}.<http://projects.oryapis.com/admin/oauth2/introspect|projects.oryapis.com/admin/oauth2/introspect>' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data 'token=VOTRE_TOKEN_ICI'
3. Interprétation de la réponse : La réponse de l'introspection vous indiquera si le token est actif ou non. Un token actif n'est ni expiré ni révoqué. Voici un exemple de réponse : json { "active": true, "scope": "openid email profile", "client_id": "votre-client-id", "sub": "identifiant-utilisateur", "exp": 1639580783, "iat": 1639577183, "iss": "https://{votre-projet-slug}.<http://projects.oryapis.com/|projects.oryapis.com/>" }
Si "active": true
, le token est valide et n'a pas Ă©tĂ© rĂ©voquĂ©. Il est important de noter que cette vĂ©rification doit ĂȘtre effectuĂ©e cĂŽtĂ© serveur pour des raisons de sĂ©curitĂ©, car elle nĂ©cessite l'utilisation de vos identifiants client OAuth2. [Introspection OAuth2 Token Documentation](https://www.ory.sh/docs/hydra/reference/api) Pour implĂ©menter cela dans votre API, vous pourriez crĂ©er une fonction qui effectue cette vĂ©rification chaque fois que vous avez besoin de valider un token. Assurez-vous de gĂ©rer les cas oĂč le token pourrait ĂȘtre invalide ou rĂ©voquĂ©. N'oubliez pas que l'introspection de token est une opĂ©ration qui peut ĂȘtre coĂ»teuse en termes de performance si elle est effectuĂ©e frĂ©quemment. Vous pourriez envisager de mettre en cache les rĂ©sultats de l'introspection pour une courte durĂ©e afin d'optimiser les performances de votre application. Si vous avez d'autres questions sur la mise en Ćuvre de cette vĂ©rification dans votre API spĂ©cifique, n'hĂ©sitez pas Ă demander plus de dĂ©tails.shy-student-92360
02/07/2025, 9:51 AMbrief-egg-61061
02/07/2025, 9:51 AMbrief-egg-61061
02/07/2025, 9:51 AM<http://localhost:4445/admin/oauth2/introspect>
Notez que le port 4445 est le port par défaut pour l'API admin de Hydra. Assurez-vous que ce port correspond à votre configuration locale. 3. Vérification du token : Vous pouvez utiliser cette URL locale pour vérifier votre token. Voici un exemple de commande curl : bash curl --request POST \ --url '<http://localhost:4445/admin/oauth2/introspect>' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data 'token=VOTRE_TOKEN_ICI'
4. Configuration dans votre application : Dans votre code, vous devrez configurer l'URL de base de votre instance Hydra. Cela remplacera le concept de "projet-slug" utilisé dans la version hébergée. 5. Sécurité : Assurez-vous que votre instance locale d'Ory Hydra est correctement sécurisée, surtout si vous prévoyez de l'utiliser en production. Pour plus d'informations sur la configuration et l'utilisation d'Ory Hydra en local, vous pouvez consulter la [documentation officielle d'Ory Hydra](https://www.ory.sh/docs/hydra/5min-tutorial). N'oubliez pas que lors du passage en production, vous devrez ajuster ces URL pour qu'elles correspondent à votre environnement de déploiement. Si vous avez des questions spécifiques sur la configuration de votre instance locale d'Ory Hydra, n'hésitez pas à les poser.shy-student-92360
02/07/2025, 9:55 AM<http://hydra:4444/admin/oauth2/introspect>
brief-egg-61061
02/07/2025, 9:56 AMbrief-egg-61061
02/07/2025, 9:56 AM<http://hydra:4445/admin/oauth2/introspect>
2. Configuration des ports dans Docker : Assurez-vous que les ports sont correctement exposés dans votre configuration Docker. Vérifiez votre fichier docker-compose.yml
ou la commande docker run
que vous utilisez pour lancer Hydra. Il devrait y avoir une ligne similaire Ă celle-ci : yaml ports: - "4444:4444" - "4445:4445"
3. RĂ©seau Docker : Assurez-vous que le conteneur Ă partir duquel vous faites l'appel est sur le mĂȘme rĂ©seau Docker que le conteneur Hydra. Vous pouvez vĂ©rifier cela dans votre docker-compose.yml
ou en utilisant la commande docker network inspect
. 4. Nom du service : Vérifiez que "hydra" est bien le nom du service ou du conteneur dans votre configuration Docker. Si ce n'est pas le cas, remplacez-le par le nom correct. 5. Vérification des logs Hydra : Examinez les logs du conteneur Hydra pour voir s'il y a des erreurs ou des informations utiles : docker logs <nom_du_conteneur_hydra>
6. Test de connectivité : Essayez de faire un ping depuis le conteneur qui fait l'appel vers le conteneur Hydra pour vérifier la connectivité : docker exec <votre_conteneur> ping hydra
7. Utilisation de l'IP interne : Si le nom "hydra" ne fonctionne pas, essayez d'utiliser l'IP interne du conteneur Hydra. Vous pouvez la trouver avec : docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <nom_du_conteneur_hydra>
8. Vérification de la configuration Hydra : Assurez-vous que Hydra est configuré pour écouter sur toutes les interfaces dans le conteneur. Vérifiez la configuration pour vous assurer qu'il n'y a pas de restriction d'adresse IP. Si aprÚs avoir vérifié ces points, le problÚme persiste, il serait utile de voir votre configuration Docker (docker-compose.yml ou commande docker run) et la configuration de Hydra pour un diagnostic plus précis. [Documentation Ory Hydra pour Docker](https://www.ory.sh/docs/hydra/configure-deploy) N'hésitez pas à fournir plus de détails sur votre configuration si vous avez besoin d'une assistance supplémentaire.