# ory-selfhosting
m
I am a bit confused with what I am seeing with `identifier_first` running locally. I am set up with password and multiple OIDC providers I have added in both configs from https://www.ory.sh/docs/identities/sign-in/identifier-first-authentication. On the React frontend I use `oryClient.createBrowserLoginFlow` to create a flow, which returns the UI nodes with the identifier input and submit input grouped with `identifier_first`, which makes sense, but also returns all of the "buttons" for all of the OIDC providers, which was surprising. I then try to update the flow with the below, using an identifier that has Google OIDC as its only credential:
```javascript
oryClient.updateLoginFlow({
  flow: currentFlow.data.id,
  updateLoginFlowBody: {
    method: 'identifier_first',
    identifier: identifier,
    csrf_token: csrfToken || undefined,
  },
})
```
And surprisingly I get an HTTP 400 response, with the body now having a top-level property of `"active": "identifier_first"`, and within the UI nodes I still have all of the OIDC providers and a password field as well. The documentation from the link does not go into detail on what should have changed by changing to the `identifier_first` flow, so I was not sure what to expect, but this was not it.
I also tried removing the account enumeration mitigation, in which case I get no OIDC UI nodes after updating the login flow but always get this message on the identifier field: "This account does not exist or has no login method configured." So maybe it is working as it is supposed to for the mitigated scenario. But I have no clue why it is not finding the identifier, since I am able to log in with it.
Last note: I am not using B2B Organization login.
b
> but I have no clue why it is not finding the identifier

Are you referring to the 400 error here? It seems like it's working correctly. If you have account enumeration mitigation turned on, we return all configured authentication methods. If it's turned off, only the user's configured methods are returned.
m
I was referring to the fact that I was getting the message "This account does not exist or has no login method configured." on the identifier field when I am updating the login flow with an identifier that exists, with a single OIDC credential.
b
Oh I see. I assume the identity schema is set up to have email addresses as a credential, the data mapping in the OIDC provider definition correctly returns the email address, and the OIDC provider does return the email address?
m
I believe I have the identity schema set up correctly, as it is pretty standard.
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string"
            },
            "last": {
              "title": "Last Name",
              "type": "string"
            }
          }
        },
        "mobile_phone": {
          "type": "string",
          "title": "Mobile Phone"
        },
        "image": {
          "type": "string",
          "title": "Avatar",
          "format": "string"
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
```
And yes, the jsonnet is properly parsing the claims and pulling the email address from the response, as the traits on my `identities` table record are correct, with the email address associated with the OIDC provider that was used to log in. I have never worked in Go, but I took a look at the code base and it seems like the query in the idfirst strategy_log to find the identity is `FindIdentityByCredentialIdentifier` with the native query:
```sql
SELECT ic.identity_id
FROM identity_credentials ic
INNER JOIN identity_credential_identifiers ici
    ON ic.id = ici.identity_credential_id
WHERE ici.identifier = ?
AND ic.nid = ?
AND ici.nid = ?
LIMIT 1
```
But when I look in the `identity_credential_identifiers` table at OIDC credentials, the record that it should be matching on does not have the email address as the identifier. In this case it is `Google:999999999999999999999`, so is it not possible to have identifier_first find existing credentials for OIDC providers? Or do I have something configured incorrectly, causing the identifier in the `identity_credential_identifiers` table to be Google's internal identifier instead of the email address associated with the provider?
b
The Identifier First strategy tries to resolve the identity via any existing identifier. As you have accurately summarized, in case of OIDC the only credential identifier available seems to be the subject returned by the OIDC provider, and thus no match can be found when the user enters their email address. A workaround is to enable the `selfservice.methods.code.passwordless_enabled` configuration option, as that actually creates a credential identifier with the user's email address. An additional benefit is that the user can also log in with a code that is sent to their email address. I would still consider this a bug. We'd love to take a look at this, and since you already made the relevant findings, could I ask you to create a bug report in ory/kratos on GitHub? Thank you and thanks for being an active community member ❤️