https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> How can we use the google_sign_in f...
# ory-copilot
w
@chilly-king-10285 How can we use the google_sign_in flutter SDK in native apps when a nonce is required to complete the login flow? The issue is that the SDK doesn’t expose or allow setting a nonce.
b
A message from kapa.ai
The knowledge sources confirm that Ory recommends using a nonce for Google social sign-in in native apps to prevent replay attacks. However, they also explicitly state that not all Google SDKs support nonce handling: > While not explicitly required, as not all of Google SDKs support it, we recommend that you use a 
nonce
to prevent replay attacks wherever possible. > ... > If your SDK supports nonce validation, make sure to use a generated value and submit that during the next step. > ... > Obtain an 
id_token
from Google using the Google SDK. Make sure to also submit the 
nonce
if you generated one in the step before. > ... > Submit the 
id_token
and 
nonce
(as the 
id_token_nonce
) as part of the 
updateRegistrationFlow
or 
updateLoginFlow
request to Ory. > ... > [Flutter code example omitted for brevity] > — [Ory Docs: Google SDK on native apps](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps) The provided Flutter code example using the 
google_sign_in
package does not include any handling of a nonce, and there is no mention of a workaround for this limitation. The documentation suggests that if the SDK does not support nonce, you may proceed without it, but using a nonce is recommended "wherever possible." Summary: If the 
google_sign_in
Flutter SDK does not allow you to set or retrieve a nonce, you cannot use a nonce in the Ory login flow with this SDK. Ory recommends using a nonce for better security, but acknowledges that it is not always possible with all SDKs, including the Flutter one. There is no documented workaround in the knowledge sources for this limitation. If nonce support is critical for your use case, you may need to look for alternative SDKs or approaches that allow nonce injection, but the Ory documentation does not provide guidance or solutions for this scenario.
w
@chilly-king-10285 Is there any alternative solution?
b
A message from kapa.ai
I'm sorry, but the knowledge sources do not provide an alternative solution for using a nonce with the google_sign_in Flutter SDK when the SDK does not support setting or retrieving a nonce. The Ory documentation acknowledges this limitation and simply states that using a nonce is recommended "wherever possible," but not all SDKs support it. No workaround or alternative approach is documented for this scenario in the provided sources [Ory Docs: Google SDK on native apps](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps).
w
@chilly-king-10285 Any other package can help?
b
A message from kapa.ai
Based on the knowledge sources provided, there is no mention of an alternative Flutter package that allows you to set or handle a nonce for Google sign-in in native apps. The Ory documentation only references the use of the official 
google_sign_in
Flutter package and notes its limitation regarding nonce support. No other packages or workarounds are suggested or documented for this use case [Ory Docs: Google SDK on native apps](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps). If nonce support is essential for your application, the knowledge sources do not provide a solution or recommend an alternative package at this time.
w
@chilly-king-10285 What is 
session_inactive
error means?
b
A message from kapa.ai
The 
session_inactive
error means that no active Ory Session was found in the request. This typically occurs when: - There is no valid Ory Session Cookie or Ory Session Token included in the request. - The session has expired or is otherwise inactive. When this error occurs, the API will respond with a 401 status code, indicating that the user is not authenticated and needs to sign in again ([Ory API Reference: toSession](https://www.ory.sh/docs/reference/api)). You may encounter this error in various endpoints, such as when checking the current session with 
/sessions/whoami
or when accessing self-service flows that require an active session ([Ory API Reference: getSettingsFlow](https://www.ory.sh/docs/reference/api)). In summary, 
session_inactive
means the system could not find an active session for the request, so authentication is required.
