<@U04UQ68083H> Is it possible to create a session ...
# ory-copilot
@chilly-king-10285 Is it possible to create a session for an existing email-user from our server without logging in with their email/password?
A message from kapa.ai
Based on the provided knowledge sources, it is not possible to create a session for an existing email-user from your server without the user logging in with their email and password, except in specific scenarios:

- Social Sign-In (OIDC) and Registration Hooks: You can automatically sign in a user after registration by enabling the `session` hook, which issues a session immediately after successful registration. This is also automatically done for social sign-in providers. However, this does not apply to existing users who have not just registered or signed in via OIDC; it is specifically for the registration flow or social sign-in flow, not for arbitrary session creation for existing users without authentication steps [Sign in after registration](https://www.ory.sh/docs/actions/session).
- Passwordless/One-Time Code: If you have enabled passwordless authentication (e.g., via email or SMS one-time code), the user can authenticate without a password, but they still need to complete the authentication flow by entering the code sent to them. The server cannot create a session for the user without this user interaction [Email and SMS one-time-code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code).
- No Direct Session Creation API: There is no documented API or method in Ory Kratos or Ory Network that allows a server to arbitrarily create a session for an existing user without some form of user authentication (password, code, or social login). This is by design, to prevent security risks such as account takeover.

Summary: You cannot programmatically create a session for an existing email-user from your server without the user authenticating through a supported login method (password, code, or social login). This is a security measure enforced by Ory's architecture. If you have a specific use case (such as migration from another system), you may need to look into account linking or migration flows, but these still require some form of user authentication or verification [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration).

If you need further clarification or have a unique scenario, please provide more details.
@chilly-king-10285 We plan on offering Swedish BankId as an alternative login method to email/password. How could that be done using Ory Kratos? Ideally we would still like to create an Ory session after logging in with BankId. BankId does not provide any OIDC / OAuth2.0 endpoints.
A message from kapa.ai
Based on the provided knowledge sources, Ory Kratos supports social sign-in and external authentication primarily through OpenID Connect (OIDC) and OAuth2.0 providers. The documented approach for integrating external identity providers (such as Google, Facebook, or even custom providers) relies on these standards. Ory Kratos does not natively support direct integration with authentication providers that do not expose OIDC/OAuth2.0 endpoints, such as Swedish BankId, out of the box [Get started with social sign-in](https://www.ory.sh/docs/kratos/social-signin/overview) [Generic provider](https://www.ory.sh/docs/kratos/social-signin/generic).

What does this mean for BankId?

- Since BankId does not provide OIDC/OAuth2.0 endpoints, you cannot configure it as a social sign-in provider using the standard Ory Kratos configuration.
- Ory Kratos does not document a built-in way to create a session after authenticating with a non-OIDC provider.

Possible (but undocumented) approaches:

- The knowledge sources do not describe a supported or recommended way to integrate non-OIDC providers like BankId directly.
- There is no documented API to programmatically create a session for a user after authenticating them with an external, non-OIDC provider.

