https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> How to register kratos webhook to t...
# ory-copilot
g
@chilly-king-10285 How to register kratos webhook to trigger when an user creation happens via oidc flow ?
b
A message from kapa.ai
To register a webhook in Ory Kratos that triggers when a user is created via the OIDC (social sign-in) flow, you need to configure an "after registration" hook specifically for the OIDC method. This ensures your webhook is called only when registration happens through OIDC. Here's how you can do it: 1. Create your webhook configuration (for example, in JSON):
Copy code
json {   "hook": "web_hook",   "config": {     "url": "<https://your-webhook-endpoint>",     "method": "POST",     "response": {       "ignore": true     }     // Add authentication or other config as needed   } }
2. Add the webhook to your Ory Kratos configuration under the OIDC registration flow. For Ory Network, you can use the CLI:
Copy code
sh ory patch identity-config --project <project-id> --workspace <workspace-id> \   --add "/selfservice/flows/registration/after/oidc/hooks/0=$(cat webhook-action.json)" \   --format yaml
This command ensures the webhook is triggered only after successful registration via OIDC (e.g., Google, Facebook, etc.) and not for other registration methods like password-based sign-up. If you want the webhook to trigger for all registration methods, add it under 
/selfservice/flows/registration/after/hooks
instead. For more details and examples, see the official documentation on [HubSpot integration with Ory Actions](https://www.ory.sh/docs/actions/integrations/hubspot#create-a-hubspot-webhook), which demonstrates how to set up a webhook for OIDC registration flows. The same approach applies to any webhook endpoint, not just HubSpot. Note: The webhook will only be triggered after successful user creation via OIDC registration, not for OIDC logins where the user already exists. If you need to handle both registration and login, you may need to configure hooks for both flows as appropriate. [HubSpot integration with Ory Actions](https://www.ory.sh/docs/actions/integrations/hubspot#create-a-hubspot-webhook)
g
@chilly-king-10285 please note this is related to self hosted kratos environment
b
A message from kapa.ai
To register a webhook in a self-hosted Ory Kratos environment that triggers when a user is created via the OIDC flow, you need to configure an "after registration" hook specifically for the OIDC method in your Kratos configuration file. Here’s how you can do it: 1. Edit your Kratos configuration file (typically 
kratos.yaml
or similar) to add a webhook under the OIDC registration flow. The relevant section looks like this:
Copy code
yaml selfservice:   flows:     registration:       after:         oidc:           hooks:             - hook: web_hook               config:                 url: <http://your-webhook-endpoint>                 method: POST                 can_interrupt: false                 # Optionally, add body, response, and auth config as needed
2. Restart your Kratos service to apply the configuration changes. This configuration ensures that your webhook is triggered only after a successful registration via the OIDC method. If you want the webhook to trigger for all registration methods, place the hook under the general 
after
section instead of under 
oidc
. Note: There are known issues where webhooks may not be triggered as expected in certain OIDC registration-to-login flows due to how Kratos handles the flow method internally. For example, if an account already exists and OIDC registration transitions to login, the post-login webhooks may not fire because the credentials type is not set correctly in the flow. There are discussions and proposed patches for this in the community, but as of now, this is a limitation you should be aware of in self-hosted environments. See the related issue for more details: [OIDC registration to login flow fails to invoke webhooks](https://github.com/ory/kratos/issues/3627). Example from a GitHub issue:
Copy code
yaml flows:   registration:     after:       oidc:         hooks:           - hook: web_hook             config:               url: <http://backend:5000/activate/pre>               method: POST               can_interrupt: false               body: file:///etc/config/kratos/webhook.activate.jsonnet               response:                 parse: true
[source](https://github.com/ory/kratos/issues/3627) If you need more advanced payloads, you can use a Jsonnet file for the body, as shown above. Summary: - Add your webhook under 
selfservice.flows.registration.after.oidc.hooks
in your Kratos config. - Restart Kratos. - Be aware of current limitations with OIDC registration-to-login transitions. If you need further details on configuring hooks, refer to the [official Kratos hooks documentation](https://www.ory.sh/docs/kratos/hooks/configure-hooks#available-actions).
g
@chilly-king-10285 webhook payload should include identity.id
b
A message from kapa.ai
New message text here
g
@chilly-king-10285 verify whether this is valid request body for webhook:
Copy code
body: json://{"identity_id":"${identity.id}","traits":${identity.traits}}
b
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain explicit documentation or examples confirming that the syntax
Copy code
body: json://{"identity_id":"${identity.id}","traits":${identity.traits}}
is valid for configuring a webhook request body in self-hosted Ory Kratos. The documentation does mention that you can use Jsonnet files to customize the webhook request body, and that the identity object (including traits and id) is available in the context for templating. However, it does not provide an example using the 
json://
URI scheme or the 
${...}
variable interpolation syntax in the configuration file. Instead, the recommended approach for customizing the webhook body is to use a Jsonnet file referenced by a file path, such as:
Copy code
yaml body: file:///etc/config/kratos/webhook.activate.jsonnet
and in the Jsonnet file, you would use the context object, e.g.:
Copy code
jsonnet {   identity_id: ctx.identity.id,   traits: ctx.identity.traits, }
[Trigger custom logic and integrate with external systems with webhooks](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#define-http-request) Therefore, based on the available knowledge sources, your example does not match the documented or recommended configuration style, and its validity cannot be confirmed. If you want to ensure compatibility, use a Jsonnet file as shown in the documentation.
