<@U04UQ68083H> how can I determine when a user lin...
# ory-copilot
l
@chilly-king-10285 how can I determine when a user links an OIDC provider to a password account in webhooks?
b
A message from kapa.ai
To determine when a user links an OIDC provider to a password account using webhooks in Ory, you can utilize the "after settings" hook. This hook is triggered when a user successfully changes their account settings, which includes linking an OIDC provider to their existing account. Here's how you can set this up:

1. Create an "after settings" webhook in your Ory configuration.
2. In the webhook configuration, specify the OIDC method to trigger the webhook. This ensures that the webhook is only called when OIDC-related settings are changed.
3. When the webhook is triggered, you'll receive information about the user's account changes, including the newly linked OIDC provider.

Here's an example of how the configuration might look:
```yaml
selfservice:
  methods:
    oidc:
      config:
        after:
          hooks:
            - hook: web_hook
              config:
                url: https://your-webhook-endpoint.com
                method: POST
                body: "..."
```
In this configuration, replace `https://your-webhook-endpoint.com` with the actual URL of your webhook endpoint. When a user links an OIDC provider to their existing password account, this webhook will be triggered, allowing you to perform any necessary actions or record the event in your system.

For more detailed information on configuring webhooks and the available triggers, you can refer to the [Ory Kratos Hooks documentation](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers).
l
@chilly-king-10285 how do I determine what provider has been linked in the webhook body?
b
A message from kapa.ai
To determine which provider has been linked in the webhook body when a user links an OIDC provider to their account, you need to examine the webhook payload. The webhook payload will contain information about the identity, including the newly linked OIDC provider. Here's how you can access this information:

1. In your webhook handler, you'll receive a JSON payload containing the identity details.
2. The OIDC provider information will be included in the `credentials` field of the identity object, specifically under the `oidc` key.
3. Look for the `providers` array within the `oidc` credentials. Each object in this array represents a linked provider.

Here's an example of what the relevant part of the webhook payload might look like:
```json
{
  "credentials": {
    "oidc": {
      "type": "oidc",
      "identifiers": [
        "google:some-user",
        "github:another-user"
      ],
      "config": {
        "providers": [
          {
            "subject": "some-user",
            "provider": "google",
            "initial_access_token": "********************",
            "initial_refresh_token": "********************",
            "initial_id_token": "********************"
          },
          {
            "subject": "another-user",
            "provider": "github",
            "initial_access_token": "********************",
            "initial_refresh_token": "********************",
            "initial_id_token": "********************"
          }
        ]
      }
    }
  }
}
```
In this example, you can see that the user has linked both Google and GitHub as OIDC providers. The most recently linked provider will typically be the last one in the `providers` array. To determine which provider was just linked, you can:

1. Compare the `providers` array with the previous state of the identity (if you have access to it).
2. Look at the `updated_at` timestamp of the `oidc` credentials to see if it matches the time of the webhook call.

Remember that the exact structure of the webhook payload may vary depending on your Ory configuration and version. Always refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/get-tokens) for the most up-to-date information on identity structures and OIDC provider data.