Summary: I'm sorry, but the knowledge sources do not contain information about integrating Swedish BankId (without OIDC/OAuth2.0) as a login method in Ory Kratos, nor about creating a session after such an authentication. Ory Kratos currently supports external authentication via OIDC/OAuth2.0 providers only. If BankId or a third-party service eventually offers an OIDC/OAuth2.0 bridge, you could integrate it as a generic provider. Otherwise, custom integration would require unsupported or undocumented approaches not covered in the official documentation.
@chilly-king-10285 Would it be possible for us to create our own OIDC-provider for BankId?
A message from kapa.ai
Yes, it is possible to create your own OIDC provider for BankId and then integrate it with Ory Kratos. Ory Kratos supports any OpenID Connect-compliant provider, including custom-built ones, through its "Generic Provider" option. To do this, you would need to implement an OIDC server that acts as a bridge between Ory Kratos and BankId. This OIDC server would handle the BankId authentication flow and expose standard OIDC endpoints for Ory Kratos to consume. Once your custom OIDC provider is in place, you can add it to Ory Kratos by configuring it as a generic OIDC provider, supplying the Client ID, Client Secret, and Issuer URL of your OIDC server [Generic provider](https://www.ory.sh/docs/kratos/social-signin/generic). This allows Ory Kratos to treat BankId logins like any other OIDC-based social sign-in, and sessions will be created as usual after successful authentication. In summary, while Ory Kratos cannot integrate directly with BankId, you can build an OIDC bridge for BankId and connect it to Ory Kratos using the documented generic OIDC provider flow.
@chilly-king-10285 We're using Ory Network, and when setting up a custom OIDC-provider you mention that Ory works with any "OpenID Connect-certified provider". We would not be certified in this case. Would this approach still work for us?
A message from kapa.ai
Yes, you can use a custom OIDC provider with Ory Network even if it is not officially OpenID Connect-certified, as long as it implements the OIDC specification correctly. The documentation for Ory Kratos and Ory Network refers to adding any "OpenID Connect-certified provider," but the actual requirement is that the provider supports the OIDC protocol and exposes the necessary endpoints (such as authorization, token, and userinfo endpoints) as expected by Ory [Generic provider](https://www.ory.sh/docs/kratos/social-signin/generic). When configuring a generic OIDC provider in Ory, you need to provide the Client ID, Client Secret, and Issuer URL. Ory will interact with your provider using the standard OIDC flows. Certification is not technically enforced by Ory; it is more about ensuring interoperability and compliance with the OIDC standard. As long as your implementation is compatible, it should work with Ory Network [Get started with social sign-in](https://www.ory.sh/docs/kratos/social-signin/overview). If your provider does not fully comply with the OIDC specification, you may encounter integration issues, but certification itself is not a strict requirement for the integration to function.
@chilly-king-10285 We have tried to implement our own OIDC provider and we see some progress. We use NextJs for our frontend, and have also implemented the OIDC provider within the NextJs project. We use @ory/nextjs and the components it provides. The OIDC provider has been configured in Ory Network. We now see BankId as an authentication option, the redirect works and the OIDC config file is fetched. After authenticating we will redirect back to the `redirect_uri` we get from Ory. We are then presented with a page that says:

> What happened? no resumable session found. The browser does not contain the necessary cookie to resume the session. This is a security violation and was blocked. Please clear your browser's cookies and cache and try again!

Is there a common pitfall here? Is this CORS-related or something else? Are we forgetting to do something on our end?
A message from kapa.ai
The error message "no resumable session found" typically means that the browser does not have the required continuity cookie set by Ory Kratos during the authentication flow. This cookie is essential for resuming the login/registration flow after returning from an external provider (like your custom OIDC for BankId).

Common pitfalls and causes based on the knowledge sources:

1. Cookie Domain Mismatch: If your OIDC provider and Ory Network are running on different domains or subdomains, the continuity cookie may not be accessible after the redirect. Ory requires that its APIs and your frontend run on the same domain (or properly configured subdomains) so cookies can be set and read correctly. For local development, Ory recommends using [Ory Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-tunnel) to ensure cookies are set on the correct domain [Cookie-based security model](https://www.ory.sh/docs/security-model).
2. CORS or Cross-Origin Issues: If your frontend and Ory Network are not on the same domain, or CORS is not configured correctly, cookies may not be sent or received as expected. Ory has a "deny by default" CORS policy, so you must ensure your domains are added in the Ory Console [Custom UI CORS](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug).
3. Missing or Misconfigured Continuity Cookie: The `ory_kratos_continuity` cookie must be set and available to Ory after the redirect. If your OIDC provider is implemented within your Next.js app and the redirect does not preserve this cookie (e.g., due to domain or path issues), Ory cannot resume the session [GitHub Issue: ory_kratos_continuity cookie has no domain set](https://github.com/ory/kratos/issues/2713).
4. Redirect URI Handling: Ensure that after authenticating with BankId, your OIDC provider redirects the user back to the exact `redirect_uri` provided by Ory, without any intermediate redirects that could lose cookies.

