We are looking into Cloud, alt. OSS for our platfo...
# ory-networkr
rhythmic-whale-28602
08/24/2022, 9:37 AMWe are looking into Cloud, alt. OSS for our platform. Everything looks nice and all, but one case is throwing us off right now.
Users should not be able to register themselves. We only want to use Social sign in providers as well.
From our tests, creating an identity through the api is not enough as the sso process is still marked as registration flow (makes sense in some way tho), is there any way around this? Our only knowledge of the user is email and name etc.
One solution is to let everyone register and we check if the email is provisioned or exists on our end in the callback - else delete the identity server side and be done with it.
Maybe the latter is how it is done?
h
high-optician-2097
08/24/2022, 9:41 AM
Thank you for the question! Not sure if I understand the use case correctly. How can users enroll to your service using social sign up, when they can’t register themselves? I assume that you (the admin) do not have control over their social profiles?
high-optician-2097
08/24/2022, 9:41 AM
To answer your question, this is possible by importing the user’s OIDC credentials: https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections
r
rhythmic-whale-28602
08/24/2022, 9:44 AMOk so we just have plain username/pw login today which is built into the API. Users cant register, since it is a B2B service. Admins create users and an invitation is sent.
So we kind of want the same logic, think of it like a whitelist or if the identity exists with trait xy.
rhythmic-whale-28602
08/24/2022, 9:44 AMYeah we do not have any access to the customers' workspaces.
rhythmic-whale-28602
08/24/2022, 9:45 AMMaybe this is out of scope from what this feature is intended to do?
h
high-optician-2097
08/24/2022, 9:50 AM
I see, to allow only certain domain names from signing up you can use web hooks. In the web hook, you can cancel the registration request. The docs for this are not merged yet, but you can find them here:
https://github.com/ory/docs/pull/678/files
r
rhythmic-whale-28602
08/24/2022, 9:53 AMAh yes might work! Is this possible to do in cloud?
h
high-optician-2097
08/24/2022, 9:55 AM
Absolutely 🙂
r
rhythmic-whale-28602
08/24/2022, 9:58 AMLooks nice. So just update the conf through the ory cli?
h
high-optician-2097
08/24/2022, 10:06 AM
yup 🙂 if you have problems with that @magnificent-energy-493 can probably help :)
r
rhythmic-whale-28602
08/24/2022, 10:42 AMThank you very much, going to try some stuff out now 🙂
rhythmic-whale-28602
08/24/2022, 10:43 AMIf I were to disable a user, is there any setting for the identity in ory or same with a webhook during login?
p
proud-plumber-24205
08/24/2022, 11:20 AMHi @rhythmic-whale-28602
Every flow has a web hook that can alter the flow. So in your system, if you decide all users with a certain email should be disable, you can just return an error on the response to the web hook
proud-plumber-24205
08/24/2022, 11:21 AM*except logout and error i believe
r
rhythmic-whale-28602
08/24/2022, 1:59 PMNice, should be able to do some fun things with those then
rhythmic-whale-28602
08/30/2022, 7:47 AMCaptured ctx in a pre-registration hook, and didn't get anything that useful for me. Any way to get the e-mail?
rhythmic-whale-28602
08/30/2022, 12:18 PMok so played around a bit, might work if I put it in the after section. However,
can_interrupth
high-optician-2097
08/30/2022, 1:15 PM
Hi vincent, it’s possible that we missed migrating this config entry to the cloud system
high-optician-2097
08/30/2022, 1:15 PM
sorry about that 😞
high-optician-2097
08/30/2022, 1:16 PM
yup, we don’t have that setting yet in the cloud. how urgent is this topic for you?
r
rhythmic-whale-28602
08/30/2022, 1:17 PMNpnp. If you can answer this, then it won't be that critical atm:
If I do a blocking hook in registration.after, let's make it fail. Does it still save the user identity?
rhythmic-whale-28602
08/30/2022, 1:17 PMBefore hook shows too little info with Google sign in. Our use case is the whole email :)
h
high-optician-2097
08/30/2022, 1:31 PM
no, it would not create the identity afaik
high-optician-2097
08/30/2022, 1:31 PM
we’re working towards a hook system were we have pre and post persistence in the after step
high-optician-2097
08/30/2022, 1:31 PM
so you can choose which one you want
r
rhythmic-whale-28602
08/30/2022, 1:33 PMAh great, was wondering where in the flow this was ran. But good to know that this is the thought.
What is the timeline for getting the interrupt in cloud? It's not super important now, since I am still making a Frankenstein poc with our current system, no prod :)
h
high-optician-2097
08/30/2022, 1:35 PM
we’ll finish up a couple of other features first but I’d say probably 4-6 weeks-ish depending on how urgent it is
high-optician-2097
08/30/2022, 1:36 PM
we’ve got a couple of other keys that are not yet supported
r
rhythmic-whale-28602
08/30/2022, 1:37 PMThat works for me!
rhythmic-whale-28602
08/30/2022, 1:37 PMAnything special?
h
high-optician-2097
08/30/2022, 1:41 PM
Anything special?what do you mean? 🙂
r
rhythmic-whale-28602
08/30/2022, 1:41 PMThe other keys that are not supported 😄
h
high-optician-2097
08/30/2022, 1:42 PM
ah
high-optician-2097
08/30/2022, 1:42 PM
mostly obscure config flags that were recently added
r
rhythmic-whale-28602
08/30/2022, 4:01 PMAhh, got it