Overview
Thanks to social sign-in, users can use their existing accounts from providers such as Google, Slack, or Facebook for sign-up and sign-in in your application.
Ory Cloud provides convenient, GUI-based flows for adding new social sign-in providers through the Ory Cloud Console. Each flow is custom-tailored to accommodate configuration requirements of the specific identity provider.
Alternatively, you can use the Ory CLI to add and configure social sign-in providers.
info
This feature is being actively developed. New provider-specific flows are added to the Ory Cloud Console with new releases.
By signing up with external identity providers, users give Ory access to the profile data of the account created in the external identity provider. This data is used to create an Ory identity and a user account in your application
Allowing users to use their existing accounts with your application removes the friction that comes with having to remember another set of credentials and makes the decision to sign up much easier.
Adding social sign-in providers relies on OAuth2 and OpenID Connect.
OIDC Token Handling
Ory Identity Service (Kratos) doesn't save the OIDC tokens it gets from social sign-in providers. The tokens are exchanged for Ory Sessions. The tokens are used in the following way:
- Ory Identity Service starts the OIDC flow with a social sign-in provider.
- Upon successful authentication, the social sign-in provider issues an
id_token. - Ory Identity Service gets user information from the
id_tokenclaims. - The Identity service checks if a matching identity exists.
✅ The user gets a Session.
❌ Identity Service creates a new identity and issues a Session. - The system discards of the
id_tokenwhen the flow is completed.
Preventing Account Linking
If you enable multiple registration methods, users can link their existing accounts to social sign-in provider accounts after email verification.
Linking accounts is an operation that users must perform manually from their account settings.
info
Automatic account linking is not available in Ory as it creates an attack vector that hackers can use to steal user accounts. Read this section to learn more.
To disable account linking, add the session hook after one of the registration methods (for example password):
selfservice:
flows:
registration:
after:
password:
hooks:
- hook: session
Dangers of Automatic Account Linking
While convenient for users, automatic account linking creates an attack vector that can allow malicious actors to steal user accounts.
To better understand the danger, consider the following scenario:
- Your application allows users to create new accounts or sign in with ACME - a well-known social sign-in provider.
- John creates a new account in your application using his
john@doe.comemail. - Malicious actors know that John uses
john@doe.comto sign in to his account in your app. - Malicious actors create an ACME account for
john@doe.com. - Malicious actors sign up in your application using the ACME account created for the
john@doe.comaccount. - Your system uses the default behavior and when it detects two accounts with the same identifier, malicious actors are asked to link the accounts.
- Malicious actors link the accounts.
- Malicious actors get access to the account that John created manually using his
john@doe.comemail.
warning
Since it constitutes a security threat, automatic account linking is not available in Ory.
Prevent Having to Login after Sign-Up
When adding social sign-in providers manually, remember to add the session hook to after/oidc/hooks. If you don't add this
hook, users will have to login again after signing up to get a session.
selfservice:
flows:
registration:
after:
oidc:
hooks:
- hook: session