Set up social sign-in and connect with OAuth2 and OpenID Connect providers
Thanks to social sign-in, users can use their existing accounts from providers such as Google, Slack, or Facebook for sign-up and sign-in in your application.
The Ory Network provides convenient, GUI-based flows for adding new social sign-in providers through the Ory Console. Each flow is custom-tailored to accommodate configuration requirements of the specific identity provider.
Alternatively, you can use the Ory CLI to add and configure social sign-in providers.
This feature is being actively developed. New provider-specific flows are added to the Ory Console with new releases.
By signing up with external identity providers, users give Ory access to the profile data of the account created in the external identity provider. This data is used to create an Ory identity and a user account in your application
Allowing users to use their existing accounts with your application removes the friction that comes with having to remember another set of credentials and makes the decision to sign up much easier.
Adding social sign-in providers relies on OAuth2 and OpenID Connect.
Preventing account linking
If you enable multiple registration methods, users can link their existing accounts to social sign-in provider accounts after email verification.
Linking accounts is an operation that users must perform manually from their account settings.
Automatic account linking is not available in Ory as it creates an attack vector that hackers can use to steal user accounts. Read this section to learn more.
To disable account linking, add the session
hook after one of the registration methods (for example password
):
selfservice:
flows:
registration:
after:
password:
hooks:
- hook: session
Dangers of automatic account linking
While convenient for users, automatic account linking creates an attack vector that can allow malicious actors to steal user accounts.
To better understand the danger, consider the following scenario:
- Your application allows users to create new accounts or sign in with ACME - a well-known social sign-in provider.
- John creates a new account in your application using his
john@doe.com
email. - Malicious actors know that John uses
john@doe.com
to sign in to his account in your app. - Malicious actors create an ACME account for
john@doe.com
. - Malicious actors sign up in your application using the ACME account created for the
john@doe.com
account. - Your system uses the default behavior and when it detects two accounts with the same identifier, malicious actors are asked to link the accounts.
- Malicious actors link the accounts.
- Malicious actors get access to the account that John created manually using his
john@doe.com
email.
Since it constitutes a security threat, automatic account linking is not available in Ory.
Prevent having to log in after sign-up
When adding social sign-in providers manually, remember to add the session
hook to after/oidc/hooks
. If you don't add this
hook, users will have to log in again after signing up to get a session.
selfservice:
flows:
registration:
after:
oidc:
hooks:
- hook: session