# talk-kratos
q
Is there a document talking about the login flow for social logins? I followed the doc here for configuration: https://www.ory.sh/docs/kratos/social-signin/google
And I was able to query `/self-service/login/browser` for a flowId / CSRF token, as well as to `/self-service/login/flows`, where I can see some input forms and a csrf token are defined. However, it's not clear to me where I would be posting this data; it seems like I need to know to redirect to somewhere at the social provider's domain (google).
I just found this: https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#social-sign-in
Am I understanding this right? Would a SPA send a social password through kratos and not directly to google?
p
Hey @quick-barista-10563, no, the password is never sent to Kratos for a social provider. Kratos gives back UI nodes which you need to map to HTML elements. Please read this document first: https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration
In social sign in you will get back submit buttons with their value equaling the provider name. The form will have an action to Kratos which this button will trigger. Kratos will then redirect you to the provider with the correct query parameters. On the provider side, the user will enter their credentials.
q
Ok, I understand that kratos should not handle social login credentials. I also understand that, based on the response from `self-service/login/flows`, we need to render the nodes returned to us. However, the nodes I see returned are like this:
```json
"ui": {
    "action": "https://kratos-754c7bc7f6-fhh57:4433/self-service/login?flow=XXXXXXXXXX",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "oidc",
        "attributes": {
          "name": "provider",
          "type": "submit",
          "value": "google",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1010002,
            "text": "Sign in with google",
            "type": "info",
            "context": {
              "provider": "google"
            }
          }
        }
      },
[... CSRF]
      {
        "type": "input",
        "group": "oidc",
        "attributes": {
          "name": "provider",
          "type": "submit",
          "value": "google",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1010002,
            "text": "Sign in with google",
            "type": "info",
            "context": {
              "provider": "google"
            }
          }
        }
      },
```
That looks to me like kratos would like me to render 2 text inputs, one for `identifier` and one for `password`, but what I'm confused about is that it seems to be having me POST them to my k8s service hostname instead of upstream social provider: `https://kratos-754c7bc7f6-fhh57:4433/self-service/login?flow=XXXXXXXXXX`
p
That's why this section of the document describes creating two forms: one for social sign in and another for password. The post URL should be Kratos; Kratos will then redirect the browser to the OIDC provider. No need to post password and identifier when clicking on the sign in with Google button ;) https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#social-sign-in
q
Ah ok, I think that makes sense, I'll take another stab at it tonight. Thanks for your help 🙂