w
@chilly-king-10285 My use case is the get setting browser flow and submit the settings with oidc method link google. My session token includes in it. But I got 
session_inactive
after Google OAuth
b
A message from kapa.ai
The 
session_inactive
error means that Ory Kratos could not find an active session for your request. In the context of the settings flow with the OIDC method (linking Google), this typically happens if: - The session token is missing, invalid, or expired. - The session was invalidated after the OAuth flow (for example, if the identity is disabled or the session is otherwise no longer valid). - The session cookie or token is not being forwarded correctly after the Google OAuth callback. Key points from the knowledge sources: - The 
session_inactive
error is returned when no active session is found in the request, such as when the Ory Session Cookie or Session Token is missing or invalid ([Ory API Reference: toSession](https://www.ory.sh/docs/reference/api)). - For browser-based settings flows, a valid session cookie must be present. For API/native flows, the session token must be included in the request headers ([Ory API Reference: createBrowserSettingsFlow](https://www.ory.sh/docs/reference/api), [Ory API Reference: getSettingsFlow](https://www.ory.sh/docs/reference/api)). - If the session is inactive after the OAuth flow, it could be due to the identity being disabled or the session being invalidated for another reason (for example, as described in [this GitHub issue](https://github.com/ory/network/issues/397), where an inactive identity causes a 401 error after OIDC login). What you can check: 1. Session Token Validity: Ensure the session token you are sending is current and valid. If the session expired during the OAuth flow, you will get 
session_inactive
. 2. Identity State: If the identity was disabled or set to inactive, the session will be invalid after OAuth, resulting in this error. 3. Token Forwarding: Make sure the session token or cookie is correctly forwarded in all requests after the Google OAuth callback. 4. Session Expiry: If your settings flow takes too long or the session expires during the process, you will need to re-authenticate. If you have confirmed all of the above and still encounter the error, it may be related to the state of the identity (e.g., disabled) or a misconfiguration in your flow. The knowledge sources do not provide a more specific troubleshooting guide for this scenario, but these are the most common causes for 
session_inactive
in the settings flow with OIDC ([Ory API Reference: getSettingsFlow](https://www.ory.sh/docs/reference/api), [GitHub Issue: OIDC callback returns 401 to browser when identity state is inactive](https://github.com/ory/network/issues/397)).
w
@chilly-king-10285 Valid token, State is active, session is not expired, How to checkout token fowarding?
b
A message from kapa.ai
To check if your session token is being forwarded correctly in the Ory settings flow, you should ensure that the token is included in the appropriate HTTP header when making requests to Ory endpoints. For API/native flows, the session token must be sent in the 
Authorization: Bearer <session-token>
header or as the 
X-Session-Token
header. For browser flows, the session cookie must be present in the 
Cookie
header. Here’s how you can verify token forwarding: - With cURL (API/native flow):
Copy code
sh   curl -H "Authorization: Bearer {your-session-token}" \     "https://$<http://PROJECT_SLUG.projects.oryapis.com/sessions/whoami|PROJECT_SLUG.projects.oryapis.com/sessions/whoami>"
This checks if the session token is valid and active. If you get a 200 OK and session data, the token is forwarded and accepted. If you get a 401 with 
session_inactive
, the token is not being forwarded or is invalid [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api). - With Ory SDK (Node/Express example):
Copy code
js   const session = await ory.toSession({     xSessionToken: sessionToken,   })
Make sure the 
sessionToken
variable contains your valid session token and is passed as shown above [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api). - For browser flows: The session cookie should be automatically included by the browser if it is set for the correct domain and path. You can inspect the network requests in your browser’s developer tools to confirm that the 
Cookie
header contains the 
ory_kratos_session
value. Summary: Check your network requests to ensure the session token is present in the 
Authorization
or 
X-Session-Token
header (for API/native), or the session cookie is present in the 
Cookie
header (for browser). If these are set correctly and you still get 
session_inactive
, the issue is likely elsewhere [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api).
w
@chilly-king-10285 everything are valid
b
A message from kapa.ai
Sorry @witty-librarian-39711, I'm currently experiencing some technical difficulties. Please try again in a few minutes. If this issue persists, please reach out to the administrators of this Slack workspace.