What you should check:

- Make sure your frontend, Ory Network, and OIDC provider are all on the same (sub)domain, or that cookies are set for the correct domain.
- Verify that the `ory_kratos_continuity` cookie is present in the browser before and after the redirect.
- Check your CORS and cookie settings, especially if you are using custom domains or running locally.
- Avoid any extra redirects between the OIDC provider and the Ory redirect URI.

Summary: This is most likely a cookie domain or continuity cookie issue, not a CORS problem per se. Double-check your domain setup and ensure the continuity cookie is preserved throughout the flow [Cookie-based security model](https://www.ory.sh/docs/security-model) [GitHub Issue: ory_kratos_continuity cookie has no domain set](https://github.com/ory/kratos/issues/2713). If you continue to have issues, reviewing the browser's cookie storage and network requests (using browser dev tools) can help pinpoint where the cookie is lost.
@chilly-king-10285 Since we use Ory Network, how do we make sure that the domain is consistent through the entire flow when testing locally? The continuity cookie is created on our domain (which is localhost in this case), but the failure happens on the Ory side of things.
A message from kapa.ai
To ensure the domain is consistent throughout the entire authentication flow when testing locally with Ory Network, you should use the Ory Tunnel. The Ory Tunnel mirrors Ory APIs on your local machine, making them available on the same domain (e.g., `localhost`) as your frontend application. This setup ensures that cookies—including the continuity cookie—are set and read on the same domain, which is required for the flow to work correctly.

How to use Ory Tunnel for local development:

1. Start your frontend app on `http://localhost:3000` (or your chosen port).
2. Start the Ory Tunnel with the following command (replace `<project-id>` with your Ory project ID):

   ```shell
   ory tunnel --project <project-id> http://localhost:3000
   ```

   This will expose Ory APIs at `http://localhost:4000`. You should now access your app via `http://localhost:4000` instead of `http://localhost:3000`.
3. Configure your Ory SDK (e.g., `@ory/client-fetch`) to use `http://localhost:4000` as the base URL for Ory API calls.
4. **Always use either `localhost` or `127.0.0.1` consistently**—do not mix them, as browsers treat them as different domains and cookies will not be shared between them.

By following this approach, both your app and Ory Network will operate under the same domain (`localhost`), and the continuity cookie will be available throughout the authentication flow, preventing the "no resumable session found" error [Local development](https://www.ory.sh/docs/getting-started/local-development#local-development) [Ory Tunnel](https://www.ory.sh/docs/cli/ory-tunnel#ory-tunnel) [Ory Proxy and Ory Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel).

Summary: Use Ory Tunnel and access your app through the tunnel's port to ensure domain consistency and proper cookie handling during local development with Ory Network.
@chilly-king-10285 How would that work when running the OIDC-provider locally as well? I currently expose it using ngrok, so that Ory Network can access it.
A message from kapa.ai
When running your OIDC provider locally and exposing it via ngrok for Ory Network to access, you introduce a split between local (`localhost`) and public (ngrok) domains. This can cause issues with cookies, especially the continuity cookie, because Ory Network and your frontend (running on `localhost` via Ory Tunnel) expect all parts of the flow—including redirects—to happen on the same domain.

Key points from the knowledge sources:

- Ory's security model and session management require that all services involved in the authentication flow (frontend, Ory APIs, and OIDC provider) operate under the same domain for cookies to be set and read correctly. Mixing domains (e.g., `localhost` and an ngrok URL) can break the flow, resulting in errors like "no resumable session found" [Cookie-based security model](https://www.ory.sh/docs/security-model) [Local development](https://www.ory.sh/docs/getting-started/local-development#local-development).
- For local development, Ory recommends using Ory Tunnel to ensure both your app and Ory APIs are available on the same domain (`localhost`). However, the knowledge sources do not provide a documented solution for running a local OIDC provider that must be accessible both to Ory Network (via a public URL like ngrok) and to your local frontend (via `localhost`) in a way that preserves cookies across the entire flow.

