Yes, it is possible to configure SSO (Single Sign-On) providers using the Ory CLI. The CLI allows you to manage social sign-in providers, including generic OIDC providers and popular platforms like Google, GitHub, Auth0, and more. The general workflow involves: 1. Downloading your current Ory Identities configuration using the CLI. 2. Editing the configuration file to add or modify SSO/OIDC provider settings. 3. Applying the updated configuration back to your Ory project using the CLI. For example, to add a social sign-in provider, you would: - List workspaces and projects:

ory list workspaces   ory list projects --workspace <workspace-id>

- Download the current identity config:

ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml

- Edit the

identity-config.yaml

file to add your provider under the

providers

array. - Update the configuration:

ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

You can also patch specific configuration keys directly using the CLI. This approach works for both generic OIDC providers and pre-configured providers like Google, GitHub, and others. The documentation provides detailed, provider-specific instructions and code snippets for these workflows [Ory Identities CLI](https://www.ory.sh/docs/guides/cli/identity-cli), [Social sign-in](https://www.ory.sh/docs/identities/get-started/social-sign-in). In summary, the Ory CLI fully supports configuring SSO providers for your Ory project.

@chilly-king-10285 i want to patch the providers into the config, give me an example json for google and a generic provider

Certainly! Here are example JSON payloads for patching both a Google and a generic OIDC provider into your Ory Identities configuration using the Ory CLI. ### Example JSON for Google Provider

json [   {     "op": "add",     "path": "/selfservice/methods/oidc/config/providers/-",     "value": {       "id": "google",       "provider": "google",       "client_id": "YOUR_GOOGLE_CLIENT_ID",       "client_secret": "YOUR_GOOGLE_CLIENT_SECRET",       "issuer_url": "<https://accounts.google.com>",       "mapper_url": "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}",       "scope": ["openid", "email", "profile"],       "requested_claims": {         "id_token": {           "email": { "essential": true },           "email_verified": { "essential": true },           "given_name": { "essential": true },           "family_name": null,           "hd": null         }       }     }   } ]

You must replace

YOUR_GOOGLE_CLIENT_ID

,

YOUR_GOOGLE_CLIENT_SECRET

, and

{YOUR_BASE64_ENCODED_JSONNET_HERE}

with your actual values. The

mapper_url

should contain your base64-encoded Jsonnet mapping snippet as described in the documentation [Google Data Mapping](https://www.ory.sh/docs/kratos/social-signin/google#data-mapping). --- ### Example JSON for Generic OIDC Provider

json [   {     "op": "add",     "path": "/selfservice/methods/oidc/config/providers/-",     "value": {       "id": "generic",       "provider": "generic",       "client_id": "YOUR_GENERIC_CLIENT_ID",       "client_secret": "YOUR_GENERIC_CLIENT_SECRET",       "issuer_url": "<https://your-oidc-provider.com>",       "mapper_url": "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}",       "scope": ["openid", "email"],       "claims_source": "id_token"     }   } ]

Again, replace the placeholders with your actual values. The

mapper_url

should point to your base64-encoded Jsonnet mapping snippet or a URL accessible to Ory Network [Generic Provider Example](https://www.ory.sh/docs/kratos/social-signin/generic). --- You can use these JSON payloads with the Ory CLI's patch command, for example:

sh curl -X PATCH --location "<https://api.console.ory.sh/projects/$PROJECT_ID>" \      -H "Authorization: Bearer $WORKSPACE_API_KEY" \      -H "Content-Type: application/json" \      -d @your-patch-file.json

For more details, see the official documentation on [patching identity config](https://www.ory.sh/docs/kratos/organizations#create-sso-connections-for-an-organization).

Based on the available knowledge sources, Ory does not natively support enabling or restricting specific social sign-in (OIDC) providers for only certain OAuth2 clients. The configuration for OIDC/social providers is global for the Ory Identities project, meaning all configured providers are available to all users and clients within that project. However, there is a mention of organization-specific SAML and OIDC connections, where you can specify the organization a user belongs to and associate SAML or OIDC credentials with that organization. This allows for some level of scoping, but it is based on organizations and user identities, not directly on OAuth2 clients: > When importing SAML or OIDC connections that are only available for certain organizations, you can use the

organization

field to specify the organization that the user belongs to. > ... > "credentials": { > "oidc": { > "config": { > "providers": [ > { > "provider": "github", > "subject": "12345", > "organization": "9ed50339-d6b9-47ef-9610-194773f3bfbf" > } > ] > } > } > } [Organization-specific SAML and OIDC connections](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#organization-specific-saml-and-oidc-connections) There is no documentation indicating that you can restrict OIDC providers to specific OAuth2 clients directly. If you need this level of granularity, you may need to implement custom logic outside of Ory or use organizations as a workaround. Summary: It is not possible, according to the current documentation, to enable a provider only for certain OAuth2 clients in Ory. The knowledge sources do not describe such a feature.