Using email + password flow and social networks

[Amarantine84]

Hi!
Tried to find an answer in docs and discussions, but no luck.

In our project we try to implement the following architecture:

1. SSO (Kratos) with options to register/login via email/password and via social networks (FB, VK and Google).
2. Several projects (web, same domain, Go and PHP as a backend, React as a frontend) that use SSO to authorize and keep auth status while switching between projects.

And we faced some difficulties during implementation that we cannot resolve.

1. Everything's fine with email/password flow. And we can retrieve email when user registers via Google (because it's required). But Facebook and VK don't require email (phone number may be used instead). How to implement registration/login in this case? Registration fails if there's no email in fb or vk profile.
2. After a new SSO-based architecture is implemented we need to migrate users from previously implemented architecture to a new one. So we need to map new Kratos IDs with ones of our previous architecture.
   Everything's rather clear with email/password accounts. But how to migrate accounts registered via social networks (we have social network numeric ID for each user in a previous implementation)?
3. We don't need any rbac or something (keto?). But our users are admins or just users. And we need just a simple boolean user property (isAdmin?) that we could read or update. Is there any way to do it without Keto?
4. After email/password based registration we need to verify emails. But as I previously mentioned we have several projects with an SSO. How can we redirect a user to a proper project after verification? I mean, if we initiated registration process from project 2 web-page we would like a user to return to the same project 2 web-page after verification and not to project 1 or 3 web-page.

[vinckr]

I could not find anything directly related to this in the docs either. It does say:
// It is assumed that Facebook requires an email to be verified before accessible via Oauth (because they don't provide an email_verified field).

I thought this means that all FB accounts that are accessible via OAuth require an email. But apparently, you can use OAuth without having an email added to your profile, is that correct?
Could you use phone_number in claims if they don't have an email set?
PhoneNumber stringjson:"phone_number,omitempty"``

The identity would look like
{ "sub": "some-identity-id-4hA8gk", "phone_number": "123456576567", "website": "https://www.ory.sh"}
instead of
{ "sub": "some-identity-id-4hA8gk", "email": "[email protected]", "website": "https://www.ory.sh"}
?

How does the social login identity look like?
Like this:
{ "sub": "some-identity-id-4hA8gk", "email": "[email protected]", "website": "https://www.ory.sh"} ?

There is probably multiple ways to solve this, you could include a boolean trait isAdmin on your identity schema that you can read with /whoami. Or you can use multiple identity schemas and employ a switch as outlined in the docs:

Ory Kratos validates the Identity Traits against the corresponding schema on all writing operations (create / update). The employed business logic must be able to distinguish these three types of identities. You might use a switch statement like in the following example:

// This is an example program that can deal with all three types of identities
session, err := ory.SessionFromRequest(r)
// some error handling
switch (session.Identity.SchemaID) {
    case "customer":
        // ...
    case "employee":
        // ...
    case "default":
        fallthrough
    default:
        // ...
}

from here

It is also possible to redirect someone back to the original URL. For example, if a user requests https://www.myapp.com/blog/write but is not logged in, we want the user to end up at that page after login. To achieve that, you append ?return_to=https://www.myapp.com/blog/write when initializing the Login / Registration /Settings flow.

[Amarantine84]

I could not find anything directly related to this in the docs either. It does say:
// It is assumed that Facebook requires an email to be verified before accessible via Oauth (because they don't provide an email_verified field).

I thought this means that all FB accounts that are accessible via OAuth require an email. But apparently, you can use OAuth without having an email added to your profile, is that correct?
Could you use phone_number in claims if they don't have an email set?

Actually, here we have 3 cases:

1. A user with email only
2. A user with phone number only
3. A user with both email and phone number
   And we need all of them to be able to register via fb, vk or google.

How would the identity schema look like to cover all cases? And what should we use as identifier?

How does the social login identity look like?
Like this:
{ "sub": "some-identity-id-4hA8gk", "email": "[email protected]", "website": "https://www.ory.sh"} ?

I should have mentioned it before, but the previous system is based on different (not Kratos) solution.
So it has database with internal_system_id; fb_id (openid?); email (may be empty), phone_number (may be empty), first_name; last_name etc. And we need to create all these users in Kratos and provide them ability to recover password and continue using their accounts.

There is probably multiple ways to solve this, you could include a boolean trait isAdmin on your identity schema that you can read with /whoami. Or you can use multiple identity schemas and employ a switch as outlined in the docs:

Ory Kratos validates the Identity Traits against the corresponding schema on all writing operations (create / update). The employed business logic must be able to distinguish these three types of identities. You might use a switch statement like in the following example:

// This is an example program that can deal with all three types of identities
session, err := ory.SessionFromRequest(r)
// some error handling
switch (session.Identity.SchemaID) {
    case "customer":
        // ...
    case "employee":
        // ...
    case "default":
        fallthrough
    default:
        // ...
}

Thanks for that, we'll try it.

from here

It is also possible to redirect someone back to the original URL. For example, if a user requests https://www.myapp.com/blog/write but is not logged in, we want the user to end up at that page after login. To achieve that, you append ?return_to=https://www.myapp.com/blog/write when initializing the Login / Registration /Settings flow.

Thanks for the link