w
@chilly-king-10285 everything are valid
b
A message from kapa.ai
If everything is valid—your session token is correct, the identity state is active, and the session is not expired—but you are still receiving a 
session_inactive
error after the Google OAuth flow in the settings (OIDC link) flow, the knowledge sources do not provide a definitive solution or further troubleshooting steps for this scenario. The documentation and issues reviewed indicate that 
session_inactive
is returned when no active session is found, typically due to missing, invalid, or expired session tokens, or an inactive identity. If you have verified that none of these apply, and token forwarding is correct, then the cause is unclear based on the available documentation ([Ory API Reference: updateSettingsFlow](https://www.ory.sh/docs/reference/api), [GitHub Issue: OIDC callback returns 401 to browser when identity state is inactive](https://github.com/ory/network/issues/397)). I'm sorry, but the knowledge sources do not contain enough information to explain or resolve this specific situation where all session and identity parameters are valid, yet 
session_inactive
is still returned.
w
@chilly-king-10285 Explain POST /settings
b
A message from kapa.ai
The 
POST /settings
endpoint is used to complete a settings flow in Ory (Kratos). This endpoint allows a user to update their settings, such as password, profile traits, or link/unlink social sign-in providers (OIDC), depending on which methods are enabled in your configuration. ### How it works - API-initiated flows: - Send a JSON body with the updated settings. - On success, you receive HTTP 200 and a JSON body with the session token. - On errors (expired flow, validation errors, missing/invalid session), you receive appropriate HTTP status codes (400, 401, 403, 303). - Browser flows: - If the request does not have 
Accept: application/json
, you are redirected (HTTP 303) to the appropriate UI or error page. - If the request has 
Accept: application/json
, you receive a JSON response with the updated identity or error details. ### Required parameters - flow (query parameter): The ID of the settings flow, usually from the 
flow
query parameter in your app's URL. - Session Token or Cookie: - For API flows: 
X-Session-Token
header. - For browser flows: session cookie in the 
Cookie
header. ### Example use cases - Update password (
method: password
) - Update profile traits (
method: profile
) - Link/unlink OIDC providers (
method: oidc
) ### Error handling - `session_refresh_required`: The user must re-authenticate. - `security_csrf_violation`: CSRF token is invalid or missing. - `session_inactive`: No active session found. - `security_identity_mismatch`: The session does not match the identity. - `browser_location_change_required`: The browser needs to open a specific URL (often in social sign-in flows). For more details, see the [Ory API Reference: updateSettingsFlow](https://www.ory.sh/docs/reference/api). --- In summary: 
POST /settings
is the endpoint to submit changes to a user's settings in Ory, handling password, profile, and OIDC methods, with different behaviors for API and browser flows, and requires a valid session and flow ID to operate correctly.
w
@chilly-king-10285 Focus on browser flow and session inactive possible cases
b
A message from kapa.ai
In the context of the browser flow for 
POST /self-service/settings
, the 
session_inactive
error means that Ory could not find an active session associated with the request. According to the knowledge sources, this can happen in the following cases: - No valid session cookie is included in the request. The browser flow relies on the presence of a valid Ory Kratos session cookie in the 
Cookie
header. If this cookie is missing, invalid, or expired, the request will result in a 
session_inactive
error ([Ory API Reference: updateSettingsFlow](https://www.ory.sh/docs/reference/api)). - The session has expired or is otherwise inactive. If the user's session has expired or has been invalidated (for example, due to logout or session revocation), the error will be returned. - The session token/cookie is not forwarded correctly. If your application is acting as a proxy or server-side handler, you must ensure that the original session cookie from the browser is forwarded to Ory. If not, Ory will not be able to validate the session ([Ory API Reference: updateSettingsFlow](https://www.ory.sh/docs/reference/api)). - The identity associated with the session is inactive. If the identity has been disabled or set to an inactive state, the session will be considered inactive, and the error will be returned ([GitHub Issue: OIDC callback returns 401 to browser when identity state is inactive](https://github.com/ory/network/issues/397)). Summary: For browser flows, 
session_inactive
during 
POST /self-service/settings
typically means the session cookie is missing, invalid, expired, not forwarded, or the identity is inactive. The request will not succeed until a valid, active session is present in the browser and properly sent to Ory. You can find more details in the [Ory API Reference: updateSettingsFlow](https://www.ory.sh/docs/reference/api).
