# ory-copilot
@chilly-king-10285 Is it possible to create a new identity on the fly if someone signs in with a new social sign in user?
A message from kapa.ai
Yes, it is possible to create a new identity on the fly when someone signs in with a new social sign-in user in Ory. This process is part of the automatic account creation feature that Ory provides for social sign-in. When a user attempts to sign in using a social provider for the first time, and their account doesn't exist in the Ory system, a new identity is automatically created.

This is evident from the [Social Sign-in Overview](https://www.ory.sh/docs/kratos/social-signin/overview) documentation, which states: "By signing up with external identity providers, users give Ory access to the profile data of their account created in an external identity provider. This data is used to create an Ory identity and a user account in your application."

The process works as follows:

1. A user attempts to sign in using a social provider (e.g., Google, GitHub, Facebook).
2. If the user doesn't have an existing account in Ory, the system will automatically create a new identity using the information provided by the social sign-in provider.
3. The data from the social provider is mapped to the Ory identity traits using a [data mapping configuration](https://www.ory.sh/docs/kratos/social-signin/data-mapping) that you define.

It's important to note that you need to configure the social sign-in providers in your Ory project and set up the appropriate data mapping to ensure that the required information is correctly transferred from the social provider to the Ory identity.

This automatic account creation feature helps reduce friction in the sign-up process, potentially boosting conversion rates, as mentioned in the documentation: "Adding social sign-in to your system can increase conversion rates by up to 40%."

[Social Sign-in Overview](https://www.ory.sh/docs/kratos/social-signin/overview)
[Data Mapping for Social Sign-in](https://www.ory.sh/docs/kratos/social-signin/data-mapping)
@chilly-king-10285 The user is created, but I am not logged in.
A message from kapa.ai
I understand that you're experiencing an issue where a new user is created through social sign-in, but you're not automatically logged in afterward. This is a known issue in Ory, and there's a specific configuration you need to add to resolve it.

The problem occurs because Ory Kratos doesn't automatically issue a session after registration by default. To fix this, you need to add a "session" hook to the registration flow configuration. Here's how you can do it:

1. In your Ory Kratos configuration file (usually `kratos.yml`), add the following:

```yaml
selfservice:
  flows:
    registration:
      after:
        password:
          hooks:
            - hook: session
        oidc:
          hooks:
            - hook: session
```

This configuration tells Kratos to create a session after successful registration, both for password-based and OIDC (social sign-in) methods.

2. It's particularly important to add the "session" hook for the OIDC flow, as mentioned in the [Ory documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#successful-registration): "It's very important to add the "session" hook to the after `oidc` registration hooks. Otherwise your users need to use the login flow again to be able to get a session."

By adding this configuration, users should be automatically logged in after registering through social sign-in.

If you're using Ory Network (the cloud offering) instead of self-hosted Kratos, you might need to configure this through the Ory Console or CLI, as direct access to the configuration file might not be available.

[Ory Kratos Registration Flow Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#successful-registration)

If you've already made this configuration change and are still experiencing issues, there might be other factors at play, and you may need to investigate further or reach out to Ory support for more specific assistance.
@chilly-king-10285 Can I enable the registration flow only for oidc and disable it for the password flow? Only admins should be able to create password identities.
A message from kapa.ai
Yes, you can enable the registration flow only for OIDC (OpenID Connect) and disable it for the password flow in Ory. This configuration allows you to restrict password-based registrations while still allowing users to register through social sign-in providers. Here's how you can achieve this:

1. First, you need to disable the password method for registration. In your Ory configuration, you can set this up as follows:

```yaml
selfservice:
  methods:
    password:
      enabled: true
    oidc:
      enabled: true
  flows:
    registration:
      after:
        password:
          hooks: []
```

By removing the hooks for the password method in the registration flow, you effectively disable password-based registration.

2. Next, ensure that the OIDC method is enabled for registration:

```yaml
selfservice:
  flows:
    registration:
      after:
        oidc:
          hooks:
            - hook: session
```

This configuration enables OIDC-based registration and ensures that users get a session after registering through a social sign-in provider.

3. To allow only admins to create password identities, you would need to use the Ory Identities API to programmatically create identities. This can be done through your admin interface or backend service. The API endpoint for creating identities is described in the [Ory Identities API documentation](https://www.ory.sh/docs/reference/api#tag/identity/operation/createIdentity).

By implementing these configurations, you achieve the following:

- Users can only register through OIDC (social sign-in) methods.
- Password-based registration is disabled for regular users.
- Only admins (or your backend services) can create password-based identities using the Ory Identities API.

Remember to adjust these configurations based on your specific Ory setup (Ory Network or self-hosted Kratos) and ensure that your admin interface or backend service has the necessary permissions to create identities via the API.

[Ory Kratos Configuration](https://www.ory.sh/docs/kratos/reference/configuration)
[Ory Identities API](https://www.ory.sh/docs/reference/api#tag/identity/operation/createIdentity)
@chilly-king-10285 Can I onboard OIDC identities using the Ory Identities API?
A message from kapa.ai
Yes, you can onboard OIDC (OpenID Connect) identities using the Ory Identities API. This process allows you to programmatically create identities with OIDC credentials, which can be useful for various scenarios such as bulk imports or administrative tasks.

To create an identity with OIDC credentials using the Ory Identities API, you can use the `POST /admin/identities` endpoint. Here's how you can structure your request:

1. First, you need to include the OIDC credentials in the identity creation payload. The structure for OIDC credentials is as follows:

```json
{
  "credentials": {
    "oidc": {
      "config": {
        "providers": [
          {
            "subject": "some-user",
            "provider": "google",
            "initial_access_token": "********************",
            "initial_refresh_token": "********************",
            "initial_id_token": "********************"
          }
        ]
      }
    }
  }
}
```

2. You would include this in your full identity creation payload, along with other required fields such as `schema_id` and `traits`. Here's an example of how the full payload might look:

```json
{
  "schema_id": "default",
  "traits": {
    "email": "user@example.com"
  },
  "credentials": {
    "oidc": {
      "config": {
        "providers": [
          {
            "subject": "some-user",
            "provider": "google",
            "initial_access_token": "********************",
            "initial_refresh_token": "********************",
            "initial_id_token": "********************"
          }
        ]
      }
    }
  }
}
```

3. Send this payload to the `/admin/identities` endpoint using a POST request.

It's important to note that the exact structure of the `traits` object will depend on your identity schema configuration.

This method of creating OIDC identities is particularly useful when you need to import existing users from another system or when you're performing administrative tasks that require creating identities with pre-existing OIDC credentials.

Remember to handle the tokens securely, as they provide access to user accounts. Also, ensure that your application has the necessary permissions to create identities via the API.

[Ory Identities API - Create Identity](https://www.ory.sh/docs/reference/api#tag/identity/operation/createIdentity)
[Ory Kratos - Get Social Sign-in Provider Tokens](https://www.ory.sh/docs/kratos/social-signin/get-tokens)