Summary: The knowledge sources do not describe a supported or recommended way to run a local OIDC provider exposed via ngrok while maintaining domain consistency for cookies with Ory Network and your local frontend. This split-domain setup is likely to cause the continuity cookie issue you are experiencing. For local development, all components should ideally run under the same domain, but exposing a local OIDC provider to Ory Network via ngrok breaks this requirement. If you need to test with Ory Network (not self-hosted), you may need to deploy your OIDC provider to a public environment where it can share a domain or subdomain with your frontend and Ory APIs, or wait until you can use a production-like setup with custom domains as described in the documentation [Set up custom domains](https://www.ory.sh/docs/guides/custom-domains).

If you must use ngrok: Be aware that this setup is not fully supported for cookie/session flows, and you may continue to encounter issues until all services are on the same domain or subdomain.
@chilly-king-10285 I might have some progress, but now I see a page with the message: What happened? oauth2: "server_error" What does this mean? Can I see more info about the error somewhere?
A message from kapa.ai
The message `oauth2: "server_error"` indicates that the authorization server (Ory Network) encountered an unexpected condition that prevented it from fulfilling the request. This is a generic error and, by default, does not provide detailed information to avoid exposing sensitive details.

To see more information about the error for debugging purposes, you can switch your Ory project to development mode. In development mode, the error response will include an `error_debug` field with more details about what went wrong. For example:

```json
{
  "error": "error",
  "error_description": "The error is unrecognizable",
  "status_code": 500,
  "error_debug": "Token is expired"
}
```

This can help you identify the root cause of the issue. Remember that in production mode, detailed debug information is not included in the response for security reasons [Solutions for common OAuth2-related problems](https://www.ory.sh/docs/hydra/debug#refresh-token-flow-fails).

If you are not seeing the `error_debug` field, ensure your project is in development mode. If you still need more information, you may need to check your OIDC provider's logs or configuration for additional clues.

Summary:

- `server_error` is a generic error from the authorization server.
- Switch to development mode to see more detailed error information in the response.
- Check your OIDC provider logs for further details if needed.
@chilly-king-10285 In the datamapping part of the OIDC-config, we have this currently:
```jsonnet
local claims = {
  email_verified: false
} + std.extVar('claims');

{
  identity: {
    traits: {
      // Map BankID data to your identity schema
      email: claims.email,
      name: claims.name,
      personal_number: claims.personal_number,
    },
  },
}
```
Is this looking correct? The email, name and personal_number should come from the JWT-token that is generated by the token endpoint correct? How should they be placed in the token, in the payload root?
A message from kapa.ai
Your Jsonnet data mapping snippet is structurally correct for mapping claims from your OIDC provider to the Ory identity schema, assuming your identity schema includes the fields `email`, `name`, and `personal_number`.

Regarding where the claims should be in the JWT token: Yes, the `email`, `name`, and `personal_number` should be present in the payload (root) of the ID token (the JWT returned by your OIDC provider's token endpoint). Ory expects to find these claims at the top level of the decoded JWT payload, as shown in the standard OIDC example:

```json
{
  "iss": "https://my-domain.projects.oryapis.com",
  "sub": "some-identity-id",
  "aud": "some-client-id",
  "exp": 1311281970,
  "iat": 1311280970,
  "nonce": "KxSty13b2L",
  "name": "Jane Doe",
  "email": "jane@example.org",
  "email_verified": true
}
```

You can add custom claims (like `personal_number`) at the root level in the same way. Your OIDC provider should include these claims in the ID token payload so that Ory can access them via `std.extVar('claims')` in your Jsonnet mapping [The ID Token](https://www.ory.sh/docs/oauth2-oidc/overview/oidc-concepts#the-id-token) [Write a Jsonnet data mapper](https://www.ory.sh/docs/kratos/social-signin/data-mapping#write-a-jsonnet-data-mapper).

Summary:

- Your mapping is correct if your identity schema matches.
- The claims (`email`, `name`, `personal_number`) should be at the root of the ID token payload.
- Ory will access them as `claims.email`, `claims.name`, and `claims.personal_number` in your Jsonnet code.