w
@chilly-king-10285 provide all upstream_parameters config
b
A message from kapa.ai
The knowledge sources list the following 
upstream_parameters
that can be configured and passed to upstream identity providers (such as Google) in Ory flows (login, registration, and settings): - login_hint: Suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. - hd: Limits the login/registration process to a specific Google Organization (e.g., 
<http://mycollege.edu|mycollege.edu>
). - prompt: Specifies whether the Authorization Server prompts the End-User for reauthentication and consent (e.g., 
select_account
). - auth_type: Used to specify authentication type, such as 
reauthenticate
(mentioned in form example). These parameters can be passed in the form body as follows:
Copy code
html <form action="https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>" method="POST">   <input type="submit" name="provider" value="google" />   <input type="hidden" name="upstream_parameters.login_hint" value="foo@bar.com" />   <input type="hidden" name="upstream_parameters.hd" value="bar.com" />   <input type="hidden" name="upstream_parameters.prompt" value="select_account" />   <input type="hidden" name="upstream_parameters.auth_type" value="reauthenticate" /> </form>
Supported parameters according to the knowledge sources: - 
login_hint
- 
hd
- 
prompt
- 
auth_type
For more details, see the [Advanced Integration documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login) and [Google provider additional parameters](https://www.ory.sh/docs/kratos/social-signin/google#additional-parameters). If you need to use other parameters, the knowledge sources do not mention any beyond those listed above.
w
@chilly-king-10285 List all available kratos config for settings flow
b
A message from kapa.ai
Here are the available Ory Kratos configuration options for the settings flow as found in the knowledge sources: --- ### Enable/Disable Settings Methods You can enable or disable the following methods for the settings flow:
Copy code
yaml selfservice:   methods:     password:       enabled: true     oidc:       enabled: true     profile:       enabled: true   # ...
- `password`: Allows users to update their password. - `oidc`: Allows users to link/unlink social sign-in providers (e.g., Google, Facebook). - `profile`: Allows users to update identity traits (e.g., email, name) ([Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings)). --- ### Privileged Session Max Age Controls how long a session can be used to update privileged fields (like password or email) before requiring re-authentication:
Copy code
yaml selfservice:   flows:     settings:       privileged_session_max_age: 1m
- If the session is older than this value, the user must re-authenticate before updating privileged fields ([Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings)). --- ### Required Authentication Assurance Level (AAL) Require a certain AAL (e.g., multi-factor authentication) for accessing the settings flow:
Copy code
yaml selfservice:   flows:     settings:       required_aal: highest_available
- Forces users to provide the highest available authentication assurance level before changing settings ([Account recovery and password reset: Configuration](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#configuration)). --- ### UI and Redirect URLs You can configure the UI and redirect URLs for the settings flow (not shown in YAML in the docs, but referenced in issues and config dumps): - `kratos_selfservice_flows_settings_ui_url`: URL for the settings UI. - `kratos_selfservice_flows_settings_after_default_browser_return_url`: Redirect after settings update. - `kratos_selfservice_flows_settings_after_password_default_browser_return_url`: Redirect after password update. - `kratos_selfservice_flows_settings_after_profile_default_browser_return_url`: Redirect after profile update. - `kratos_selfservice_flows_settings_lifespan`: Lifespan of the settings flow. These are visible in configuration dumps and issues ([GitHub Issue: Unable to select custom Identity Schema](https://github.com/ory/network/issues/54)). --- Note: The knowledge sources do not provide a full exhaustive list of every possible settings flow configuration, but the above are the main documented options for controlling the behavior of the settings flow in Ory Kratos. If you need more advanced or undocumented options, please refer to the official Ory documentation or configuration reference.
