Yes, it is possible to configure Ory Identities to allow registration only via OIDC (OpenID Connect) while restricting password-based registration. Here's how you can achieve this: 1. Enable both OIDC and password methods in your configuration, as you've already done. 2. Disable the password method for registration, but keep it enabled for login. This allows existing password-based identities to log in, but prevents new users from registering with a password. 3. Keep the OIDC method enabled for both registration and login. 4. Use the admin API to create password-based identities when needed. To implement this, you can adjust your Ory Identities configuration as follows:

yaml selfservice:   methods:     password:       enabled: true     oidc:       enabled: true   flows:     registration:       enabled_methods:         - oidc

This configuration keeps both password and OIDC methods enabled overall, but only allows OIDC for registration. Password-based identities can still log in, but new users can't register using passwords. For creating password-based identities via the admin API, you can use the

createIdentity

endpoint [as described in the Ory API Reference](https://www.ory.sh/docs/reference/api). This allows you to create identities with password credentials programmatically. It's worth noting that Ory Identities also supports a two-step registration process, which might be useful in your case. As mentioned in the [Two-step registration documentation](https://www.ory.sh/docs/identities/sign-in/two-step-registration), this approach separates the collection of identity traits from the selection of authentication method, providing a more streamlined user experience when multiple authentication methods are available. Remember to thoroughly test your configuration to ensure it behaves as expected, especially regarding the registration flow and admin API identity creation.

I apologize for the confusion in my previous response. You are correct that

enabled_methods

is not an allowed property in the Ory Identities configuration. Thank you for pointing that out. Let me provide you with the correct approach to achieve your goal. To restrict registration to OIDC only while keeping password login available, you can use the

enabled

property for each method in the registration flow configuration. Here's the correct way to configure this:

yaml selfservice:   flows:     registration:       after:         password:           hooks: []         oidc:           hooks:             - hook: session       before:         hooks: []   methods:     password:       enabled: true     oidc:       enabled: true     profile:       enabled: false

In this configuration: 1. Both

password

and

oidc

methods are enabled globally. 2. For the registration flow, we only define hooks for the

oidc

method, effectively enabling only OIDC for registration. 3. The

password

method is still enabled, allowing existing password-based identities to log in. This approach is based on the [Ory Identities documentation on registration flows](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#initialize-registration-flow) and the [configuration example from a GitHub issue](https://github.com/ory/network/issues/185). To create password-based identities via the admin API, you can use the

createIdentity

endpoint as mentioned before. I apologize again for the incorrect information in my previous response. Always refer to the official Ory documentation and test your configuration to ensure it behaves as expected.

I apologize for the continued confusion. You're right that the previous suggestions didn't work as expected. Let me provide a more accurate answer based on the available knowledge sources. After reviewing the documentation more carefully, I realize that there isn't a straightforward configuration option to enable OIDC registration while disabling password registration in Ory Identities. The knowledge sources don't provide a clear method to achieve this specific setup. However, there are a couple of approaches you might consider: 1. Custom Implementation: You could potentially implement this behavior in your application layer. Allow users to initiate the registration flow, but only present the OIDC option in your user interface. This way, you're not relying on Ory's configuration to restrict the methods, but rather controlling it at the presentation layer. 2. Use Hooks: You might be able to use [hooks in the registration flow](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#updating-privileged-fields) to interrupt or redirect password-based registrations. However, the exact implementation of this would require further investigation and testing. 3. Identity Schema Approach: You could potentially use the identity schema to make the password field optional, while making the OIDC-related fields required. This might effectively prevent password-based registrations without explicitly disabling the method. An example of how to mark fields in the identity schema can be found in the [custom identity schema documentation](https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password#custom-identity-schema). For creating password-based identities via the admin API, you can still use the

createIdentity

endpoint as described in the [Ory API Reference](https://www.ory.sh/docs/reference/api). I apologize that I can't provide a more definitive solution. The current knowledge sources don't contain information about a configuration that exactly matches your requirements. It might be worth reaching out to Ory support or community forums for more specific guidance on this use case.

Certainly! I'll show you how to use the hook method to potentially control the registration flow. Based on the available knowledge sources, we can use a "before" hook in the registration flow to implement custom logic. Here's how you can set it up: 1. First, configure the hook in your Ory Identities configuration file:

yaml selfservice:   flows:     registration:       before:         hooks:           - hook: web_hook             config:               url: <https://your-custom-hook-endpoint.com>               method: POST               body: ""               auth:                 type: api_key                 config:                   name: Authorization                   value: "your-api-key"                   in: header

This configuration is based on the examples from the [Ory documentation on hooks](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers) and a [GitHub issue discussing webhook configuration](https://github.com/ory/network/issues/346). 2. Implement your custom webhook endpoint. This endpoint should receive the registration request and decide whether to allow it or not. Here's a basic example of what the webhook might do:

python from flask import Flask, request, jsonify  app = Flask(__name__)  @app.route('/registration-hook', methods=['POST']) def registration_hook():     data = request.json          # Check if the registration method is OIDC     if data.get('method') == 'oidc':         return jsonify({"status": "success"}), 200     else:         # If it's not OIDC, interrupt the flow         return jsonify({             "status": "error",             "message": "Only OIDC registration is allowed"         }), 400  if __name__ == '__main__':     app.run(port=5000)

This webhook will allow OIDC registrations to proceed but will interrupt any other registration method. 3. In your Ory configuration, make sure both password and OIDC methods are enabled:

yaml selfservice:   methods:     password:       enabled: true     oidc:       enabled: true

With this setup, the webhook will be called before any registration attempt. It can then decide whether to allow the registration to proceed based on the method being used. Please note that this is a basic example and may need to be adjusted based on your specific requirements and the exact structure of the data Ory sends to the webhook. Also, remember to secure your webhook endpoint appropriately. For more detailed information on configuring hooks, you can refer to the [Ory documentation on configuring hooks](https://www.ory.sh/docs/kratos/hooks/configure-hooks). Remember to thoroughly test this setup to ensure it behaves as expected in your environment.