If you need to map claims from a nested object, you would need to adjust your Jsonnet accordingly, but for standard and custom claims at the root, your current approach is correct.
@chilly-king-10285 The token does get generated with the fields in the root of the payload, but I am getting this error message from Ory after it fetched the token:

```
jsonnetsecure: ERROR: RUNTIME ERROR: Field does not exist: personal_number
	https://storage.googleapis.com/bac-gcs-production/86cb9ff4f32a823d4378b70233f8440b108e3e94edc3f12bd588c166489d9a788e8293aa5786cebf187ab504c3c9d272654f67da9481ef10a290e1f526f4620d.jsonnet:11:24-46	object <anonymous>
	Field "personal_number"
	Field "traits"
	Field "identity"
	During manifestation
```

The link leads to an XML file with the content:

```xml
<Error>
  <Code>NoSuchKey</Code>
  <Message>The specified key does not exist.</Message>
  <Details>
    No such object: bac-gcs-production/86cb9ff4f32a823d4378b70233f8440b108e3e94edc3f12bd588c166489d9a788e8293aa5786cebf187ab504c3c9d272654f67da9481ef10a290e1f526f4620d.jsonnet:11:24-46
  </Details>
</Error>
```

This is the token payload from the ID-token:

```json
{
  "sub": "a54491f1-7e7a-40c7-8c39-09a3dff3829a",
  "aud": "platzer-portal-bankid",
  "iss": "https://platzer.ngrok.app/api/oauth2/bankid",
  "iat": 1758888322,
  "exp": 1758891922,
  "email": "197807075788@bankid.platzer.se",
  "personal_number": "197807075788",
  "external_account_id": "abc123",
  "name": "BankID User 197807075788"
}
```

Any idea why it is not finding `personal_number`?
A message from kapa.ai
Based on your description and the provided token payload, your ID token does include the `personal_number` field at the root, which matches your Jsonnet mapping. However, the error message from Ory:

```
jsonnetsecure: ERROR: RUNTIME ERROR: Field does not exist: personal_number
```

indicates that, at runtime, the `personal_number` field is not present in the `claims` object as seen by the Jsonnet mapper.

Possible causes and troubleshooting steps based on the knowledge sources:

1. Claims May Be Missing or Not Passed as Expected: Ory passes the claims from the ID token to the Jsonnet mapper as `std.extVar('claims')`. If the field is missing, referencing it directly will cause a runtime error. The recommended approach is to use optional field access in Jsonnet to avoid errors if a field is missing [Data mapping with Jsonnet](https://www.ory.sh/docs/kratos/reference/jsonnet):

   ```jsonnet
   local claims = { email_verified: false } + std.extVar('claims');

   {
     identity: {
       traits: {
         email: claims.email,
         name: claims.name,
         // A computed field name that evaluates to null is omitted, so the
         // trait is only emitted when the claim is actually present.
         [if "personal_number" in claims then "personal_number" else null]: claims.personal_number,
       },
     },
   }
   ```

   This way, if `personal_number` is missing, it won't cause a runtime error.
2. Debugging Claims Received by Ory: To debug what Ory actually receives, you can temporarily add all claims to `metadata_public` in your Jsonnet mapping. This is suggested in the troubleshooting guide for social sign-in mapping issues [Troubleshooting social sign-in](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect-loops-after-registration):

   ```jsonnet
   local claims = { email_verified: false } + std.extVar('claims');

   {
     identity: {
       traits: {
         email: claims.email,
         name: claims.name,
         [if "personal_number" in claims then "personal_number" else null]: claims.personal_number,
       },
       // Temporary: expose every received claim on the identity for inspection.
       metadata_public: {
         debug_claims: claims
       }
     },
   }
   ```

   After a test login, inspect the created identity in Ory to see exactly what claims are present.
3. Token Claims Source: Ensure that your OIDC provider configuration in Ory is set to use the correct claims source. By default, Ory reads claims from the `id_token`, but you can also set it to use the `userinfo` endpoint. If your provider does not support the `userinfo` endpoint or does not return all claims there, make sure `claims_source` is set to `id_token` [Generic provider additional configuration](https://www.ory.sh/docs/kratos/social-signin/generic#additional-configuration):

   ```yaml
   claims_source: id_token
   ```

Summary:

- Use optional field access in your Jsonnet mapping to avoid runtime errors if a claim is missing.
- Temporarily output all claims to `metadata_public` to debug what Ory actually receives.
- Ensure your OIDC provider config in Ory is set to use the correct claims source.