w
@chilly-king-10285 Any config related to after oidc account linking
b
A message from kapa.ai
Based on the knowledge sources, you can configure the redirect URL after OIDC account linking (or other OIDC-related settings actions) using the following configuration key:
Copy code
yaml selfservice:   flows:     settings:       after:         oidc:           default_browser_return_url: <https://end-up-here-after-settings-with-oidc/>
This setting controls where the user is redirected after successfully linking (or unlinking) an OIDC account in the settings flow. If this is not set, the default redirect URL for the settings flow will be used instead ([Ory Concepts: Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects#redirect-flows)). Summary: Yes, there is a config for redirecting after OIDC account linking in the settings flow: 
selfservice.flows.settings.after.oidc.default_browser_return_url
. If you need more details or examples, see the [Ory Concepts: Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects#redirect-flows).
w
@chilly-king-10285 anything config could relate to session_inactive?
b
A message from kapa.ai
There is no specific configuration option in the knowledge sources that directly controls or prevents the 
session_inactive
error in Ory Kratos. The 
session_inactive
error occurs when no valid session is found—typically due to missing, expired, or invalid session cookies or tokens, or if the identity is inactive. The knowledge sources focus on ensuring that a valid session is present and forwarded, but do not mention a configuration key that would alter the behavior of this error or its handling. If you are encountering 
session_inactive
, you should check that your session management settings (such as session lifespan and cookie forwarding) are correct, but there is no documented config to change how 
session_inactive
is triggered or handled [Ory API Reference: updateSettingsFlow](https://www.ory.sh/docs/reference/api).
w
@chilly-king-10285 ory_kratos_session is missing in oidc callback why?
b
A message from kapa.ai
If the 
ory_kratos_session
cookie is missing in the OIDC callback, the most common reasons according to the knowledge sources are: 1. Cookie Domain or Path Issues: If Ory Kratos and your application/UI are running on different subdomains or domains, the session cookie may not be set or sent correctly. Cookies work best when both the UI and Ory Kratos are on the same domain. If they are on different subdomains, you must set the cookie domain explicitly in the Kratos config (
session.cookie.domain
). If they are on different top-level domains, cookies will not work at all ([CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf)). 2. Missing or Misconfigured Continuity Cookie: During the OIDC flow, Kratos uses a continuity cookie to resume the session after the callback. If this cookie is not set with the correct domain, Kratos cannot access it after the redirect, resulting in "no resumable session found" and the session cookie not being set. This is a known issue when running Kratos under a subdomain and the continuity cookie is not configured to be accessible across subdomains ([GitHub Issue: ory_kratos_continuity cookie has no domain set](https://github.com/ory/kratos/issues/2713)). 3. Secure and SameSite Cookie Attributes: If you are running over HTTP (not HTTPS) and not in 
--dev
mode, cookies with the 
Secure
flag will not be sent by the browser. Also, 
SameSite
settings can prevent cookies from being sent in cross-origin requests. For local development, use 
--dev
mode; for production, always use HTTPS ([CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf)). 4. Mixing 127.0.0.1 and localhost: These are treated as different domains by browsers. Make sure you use one consistently across your configuration ([CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf)). 5. Session Hook Not Enabled: If you do not have the 
session
hook enabled in your OIDC registration flow, the session will not be created after OIDC sign-in, and thus no session cookie will be set ([Social sign-in configuration](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc), [Successful registration](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#successful-registration)). Summary: The most likely reasons for a missing 
ory_kratos_session
cookie in the OIDC callback are cookie domain/path issues, missing or misconfigured continuity cookie, secure/SameSite attribute problems, inconsistent domain usage, or missing session hook in your OIDC flow configuration. Check your Kratos configuration and deployment setup for these common pitfalls.
w
@chilly-king-10285 Is there a way to do settings account linking for native app?
b
A message from kapa.ai
Based on the knowledge sources, settings account linking (linking an OIDC/social account to an existing identity) is not currently supported for native apps (API flows) in Ory Kratos. - The official documentation for the settings flow explicitly states: > Social Sign In is not possible for API Clients. It will be possible in a future version, which is partially tracked as [kratos#273](https://github.com/ory/kratos/issues/273) [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20) - This is further confirmed in GitHub issues and discussions, where maintainers note that while OIDC is supported for native login/registration, account linking via the settings flow is not yet implemented for API/native flows [Github Issue: Settings flow does not have 
link
option with OIDC & Password methods enabled](https://github.com/ory/kratos/issues/4185), [Discussion: How to link Apple provider using native auth?](https://github.com/ory/kratos/discussions/4356). Summary: There is currently no supported way to perform account linking (settings flow OIDC link) for native apps in Ory Kratos. This feature is planned for a future release, but is not available as of now.
