# talk-kratos
g
Hello, I have Microsoft OAuth2 working. Is there a way to update traits after the user has already authenticated? I need to do another OAuth2 request with a different scope to update the token for IMAP.
m
g
@User Thanks for your quick reply. So I will have to implement the OAuth2 with the different scope myself (not using Ory Kratos)? I want to send a second OAuth2 request for the token (IMAP) which requires a different scope, after the user has authenticated with Microsoft via the first scope (to get their email).
I don't think there exists a flow for what I'm trying to do. I don't want to use the register flow since the user is already registered, but I just want to send an OAuth2 request with a different scope via Ory Kratos and update the traits.
m
I am not sure about OAuth2.0 scopes and so on, but you can use the above to update traits in an Ory Kratos identity. So you
• update traits
• send another OAuth2.0 request with different scope to Azure?
g
@User What I'm wanting to do is that Ory Kratos handles the second OAuth2 request for me after registration/login then Ory Kratos updates the traits. Otherwise I will have to implement the OAuth2 endpoints in Golang myself and redirect the user to my API endpoint which then does the OAuth2 and finally updates the traits via the endpoint you linked.
I don't want to do the second option because I want all authentication to go via Ory Kratos.
m
I see, I am not entirely clear how the flow would look. You would do a second login flow to a different OIDC provider? Maybe I am misunderstanding what the use of this second flow is (the user is already authenticated at this point, right?), but using scopes for access control / permissions is not going to be smooth.
g
@User The provider is Microsoft, it's the same endpoint but with a different scope so I need to define another (same) Microsoft provider in Ory Kratos configuration. I want to be able to call this flow to update the user traits with the IMAP token.
The user is already logged in.
m
I see. You can try with the generic provider? Or a second Kratos instance (which shares the DB with the first instance) with the different scopes for MS. But I am not 100% sure if this is the best solution…
g
@User The provider is not my problem, the OAuth2 works. But there is no method to send a second OAuth2 request with a different scope using Ory Kratos.
m
Yeah, that's why I meant you use 2 Kratos instances configured with different scopes. But I will do some digging into what other solutions might be possible.
g
You can define a second Microsoft provider with a different ID and the different scope that works. But I need a way to call this provider in React.
There is only register/login, nothing to send to the provider and update the traits.
m
OK, I see your problem now. What about a second login flow with the different provider?
g
@User The user is already logged in, I just need to update the traits, is that possible by submitting another login?
m
Since you need to do a second flow to the same provider, I think a second login flow would be a good option. (Is there some way to do this in one flow? That would eliminate the problem IMO.)