# talk-kratos
billions-king-90430 (Pierre):
Hello dear kratos fellows (kratows?), I need some guidance on how to implement the following scenario:

- A user could link an external directory identity (Azure AD) to his main kratos identity
- Then he could get SSO from Sharepoint Online to Oathkeeper

My investigations so far show that:

- I can get a JWT with my Sharepoint webpart to send to the backend
- Then I should verify that JWT against Azure AD from Oathkeeper, which I guess is possible?
- Then I want to authenticate to kratos using the linked account id to get the kratos user

Is it possible out of the box? Or should I fork kratos to implement it? Can I implement a specific kratos identity through some kind of plugin? Thanks
magnificent-energy-493 (Vincent):
Hello Pierre, interesting use case, can you help me with some of the details?

> Then he could get SSO from Sharepoint Online to Oathkeeper

Do you mean the user gets a session usable for Sharepoint? Or the session previously acquired through Azure AD to use in Sharepoint? Can't quite wrap my head around it. Does Sharepoint offer OIDC? Or how is it connected to Azure AD? Can the Azure AD session be used in Sharepoint?

I would advise you not to fork Ory Kratos if there is any other way, as it is a lot of work to maintain forks longer-term. There is not really a plugin system for Ory Kratos (as that usually leads to security issues, see WordPress), but we offer webhooks for all flows: https://www.ory.sh/docs/kratos/hooks/configure-hooks
billions-king-90430 (Pierre):
Hi Vincent, yes, Sharepoint Online authentication is based on Azure AD. When a user opens a session in SP, and you get a webpart component running on his site, this webpart can get a token for the current user with a piece of JavaScript like:

```typescript
// SPFx web part: ask SharePoint's AAD token provider for an access token
// for the signed-in user, scoped to the SPFx third-party service principal.
// this.context is the SPFx WebPartContext; _spPageContextInfo is the
// global page context SharePoint injects into the page.
const provider = await this.context.aadTokenProviderFactory.getTokenProvider();

// getToken resolves to the raw JWT string for the requested resource
this._token = await provider.getToken(
  _spPageContextInfo.spfx3rdPartyServicePrincipalId
);
```
On the backend, the token can be verified with the Azure AD JavaScript MSAL library like:

```typescript
import * as msal from '@azure/msal-node';
import { AuthenticationProvider } from '@microsoft/microsoft-graph-client';
// UnauthorizedException is assumed to come from NestJS (not stated in the original message)
import { UnauthorizedException } from '@nestjs/common';

// Assumed (not in the original message): confidential-client configuration
// and a client-credential request for Microsoft Graph, read from the environment.
const msalConfig: msal.Configuration = {
  auth: {
    clientId: process.env.AZURE_CLIENT_ID!,
    authority: `https://login.microsoftonline.com/${process.env.AZURE_TENANT_ID}`,
    clientSecret: process.env.AZURE_CLIENT_SECRET!,
  },
};
const tokenRequest: msal.ClientCredentialRequest = {
  scopes: ['https://graph.microsoft.com/.default'],
};

const cca = new msal.ConfidentialClientApplication(msalConfig);

export class MyAuthenticationProvider implements AuthenticationProvider {
  /**
   * This method will get called before every request to the msgraph server.
   * It returns a Promise that resolves to an accessToken (in case of success)
   * or rejects with an error (in case of failure).
   * Basically this method contains the implementation for getting and refreshing accessTokens.
   */
  async getAccessToken(): Promise<string> {
    // acquireTokenByClientCredential resolves to null when no token could be obtained,
    // so guard against both a null response and an empty token string.
    const authResponse = await cca.acquireTokenByClientCredential(tokenRequest);
    if (authResponse?.accessToken) {
      return authResponse.accessToken;
    }
    throw new UnauthorizedException('cannot obtain access token');
  }
}
```
So the backend is confident that it gets a valid token from an Azure AD authenticated user. This user has a unique Azure AD ID, which we could store in the identity admin_metadata, I suppose.

That would allow making the link between the kratos identity and the Azure AD ID to get SSO from SP.

By the way, O365 Teams and OneDrive all use Sharepoint as the backend to store documents, and they all use Azure AD for authentication. I already developed our app which provides SSO from SP to our backend services, which use an OIDC provider for authentication (Azure AD B2C, but it could be any). I'm investigating to see whether we could switch to kratos / oathkeeper / keto because it provides a nice authn / authz stack.

The way we actually do it is we let the user link his external account from within our portal application. The user authenticates to our portal, then he can link his Azure AD account through a "Link" button, which brings up the Azure AD authentication dialog. From there we get his Azure AD account ID, which we can store in the user account.
magnificent-energy-493 (Vincent):
Thanks for all the details on your use case! See the documentation for account linking here: https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account and the document on getting access tokens from social providers: https://www.ory.sh/docs/kratos/social-signin/get-tokens

Did you have any other specific questions at the moment @billions-king-90430?
billions-king-90430 (Pierre):
Oh wow, thanks a lot @magnificent-energy-493, I'll have a look