Follow these steps to add a social sign-in provider when self-hosting Ory Kratos.
1. Define the redirect URL:
2. Create a client at your provider to get the Client ID and Client Secret.
3. Set the redirect URI at the provider to a URL that follows this pattern.
4. Create a Jsonnet code snippet to map the desired claims to the Ory Identity schema.
5. Encode the Jsonnet snippet with Base64 or store it in a location available to your Ory Kratos instance.
6. Add the configuration for your social sign-in provider to the Ory Kratos configuration. Add the Jsonnet snippet with mappings as a Base64 string or provide a path or a URL of the file.
```yaml
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: generic # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
            provider: generic
            client_id: .... # Replace this with the Client ID
            client_secret: .... # Replace this with the Client secret
            issuer_url: https://accounts.google.com # Replace this with the provider's issuer URL
            mapper_url: "base64://<base64-encoded-jsonnet>" # or a file:// path to the Jsonnet file
            # Alternatively, use a URL:
            # mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17
            scope: [email] # supported scopes can be found in your provider's dev docs
```
Using individual environment variables to configure OIDC providers is not recommended: the data object is nested and getting the syntax right is difficult. If you want to use environment variables, set the full JSON array of providers as a single environment variable:
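As an added example (not code from the Ory documentation), the following script covers steps 4 to 6 and the environment-variable form: it defines a Jsonnet claim mapper that only copies the e-mail trait when the provider asserts it is verified, encodes it as the `base64://` value for `mapper_url`, and builds the providers JSON array. The `<client-id>` and `<client-secret>` placeholders, the `email` scope and the Google issuer are assumed sample values.

```shell
# Added example, not from the Ory documentation. Placeholders in angle brackets
# and the "email" scope are assumed values; replace them for a real deployment.

# Constructed Jsonnet mapper. Kratos hands the provider's claims to the mapper
# via std.extVar("claims"). Only copy the e-mail into the identity traits when
# the provider marks it verified, so an unverified claim cannot be used to
# take over an existing account with the same address.
MAPPER='local claims = { email_verified: false } + std.extVar("claims");
{
  identity: {
    traits: {
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
    },
  },
}'

# Encode the mapper into the base64:// data URL accepted by mapper_url.
encode_mapper() {
  printf '%s' "$1" | base64 | tr -d '\n' | sed 's|^|base64://|'
}

# Reverse of encode_mapper; use it to check the value before deploying it.
decode_mapper() {
  printf '%s' "${1#base64://}" | base64 -d
}

# One provider object: $1 = provider id, $2 = issuer URL, $3 = encoded mapper.
provider_json() {
  printf '{"id":"%s","provider":"generic","client_id":"<client-id>","client_secret":"<client-secret>","issuer_url":"%s","mapper_url":"%s","scope":["email"]}' "$1" "$2" "$3"
}

# The full providers array, i.e. the value to export as
# SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS (the environment-variable name
# Kratos derives from the selfservice.methods.oidc.config.providers key).
providers_env() {
  printf '[%s]' "$(provider_json generic https://accounts.google.com "$(encode_mapper "$MAPPER")")"
}
```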
Prevent having to log in after sign-up
When adding social sign-in providers manually, remember to add the session hook to after/oidc/hooks of the registration flow. If you don't add this hook, users will have to log in again after signing up to get a session.
```yaml
selfservice:
  flows:
    registration:
      after:
        oidc:
          hooks:
            - hook: session
```