https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> how can I include the information f...
# ory-copilot
f
@chilly-king-10285 how can I include the information from the OIDC (like name, oidc identity id, etc) in my claims?
b
A message from kapa.ai
To include information from the OIDC provider (such as name, OIDC identity ID, etc.) in your claims when using Ory, you need to use a Jsonnet data mapping script. This script maps the claims received from the OIDC provider to your Ory identity traits or metadata fields. ### How to Map OIDC Claims 1. Access OIDC Claims in Jsonnet The OIDC claims are available in your Jsonnet script as `std.extVar('claims')`<br> Example:
Copy code
jsonnet    local claims = std.extVar('claims');
2. Map Claims to Identity Traits or Metadata You can map any claim (like 
name
, 
sub
for OIDC identity ID, etc.) to your identity traits or metadata fields. For example:
Copy code
jsonnet    local claims = std.extVar('claims');     {      identity: {        traits: {          name: claims.name,          oidc_id: claims.sub,          email: claims.email,        },        metadata_public: {          // Store additional info, e.g., OIDC provider          oidc_provider: claims.iss,        },      }    }
- 
claims.name
maps the OIDC name claim. - 
claims.sub
is the OIDC subject (unique user ID). - You can add any other claim as needed. 3. Set Metadata Fields (Optional) If you want to store OIDC data in metadata (not modifiable by the user), use 
metadata_public
or `metadata_admin`:
Copy code
jsonnet    {      identity: {        traits: {          email: claims.email        },        metadata_public: {          oidc_id: claims.sub,          oidc_name: claims.name,        },      }    }
[Set identity metadata](https://www.ory.sh/docs/kratos/social-signin/data-mapping#set-identity-metadata) 4. Optionality and Defaults If a claim might not always be present, use optional fields:
Copy code
jsonnet    {      identity: {        traits: {          [if "name" in claims then "name" else null]: claims.name,          [if "sub" in claims then "oidc_id" else null]: claims.sub,        },      }    }
[Data mapping with Jsonnet](https://www.ory.sh/docs/kratos/reference/jsonnet) ### Where to Configure - In the Ory Console or CLI, add your Jsonnet mapping in the "Data Mapping" section when configuring your OIDC/social sign-in provider. ### Notes - The structure of the claims object depends on the OIDC provider and the scopes you request. - For more advanced scenarios (like merging data from multiple providers), see the discussion on using both 
claims
and the existing 
identity
in your mapping logic, but note that OIDC data is typically only set at registration, not during account linking flows [Github Issue #164](https://github.com/ory/network/issues/164). For more details and examples, see the official documentation on [Jsonnet data mapping](https://www.ory.sh/docs/kratos/reference/jsonnet) and [social sign-in data mapping](https://www.ory.sh/docs/kratos/social-signin/data-mapping).
f
@chilly-king-10285 how can I save profile data from oidc in user traits and public metadata?
b
A message from kapa.ai
To save profile data from OIDC in user traits and public metadata in Ory, you need to use a Jsonnet data mapper. This mapper allows you to map claims from the OIDC provider to both the identity traits and the metadata fields. Here’s how you can do it: 1. Access OIDC Claims in Jsonnet The OIDC claims are available as 
std.extVar('claims')
in your Jsonnet script. 2. Map Claims to Traits and Metadata You can assign any claim to a trait or to public metadata. For example:
Copy code
jsonnet    local claims = std.extVar('claims');     {      identity: {        traits: {          email: claims.email,          name: claims.name,          // Add more traits as needed        },        metadata_public: {          oidc_id: claims.sub,          oidc_profile_url: claims.profile,          // Add more public metadata as needed        },      }    }
In this example: - 
traits
will store user-editable fields (like 
email
, 
name
). - 
metadata_public
will store non-editable, public fields (like 
oidc_id
, 
oidc_profile_url
). 3. Apply the Mapper - In the Ory Console, go to Authentication → Social Sign-In, pick your provider, and paste your Jsonnet code into the data mapper input form. - Or, if using the CLI, encode your Jsonnet and update your identity config as described in the documentation. 4. Reference - The official documentation provides an example of setting both traits and public metadata using OIDC claims. See the section on [setting identity metadata](https://www.ory.sh/docs/kratos/social-signin/data-mapping#set-identity-metadata). - For more on writing Jsonnet mappers, see [Write a Jsonnet data mapper](https://www.ory.sh/docs/kratos/social-signin/data-mapping#write-a-jsonnet-data-mapper). Note: - Only include fields in your traits that are defined in your identity schema. - Do not store sensitive data in 
metadata_public
as it is visible to the user. This approach ensures that profile data from OIDC is saved in both user traits and public metadata as required by your application’s needs.
f
@chilly-king-10285 I added the fields in the google data mapper. Do I need to add the fields somewhere else? like the identity schema json?
b
A message from kapa.ai
Yes, you must add the fields you use in your Google data mapper to your identity schema JSON. The identity schema defines which traits (fields) are valid for your identities. If you map claims (like 
first_name
, 
last_name
, etc.) from Google to traits that are not present in your identity schema, Ory will reject the data as invalid. For example, if your data mapper includes:
Copy code
jsonnet {   identity: {     traits: {       email: claims.email,       first_name: claims.given_name,       last_name: claims.family_name,     },   }, }
Then your identity schema JSON must define 
first_name
and 
last_name
as valid traits:
Copy code
json {   "$schema": "<http://json-schema.org/draft-07/schema#>",   "type": "object",   "properties": {     "traits": {       "type": "object",       "properties": {         "email": {           "type": "string",           "format": "email"         },         "first_name": {           "type": "string"         },         "last_name": {           "type": "string"         }       },       "required": ["email", "first_name", "last_name"]     }   } }
If you do not add these fields to your identity schema, users will be prompted to fill in the missing data, or the registration will fail if the schema validation does not pass. This requirement is explicitly mentioned in the documentation: > If you want to use this data mapping, you must include the 
first_name
and 
last_name
fields in your Identity Schema [Google Social Sign-In Data Mapping](https://www.ory.sh/docs/kratos/social-signin/google#data-mapping) So, always ensure your identity schema JSON matches the fields you use in your data mapper.
f
@chilly-king-10285 do I need to define the metadata_admin and metadata_public in there as well?
b
A message from kapa.ai
No, you do not need to define 
metadata_admin
and 
metadata_public
in your identity schema JSON. According to the Ory documentation, metadata fields (
metadata_admin
and 
metadata_public
) are not validated using the identity's JSON schema. You can store any data in these fields, but you must ensure that the data you store is valid for your use case and keep your schema up to date if you want to reference these fields elsewhere. The documentation states: > Metadata is not validated using the identity's JSON schema. You must ensure that the metadata you store is valid according to your schema and you must keep the schema up to date to accommodate changes in the data. [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata) So, only the fields in 
traits
need to be defined in your identity schema JSON. Metadata fields are managed separately and do not require schema definitions.
Open in Slack
PreviousNext
Powered by