<@U04UQ68083H> If I signup via SSO can I retrieve ...
# ory-copilot
f
@chilly-king-10285 If I sign up via SSO can I retrieve firstname and lastname if the user allows those scopes?
b
A message from kapa.ai
Yes, if you sign up via SSO (using OAuth2/OIDC) and the user allows the appropriate scopes (such as profile), you can retrieve the firstname and lastname—provided that the upstream identity provider (IdP) supplies these attributes. Ory maps the OpenID Connect profile scope to identity traits. Specifically:

- If your identity schema has a name object (e.g., traits.name.first and traits.name.last), these will be mapped to the given_name and family_name claims from the IdP.
- If the IdP returns these claims and the user consents to the profile scope, Ory will include them in the identity traits during registration.

Here’s how the mapping works:

- If identity.traits.name is an object, traits.name.first and traits.name.last are used for the given_name and family_name claims, respectively.
- The profile scope is required for these claims to be available and mapped.

So, as long as the IdP provides firstname and lastname (often as given_name and family_name) and the user consents to the profile scope, Ory will retrieve and map these values during SSO signup. If the IdP does not provide these claims, or the user does not consent to the profile scope, these fields will not be available in the identity traits [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom/).

If you are using a custom data mapping (e.g., with Jsonnet), you can further control how these claims are mapped to your identity schema. For example, with SAML, you can map firstName and lastName from the IdP to your schema as shown in the documentation [SAML via Ory Network](https://www.ory.sh/docs/kratos/organizations/#saml-via-ory-network).
f
@chilly-king-10285 can I retrieve the firstname in the after webhook without adding new traits to my identity?
b
A message from kapa.ai
Based on the available knowledge sources, you cannot reliably retrieve the firstname in the after webhook unless it is present in the identity traits or metadata. The webhook receives the identity object as it is stored, which means only the fields defined in your identity schema (traits, metadata, etc.) are included. If firstname is not a trait or part of the metadata, it will not be available in the webhook payload.

However, if you use the new transient_payload feature during registration, you can pass additional data (such as firstname) to the webhook without persisting it in the identity. This data is available to the webhook but is not stored in the identity itself. Here’s how you can use it:
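```ts
// Assumes `frontendAPI` is an Ory FrontendApi client and `id` is the registration flow ID.
await frontendAPI.updateRegistrationFlow({
  flow: id,
  updateRegistrationFlowBody: {
    method: "password",
    password: "super secure password",
    traits: {
      email: "mymail@example.com",
    },
    // Presented to post-registration webhooks, but not persisted by Ory.
    transient_payload: {
      firstname: "John",
    },
  },
})
```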
The transient_payload will be presented to any post-registration webhook, but it will not be persisted by Ory. This allows you to access firstname in the webhook without adding it as a trait to your identity [Possibility to define complex data types in the metadata of identity](https://github.com/ory/network/issues/187). If you do not use transient_payload and firstname is not part of the identity traits or metadata, it will not be available in the after webhook.