# talk-kratos
m
In a perfect world, I'd be able to use Kratos for social sign-in with the following features:

1. Trivial linking of multiple social logins
2. Able to link social logins that use different emails
   a. e.g. github with abc@gmail.com and google with xyz@gmail.com linked to the same Kratos identity
3. Able to have different identities for different social logins with the same email
   a. e.g. github with abc@gmail.com and google with abc@gmail.com linked to different Kratos identities
4. Able to link social logins of the same site with different emails
   a. e.g. github with abc@gmail.com and github with xyz@gmail.com linked to the same Kratos identity
5. Able to link already-registered social logins
   a. Implies being able to merge existing Kratos identities
6. Able to register with a social login without reading user email at all

Can someone from Ory chime in on how realistically I can achieve each of these with Kratos now or in the foreseeable future?
t
I am also looking for the same answers.
m
Hey folks, apologies for the late answer.
> Can someone from Ory chime in on how realistically I can achieve each of these with Kratos now or in the foreseeable future?

tl;dr: Yes you can achieve this with Ory Kratos right now 😉

> 1. Trivial linking of multiple social logins

Yes that is possible, see this document.

> 2. Able to link social logins that use different emails
>    a. e.g. github with abc@gmail.com and google with xyz@gmail.com linked to the same Kratos identity

That should be no problem, since the primary identifier is the `sub` field (`sub` is linking the OIDC credentials to an identity), see this document.
the ID Token body (or the OAuth2 equivalent) returned by the OpenID Connect provider contains:
```json
{
  "sub": "some-identity-id-4hA8gk",
  "email": "foo@ory.sh",
  "website": "https://www.ory.sh"
}
```
which is then being used for the identity's traits.

> 3. Able to have different identities for different social logins with the same email
>    a. e.g. github with abc@gmail.com and google with abc@gmail.com linked to different Kratos identities

Same case as above - interesting use case, do you have a practical example for this one?

> 4. Able to link social logins of the same site with different emails
>    a. e.g. github with abc@gmail.com and github with xyz@gmail.com linked to the same Kratos identity

Same case as above, use the `sub` field which is going to be different for each gh social.

> 5. Able to link already-registered social logins
>    a. Implies being able to merge existing Kratos identities

You can't merge them directly, but you can create and update identities: https://www.ory.sh/docs/kratos/admin/managing-users-identities#operation/getVersion

> 6. Able to register with a social login without reading user email at all

Sure, just leave it out in the claims.
h
Thank you vincent, great answer! 🙂
m
Thank you very much for the comprehensive response!