# ory-network
l
I'm experimenting with different OAuth IdPs and have a question about Ory's Google sign-in integration.... I've tested Google sign-in using Ory, AWS Cognito, and Auth0. My work uses G Suite, and I use GMail, so I have Google accounts for both personal and work use. My work account uses Okta for authentication. When I try creating an identity in Ory using a Google account, I can sign up just fine using my personal GMail account, but I get stuck in a loop when I try to use my work one. After selecting which Google account I want to sign up with, I'll be redirected back to Ory to a page like in the screenshot, only to click the "Continue" button and be presented with Google's account selection UI again. I don't have this issue with Auth0 or Cognito (identities are created without problem if I use my work account), but I can't find anything in the respective consoles to see what might be different about Ory or if there's a setting I need to adjust. Any ideas? I think Okta uses SAML if that makes a difference.
s
@limited-computer-64782 Can you please check your Google workplace account security settings? There is likely a policy blocking your login request
l
I'll follow up with our IT folks who control that, thanks 👍
@swift-chef-97535 I heard back and was told they "didn't see anything that would block SAML" in our workspace settings. Is there some way I can introspect on what's happening between Ory and Google to look for errors?
s
Ok I thought you might be using OIDC for the login. How are you sending the SAML from Ory Kratos to google ws?
l
I'm not sure. I'm using the Ory Console and set up the Google sign-in with that. So just plugged in the id/secret, made sure I had something set up in the Google console for Ory, and copied the jsonnet snippet from the Ory docs
p
Hi @limited-computer-64782 Could you send me a har file recording the requests? please make sure to start the recording in a fresh incognito tab so that there aren't any cookies etc set.
w
If company google account = Google Workspace then I think you'd need to configure the connector a bit differently? I'm talking about the `hd` claim mentioned in the green note at the end of the doc. Maybe that's something you could investigate when troubleshooting? https://www.ory.sh/docs/kratos/social-signin/google
l
I do see the `hd` value being set as I expect in the network traffic. I also tried updating the yaml config to set the `hd` claim to essential but that didn't resolve the issue
b
hey @limited-computer-64782 I think if you dig into the flow response, you might see something like this. I'm following the google sign in tutorial as well, and while the jsonnet requests storage of the `hd`, the default quickstart schema sets a property called `additionalProperties: false` which… I think because the default schema doesn't explicitly define an `hd` property, is just by default rejecting it because of this property… do you have this prop set in your schema too? I'm stuck here as well, going to try and remove the `hd` claim from my jsonnet next

EDIT: yup, removing the `hd` from my jsonnet fixed things. Now, would love to know the best way to store the `hd` since it only applies to the google signin and wouldn't want to muddy up my schema 🤔
l
@boundless-insurance-60355 thanks for the pointer! I removed the `hd` property from my jsonnet as well and now it works!

So I guess if you include `hd` in the property mapping jsonnet but don't include `hd` in your identity schema, then this issue happens for (any?) google workspace login but not login with a "normal" Google account

Some feedback for the Ory documentation... the example Google mapping includes this:

```jsonnet
[if 'hd' in claims && claims.email_verified then 'hd' else null]: claims.hd,
```

It would be useful to point out that the identity schema needs to include an `hd` property, or perhaps change the `additionalProperties` value, or else Google Workspace sign-ups may experience issues