w
@chilly-king-10285 Any way to pass the idp token to Kratos for account linking?
b
A message from kapa.ai
Based on the knowledge sources, there is currently no supported way to pass an IDP (identity provider) token (such as an OIDC 
id_token
) directly to Ory Kratos for account linking in the settings flow. - The documentation and GitHub discussions confirm that while you can pass an 
id_token
for login and registration using native SDKs, this is not yet supported for the settings/account linking flow. The settings flow for account linking (linking a social account to an existing identity) only supports browser-based flows, not API/native flows, and does not accept an 
id_token
for linking [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20), [Discussion: How to link Apple provider using native auth?](https://github.com/ory/kratos/discussions/4356), [Github Issue: Settings flow does not have 
link
option with OIDC & Password methods enabled](https://github.com/ory/kratos/issues/4185). Summary: At this time, you cannot pass an IDP token to Kratos for account linking in the settings flow. This feature is not yet implemented for API/native flows; only browser-based flows are supported for account linking.
w
@chilly-king-10285 So no way to link account in native app?
b
A message from kapa.ai
Based on the knowledge sources, there is currently no supported way to perform account linking (linking a social/OIDC account to an existing identity) in a native app (API flow) with Ory Kratos. Account linking via the settings flow is only available in browser-based flows, and native/API flows do not support this feature yet. This limitation is confirmed in both the official documentation and multiple GitHub discussions and issues [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20), [Discussion: How to link Apple provider using native auth?](https://github.com/ory/kratos/discussions/4356), [Github Issue: Settings flow does not have 
link
option with OIDC & Password methods enabled](https://github.com/ory/kratos/issues/4185). If you need this functionality, you will need to wait for a future release where native account linking is supported, as it is not available at this time.
w
@chilly-king-10285 Can we use the login flow instead to achieve it?
b
A message from kapa.ai
You cannot reliably use the login flow as a substitute for account linking in native apps. According to the knowledge sources, Ory Kratos supports account linking during login only in specific scenarios—primarily when a user attempts to log in with a social provider and the email matches an existing account. In this case, Kratos may prompt the user to enter their password to confirm the link. However, this is a browser-based flow and is not supported for API/native flows (such as those used in native apps) [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration). For native apps, the knowledge sources do not document a supported way to use the login flow for account linking, nor do they provide a method to pass an IDP token for linking in the login flow. The limitation is that account linking (including via login) is not available for API/native flows at this time [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#link-and-unlink-from-google-facebook-github--openid-connect--oauth-20), [Discussion: How to link Apple provider using native auth?](https://github.com/ory/kratos/discussions/4356). Summary: No, you cannot use the login flow in native apps to achieve account linking. This functionality is only available in browser-based flows, and native/API flows are not supported for account linking at this time.
w
@chilly-king-10285 How to check the account has password or not?
b
A message from kapa.ai
To check if an account (identity) has a password set in Ory, you can use the Ory Admin API endpoint 
GET /admin/identities/{id}
with the 
include_credential=password
query parameter. This will return the identity's credentials, including the password credential if it exists. Example request:
Copy code
GET /admin/identities/{id}?include_credential=password
If the response includes a 
password
credential object, the account has a password set. If the 
password
credential is missing, the account does not have a password. The response will look like this if a password is present:
Copy code
json "password": {   "type": "password",   "identifiers": [     "<mailto:example@ory.sh|example@ory.sh>"   ],   "config": {     "hashed_password": "$2a$12$...."   },   "version": 0,   "created_at": "...",   "updated_at": "..." }
If the password credential is not present, the account does not have a password set [Ory API Reference: getIdentity](https://www.ory.sh/docs/reference/api), [Github Issue: include_credential query parameter](https://github.com/ory/network/issues/425). Summary: Use the Admin API to fetch the identity with 
include_credential=password
and check if the 
password
credential exists in the response.