If after these steps the field is still missing, it may indicate an issue with how the OIDC provider is generating or returning the ID token, or how Ory is configured to read the claims. The knowledge sources do not provide further details on debugging beyond these steps.
@chilly-king-10285 If I want to update the credentials of an already existing Ory user to allow auto linking for a certain OIDC provider, is that possible using the update/patch API for Identities? I want to add something like this to the Identity:

```json
"credentials": {
  "oidc": {
    "config": {
      "providers": [
        {
          "provider": "bankid",
          "subject": "the-email@example.org",
          "use_auto_link": true
        }
      ]
    }
  }
}
```
A message from kapa.ai
Based on the knowledge sources, updating the credentials of an existing Ory user to allow auto-linking for a certain OIDC provider is not supported via the PATCH (`patchIdentity`) API. The PATCH API is intended for partial updates, such as changing traits or schema, but not for modifying credentials. The documentation and community discussions explicitly state that credentials cannot be changed using a PATCH operation [Is credentials patching supported?](https://github.com/ory/kratos/discussions/4395).

However, you can update credentials using the PUT (`updateIdentity`) API. The `updateIdentity` endpoint allows you to provide the full identity payload, and if you include the `credentials` field, the credentials will be imported and added to the existing credentials of the identity. This means you can add or update OIDC providers (including setting `use_auto_link: true`) for an existing identity using the `updateIdentity` endpoint [Ory API Reference – updateIdentity](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json) [Kratos API Reference – updateIdentity](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

Example payload for `updateIdentity`:

```json
{
  "schema_id": "preset://email",
  "traits": {
    "email": "the-email@example.org"
  },
  "state": "active",
  "credentials": {
    "oidc": {
      "config": {
        "providers": [
          {
            "provider": "bankid",
            "subject": "the-email@example.org",
            "use_auto_link": true
          }
        ]
      }
    }
  }
}
```

Summary:

- You cannot use the PATCH API to update credentials or add OIDC providers.
- You can use the PUT (`updateIdentity`) API to update credentials, including adding OIDC providers with `use_auto_link: true` [Ory API Reference – updateIdentity](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json).

If you need to update credentials for multiple users, consider using the batch patch endpoint, but ensure you follow the documented structure for credentials updates.
@chilly-king-10285 When I do that, I get the following error:

```json
{
  "error": {
    "code": 409,
    "status": "Conflict",
    "request": "a2b736f5-92ce-9482-9187-4319cc664374",
    "message": "Unable to insert or update resource because a resource with that value exists already"
  }
}
```

Not sure exactly what value it is referring to. The Identity already has credentials, since the email account already exists. Is that what is mentioned?
A message from kapa.ai
The error message you are seeing:

```json
{
  "error": {
    "code": 409,
    "status": "Conflict",
    "request": "a2b736f5-92ce-9482-9187-4319cc664374",
    "message": "Unable to insert or update resource because a resource with that value exists already"
  }
}
```

indicates a 409 Conflict. According to the knowledge sources, this error typically occurs when you attempt to insert or update a resource with a value that must be unique, but that value already exists in the system. In the context of identities and credentials, this usually means that one of the identifiers (such as an email address or an OIDC subject) is already associated with another identity or credential in the system.

For OIDC credentials, each identifier (e.g., the combination of `provider` and `subject`) must be unique across all identities. If you try to add an OIDC provider/subject pair that is already linked to another identity, or if the email identifier is already used in another credential type in a way that violates uniqueness, you will get this error [Docs: Credentials](https://www.ory.sh/docs/kratos/concepts/credentials) [Docs: Errors during bulk import](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#errors-during-bulk-import).

Summary:

- The error refers to a uniqueness conflict, most likely with the OIDC provider/subject pair or the email identifier.
- This can happen if the identity already has credentials with the same identifier, or if another identity in the system does.