g
@chilly-king-10285 provide the ory kratos documentation link which is related to this webhook
b
A message from kapa.ai
You can find the relevant Ory Kratos documentation for configuring webhooks (hooks) here: [Hooks Documentation](https://www.ory.sh/docs/kratos/hooks/configure-hooks) and for registration flow hooks specifically here: [Self-service Registration Flow Hooks](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#hooks). These pages explain how to set up and configure webhooks for various flows in Ory Kratos, including after registration events.<|https://www.ory.sh/docs/kratos/hooks/configure-hooks|><|https://www.ory.sh/docs/kratos/self-service/flows/user-registration#hooks|>
g
@chilly-king-10285 provide sample webhook.activate.jsonnet for webhook body
b
A message from kapa.ai
Certainly! Here is a sample 
webhook.activate.jsonnet
for a webhook body, based on the documented examples for customizing webhook payloads in Ory Kratos. This Jsonnet template will include the identity ID and traits in the request body:
Copy code
jsonnet function(ctx) {   identity_id: ctx.identity.id,   traits: ctx.identity.traits, }
This format is supported and recommended for customizing webhook request bodies in Ory Kratos. You reference this file in your Kratos config like so:
Copy code
yaml body: file:///etc/config/kratos/webhook.activate.jsonnet
This approach is documented in the official guides for integrating with webhooks and customizing request bodies using Jsonnet templates [Trigger custom logic and integrate with external systems with webhooks](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#define-http-request).
g
@chilly-king-10285 how to pass oidc client to webhook
b
A message from kapa.ai
The knowledge sources do not explicitly document a way to directly pass the OIDC client information (such as the OIDC client ID) to a webhook in self-hosted Ory Kratos. The available documentation and examples focus on passing identity data and traits to webhooks, typically using a Jsonnet template for the request body, but do not mention OIDC client details as part of the webhook context or payload. If you need the OIDC client information in your webhook, you may need to check if it is available in the context object (
ctx
) within your Jsonnet template. However, based on the current documentation, only identity-related data is guaranteed to be present in the webhook payload. Summary: There is no documented way in the provided knowledge sources to pass the OIDC client to a webhook in self-hosted Ory Kratos. If this is a critical requirement, you may need to explore the Kratos source code or open a feature request with the Ory team. [Trigger custom logic and integrate with external systems with webhooks](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks)
g
@chilly-king-10285 how to get oidc provider id and mapp in webhook.activate.jsonnet file
b
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain explicit information on how to access the OIDC provider ID (such as the 
id
field from your OIDC provider configuration) within the 
webhook.activate.jsonnet
file for a webhook in self-hosted Ory Kratos. The documentation and examples focus on passing identity data (like 
ctx.identity.id
and 
ctx.identity.traits
) to the webhook, but do not mention the availability of OIDC provider details in the webhook context. If you require the OIDC provider ID in your webhook payload, the current documentation does not provide a method to access or map this value in the Jsonnet template. You may need to consult the Ory community or source code for further clarification. In summary: There is no information in the provided knowledge sources on how to get the OIDC provider ID in the webhook Jsonnet context.
g
@chilly-king-10285 provide ctx object which available for after oidc signup flow for webhook
b
A message from kapa.ai
Based on the knowledge sources, the 
ctx
object available to the webhook Jsonnet template for the "after" execution path of registration flows (including OIDC) contains at least the following fields: - `ctx.identity`: The identity object, including fields like 
id
, 
traits
, etc. - `ctx.flow`: The registration flow object, which may include fields such as 
id
, 
expires_at
, 
issued_at
, 
request_url
, and 
transient_payload
. - `ctx.request_headers`: The HTTP request headers. - `ctx.request_method`: The HTTP request method. - `ctx.request_url`: The HTTP request URL. Here is an example structure of the 
ctx
object for a registration flow, as shown in the documentation:
Copy code
jsonnet {   identity: {     id: "3a5293f1-f4d6-49f4-b34f-6da62c360604",     traits: {       email: "[email protected]"     },     // ... other identity fields   },   flow: {     id: "cec1c06e-48eb-4f9d-abf1-2e287371f4eb",     expires_at: "2023-01-31T12:19:35.782238Z",     issued_at: "2023-01-31T11:19:35.782238Z",     request_url: "<https://playground.projects.oryapis.com/self-service/registration/browser?return_to=>",     transient_payload: {       custom_data: "test"     },     // ... other flow fields   },   request_headers: {     Accept: ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],     // ... other headers   },   request_method: "POST",   request_url: "<https://playground.projects.oryapis.com/self-service/registration?flow=cec1c06e-48eb-4f9d-abf1-2e287371f4eb>" }
You can access these fields in your Jsonnet template, for example:
Copy code
jsonnet function(ctx) {   identity_id: ctx.identity.id,   traits: ctx.identity.traits,   flow_id: ctx.flow.id,   custom_data: ctx.flow.transient_payload.custom_data, }
Note: The knowledge sources do not show any OIDC-specific fields (such as the OIDC provider ID) in the 
ctx
object. Only the general registration flow and identity data are documented as available in the context for webhooks [Jsonnet templating](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#jsonnet-templating).
