Skip to main content
Version: v0.2

Social Sign In with OpenID Connect and OAuth2


OpenID Connect is undergoing active refactoring and these docs will change. See #381.

The Social Sign In Strategy enables you to use

as the Identity Provider.

Because of the nature of this flow (a browser is required) it does not work API-only flows.

Browser Clients


Sign In only works when an identity exists for that profile already. If it does not exist, a registration flow will be performed instead.


Sign Up on conflict with existing primary identifiers like email:

  • Sign Up is dis-allowed and the user is asked to instead log in and then link his/her account instead.


A user may link and unlink social profiles. Unlinking is only allowed if at least one other sign in method is enabled.

API Clients

API-based login and registration using this strategy will be addressed in a future release of ORY Kratos.

Please be aware that OpenID Connect providers always require a Browser, with the exception of "Sign in with Apple" on recent iOS versions.