If you need to resolve this, check if the OIDC provider/subject or email is already linked to another identity or credential. You may need to remove or update the conflicting credential before proceeding. If you need more specific details about which value is causing the conflict, the knowledge sources do not provide a way to get more granular error information from the API response.
@chilly-king-10285 We use Ory/nextJs for the session management and account creation/login. Is it possible to configure that in a way that when an email-account is created, we will also set the `autolink: true` for our own OIDC? Basically make sure this is set when the account has been created initially:

```json
"oidc": {
  "config": {
    "providers": [
      {
        "provider": "bankid",
        "subject": "the-email@example.org",
        "use_auto_link": true
      }
    ]
  }
}
```
A message from kapa.ai
Based on the provided knowledge sources, there is no documented way to automatically set `use_auto_link: true` for your OIDC provider (e.g., BankId) at the time of email account creation using Ory/nextjs or Ory Network's standard registration flows.

The knowledge sources describe how to enable auto-linking by importing or updating an identity with the `use_auto_link` flag set for a specific OIDC provider and subject, but this is done via the admin API (such as `updateIdentity` or during import), not as part of the self-service registration flow [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration). There is no mention of a configuration option or hook in Ory/nextjs or Ory Network that would automatically add or update OIDC credentials with `use_auto_link: true` when a new email/password account is created through the standard user-facing flows.

Summary:

- The knowledge sources do not describe a way to automatically set `use_auto_link: true` for an OIDC provider during email account creation via Ory/nextjs or Ory Network self-service flows.
- Setting `use_auto_link: true` must be done via the admin API after account creation, or by importing identities with this flag set.

If you require this functionality, you would need to implement a custom process that updates the identity after creation using the admin API, but this is not covered in the official documentation.
@chilly-king-10285 Now I have a problem with finishing the registration. I get to the registration page after using our custom OIDC. But when I click the "Continue"-button to finish the registration, I am taken back to the "authorization"-page, as in the page you get to to authorize before signing in/registering. This is the same page that is returned as the `authorization_endpoint` field in the openid-configuration file. Any idea why that is happening?
A message from kapa.ai
Based on the knowledge sources, the behavior you describe—being redirected back to the authorization page after clicking "Continue" on the registration page—can occur if the OIDC flow is not completed properly or if there is an issue with how the session or flow state is managed between your OIDC provider and Ory.

Possible causes from the knowledge sources:

1. Missing or Invalid Continuity Cookie: If the continuity cookie (`ory_kratos_continuity`) is missing or not preserved throughout the flow, Ory cannot resume the registration session and may restart the OIDC authorization process. This is a common pitfall, especially when domains are not consistent or cookies are not set correctly during redirects [Cookie-based security model](https://www.ory.sh/docs/security-model) [Local development](https://www.ory.sh/docs/getting-started/local-development#local-development).
2. Claims Mapping or Data Mapping Issues: If the data mapping (Jsonnet) fails or required traits are missing, Ory may not be able to complete the registration and could restart the flow. The troubleshooting guide suggests outputting all claims to `metadata_public` to debug what is being received and mapped [Troubleshooting social sign-in](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect-loops-after-registration).
3. Redirect Loops Due to Incomplete Registration: If Ory cannot map all required identity traits from the OIDC provider, it may redirect the user back to the registration page, and if the issue persists, this can result in a loop or restart of the flow [Troubleshooting social sign-in](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect-loops-after-registration).
4. Session Not Created After Registration: If the session is not created after registration (e.g., missing the `session` hook in the registration flow), the user may be sent back to the start of the flow [Successful registration](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#successful-registration).

What you can do:

- Ensure the continuity cookie is present and preserved throughout the flow.
- Check your Jsonnet data mapping for missing or incorrectly mapped traits.
- Temporarily output all claims to `metadata_public` to debug what Ory receives.
- Make sure the `session` hook is enabled in your registration flow configuration if you want users to be logged in immediately after registration.

Summary: This issue is most likely related to a missing or invalid continuity cookie, or a problem with claims mapping/data mapping that prevents Ory from completing the registration. Double-check your cookie handling, domain setup, and data mapping configuration to resolve the issue [Cookie-based security model](https://www.ory.sh/docs/security-model) [Troubleshooting social sign-in](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect-loops-after-registration).