w
@chilly-king-10285 Can it do it in frontend side?
b
A message from kapa.ai
No, you cannot check if an account has a password set from the frontend side using Ory’s public APIs. The ability to include credentials (such as checking for a password) is only available through the Ory Admin API with the 
include_credential=password
parameter, which requires privileged access and an API key. This endpoint is not accessible from the frontend for security reasons [Export identities](https://www.ory.sh/docs/kratos/manage-identities/export-user-accounts-identities). In summary, checking if an account has a password must be done server-side using the Admin API, not from the frontend.
w
@chilly-king-10285 Can we use passkey in native app?
b
A message from kapa.ai
Based on the knowledge sources, passkeys (WebAuthn-based passwordless authentication) are not supported in native mobile apps with Ory Kratos or Ory Network at this time. WebAuthn and passkey authentication are browser standards and require browser APIs and JavaScript, which are not available in native app environments. The documentation explicitly states: > WebAuthn is a browser standard. It does not work in native mobile apps ([Passkeys & WebAuthn Constraints](https://www.ory.sh/docs/kratos/passwordless/passkeys#constraints)). Additionally, a GitHub issue confirms: > As for the Ory Network - I believe that we do not support WebAuthN on native devices for now. The current implementation of it is pretty browser focused and requires JS and browser APIs (as you mentioned) ([GitHub Issue: Flutter native app and biometric authentication](https://github.com/ory/network/issues/284)). Summary: You cannot use passkey authentication in native apps with Ory at this time. Passkey/WebAuthn support is limited to browser-based applications.
w
@chilly-king-10285 What is the flow of registration with google?
b
A message from kapa.ai
The flow of registration with Google in Ory (using OIDC) is as follows: 1. User initiates registration: The user visits your application's registration page and chooses "Sign up with Google." The registration flow is started, and the UI presents a button for Google sign-up if OIDC is enabled and Google is configured as a provider [Registration with Google, Facebook, GitHub, ..., OpenID Connect / OAuth 2.0](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-with-google-facebook-github--openid-connect--oauth-20). 2. Redirect to Google: When the user clicks the Google sign-up button, they are redirected to Google’s OAuth2/OpenID Connect authorization endpoint. 3. User authenticates with Google: The user logs in to their Google account and consents to share their profile information with your application. 4. Google redirects back to Ory: After successful authentication, Google redirects the user back to the Ory callback URL with an authorization code. 5. Ory exchanges the code for tokens: Ory exchanges the authorization code for tokens (ID token, access token) and retrieves the user’s profile information from Google. 6. Ory creates a new identity: Ory uses the information from Google (such as email, name) to create a new identity in your system. The user is now registered. 7. User is signed in (if session hook is enabled): If the 
session
hook is configured for the OIDC registration flow, the user is automatically signed in after registration. Otherwise, they may need to log in again [Social sign-in configuration](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc). 8. User is redirected to your application: The user is redirected to the post-registration URL configured in your Ory settings. What the user sees: - A registration page with a "Sign up with Google" button. - Google’s login and consent screens. - After successful registration, they are redirected back to your app, signed in as a new user [Social sign-in overview](https://www.ory.sh/docs/kratos/social-signin/overview). Example payload for registration flow with Google:
Copy code
json {   "id": "c1f4dfd1-3559-4cd3-b6f6-4a83689a41bd",   "ui": {     "nodes": [       {         "type": "input",         "group": "oidc",         "attributes": {           "name": "provider",           "type": "submit",           "value": "google"         },         "meta": {           "label": {             "text": "Sign up with google"           }         }       }     ]   } }
[Registration with Google, Facebook, GitHub, ..., OpenID Connect / OAuth 2.0](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-with-google-facebook-github--openid-connect--oauth-20) For more details and setup instructions, see the [Ory social sign-in documentation](https://www.ory.sh/docs/kratos/social-signin/overview).
2 Views
Open in Slack
PreviousNext
Powered by