g
@chilly-king-10285 how to pass oidc provider id via transient_payload to webhook
b
A message from kapa.ai
To pass the OIDC provider ID to your webhook via 
transient_payload
, you can include the provider information in the registration request when starting or updating the registration flow. The 
transient_payload
field is designed to carry arbitrary data (such as the OIDC provider) through the flow and make it available to webhooks, without persisting it in the identity. How to do it: 1. Include the OIDC provider in the 
transient_payload
when updating the registration flow:
Copy code
json {   "method": "oidc",   "provider": "google",   "traits": {     "email": "<mailto:user@example.com|user@example.com>"   },   "transient_payload": {     "oidc_provider": "google"   } }
2. In your webhook’s Jsonnet template (
webhook.activate.jsonnet
), access it like this:
Copy code
jsonnet function(ctx) {   oidc_provider: ctx.flow.transient_payload.oidc_provider,   identity_id: ctx.identity.id,   traits: ctx.identity.traits, }
Notes: - The 
transient_payload
is available in the webhook context as 
ctx.flow.transient_payload
 and is not persisted in the identity, but is forwarded to webhooks as part of the flow context [see GitHub discussion](https://github.com/ory/network/issues/187). - You must ensure that your client includes the OIDC provider in the 
transient_payload
when initiating or updating the registration flow. This approach allows your webhook to receive the OIDC provider information as part of the payload, even though Ory Kratos does not natively expose the OIDC provider in the webhook context by default [see GitHub discussion](https://github.com/ory/network/issues/187).
A message from kapa.ai
To pass the OIDC provider ID to your webhook via 
transient_payload
in Ory Kratos, you need to include the provider information in the 
transient_payload
field when you update the registration flow. This field is designed to carry arbitrary data through the flow and is made available to webhooks, but is not persisted in the identity. How to do it: 1. When updating the registration flow (for example, using the Ory SDK or API), include the OIDC provider ID in the `transient_payload`:
Copy code
json {   "method": "oidc",   "provider": "google",   "traits": {     "email": "<mailto:user@example.com|user@example.com>"   },   "transient_payload": {     "oidc_provider": "google"   } }
2. In your webhook’s Jsonnet template (e.g., 
webhook.activate.jsonnet
), you can access it like this:
Copy code
jsonnet function(ctx) {   oidc_provider: ctx.flow.transient_payload.oidc_provider,   identity_id: ctx.identity.id,   traits: ctx.identity.traits, }
This approach is supported and documented as a way to pass additional data to webhooks using the 
transient_payload
field, which is available in the webhook context as 
ctx.flow.transient_payload
 [see GitHub issue discussion](https://github.com/ory/network/issues/187). Summary: Include the OIDC provider ID in the 
transient_payload
when updating the registration flow. It will then be available to your webhook in the context object.
g
@chilly-king-10285 where do we specify this
Copy code
{
  "method": "oidc",
  "provider": "google",
  "traits": {
    "email": "user@​<http://example.com|example.com>"
  },
  "transient_payload": {
    "oidc_provider": "google"
  }
}
b
A message from kapa.ai
You specify this JSON object as the request body when you update the registration flow using the Ory Kratos API. Specifically, you send it to the 
updateRegistrationFlow
endpoint after initiating a registration flow. The 
transient_payload
field is supported in the request body for this endpoint, and it will be available to webhooks as part of the flow context. This is confirmed in the API reference, which shows that 
transient_payload
is an optional field in the request body for updating the registration flow, including for the OIDC method [Kratos API Reference – updateRegistrationFlow](https://www.ory.sh/docs/kratos/reference/api): > 
'transient_payload': {'description': 'Transient data to pass along to any webhooks', 'type': 'object'}
You would typically use this in your backend or frontend code when calling the API to complete the registration flow, for example:
Copy code
http POST /self-service/registration?flow=<flow-id> Content-Type: application/json  {   "method": "oidc",   "provider": "google",   "traits": {     "email": "<mailto:user@example.com|user@example.com>"   },   "transient_payload": {     "oidc_provider": "google"   } }
This ensures that the 
oidc_provider
value is available in the webhook context as 
ctx.flow.transient_payload.oidc_provider
 [see GitHub discussion](https://github.com/ory/network/issues/187). Summary: You specify this object as the body of your request to the 
updateRegistrationFlow
endpoint when completing the OIDC registration flow in Ory Kratos.
10 Views
Open in Slack
PreviousNext
Powered by