ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0
11.12k stars, 954 forks

Jsonnet data mapping at OIDC login #3917

Closed. fenech closed this 4 months ago

fenech commented 4 months ago

Ory Network Project

No response

Describe your problem

We enable OIDC login/self-registration, which connects to Dex using the generic provider. Dex in turn connects to an LDAP instance, and returns OIDC claims based on the user's LDAP attributes. For example, the user's email address and group memberships are defined in LDAP, and we want that to remain the source of truth.

At registration time, we map these OIDC claims to traits/metadata in Kratos.

The problem arises after registration, if the user's details are modified in LDAP (e.g. their group memberships change). How can we trigger the data mapping again, so that the user is also updated in Kratos?

Describe your ideal solution

Ideally, the mapping would occur on every login, rather than only happening once at registration. It would make sense for this to be "opt-in", possibly by making it a type of "after OIDC login" hook.

Workarounds or alternatives

Alternatively, if we had access to the latest ID token in Kratos (currently we only have the initial one from registration), then we could set up a web hook and trigger it to:

Alternatively, I guess there are security concerns, but including the ID token directly in the ctx object passed to the web hook would be more convenient.

Version

v0.11.0

Additional Context

In the docs https://www.ory.sh/docs/kratos/social-signin/data-mapping#set-identity-metadata it says (emphasis mine):

You can set public and admin metadata fields; these fields will then be populated whenever data is mapped. This is useful if you want to store data from the social sign-in provider without the user being able to modify it.

But I didn't find any explicit reference to when this happens exactly. It appears to be only at registration time.
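For readers unfamiliar with the mapping being discussed, here is an added example of a Kratos OIDC data-mapping Jsonnet file for the generic provider; it is not code from this issue or from the Ory project. It assumes Dex sends the LDAP group list in a non-standard `groups` claim and that Kratos exposes non-standard claims under `claims.raw_claims` (both are assumptions to verify against your provider and Kratos version). The email goes into a trait, while the group list is written to `metadata_admin`, so the user cannot edit it through the settings flow:

```jsonnet
// Added example (not from the issue or the Ory project).
// Kratos evaluates this file with the provider's claims injected as an extVar.
local claims = std.extVar('claims');

// Assumption: Dex puts LDAP groups in a non-standard "groups" claim, which
// Kratos surfaces under raw_claims. Default to an empty list if it is absent,
// so a missing claim does not abort registration with a Jsonnet error.
local groups =
  if 'raw_claims' in claims && 'groups' in claims.raw_claims
  then claims.raw_claims.groups
  else [];

{
  identity: {
    traits: {
      // Only map the address when the provider asserts it is verified;
      // a null key makes Jsonnet omit the field, so registration then
      // fails schema validation instead of storing an unverified address.
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
    // Admin metadata is invisible to and not editable by the end user,
    // which is the right place for authorization data such as groups.
    metadata_admin: {
      groups: groups,
    },
    // Public metadata is readable (but not writable) by the user.
    metadata_public: {
      source: 'dex',
    },
  },
}
```

The file is referenced from the provider entry in the Kratos config via `mapper_url` (for example `file:///etc/config/kratos/oidc.dex.jsonnet`, an assumed path). As the issue notes, Kratos only evaluates this mapping when the identity is created, so a group change in LDAP after registration is not reflected in `metadata_admin.groups` until the identity is updated by some other means.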

fenech commented 4 months ago

Thinking some more about this, another way to achieve the sync would be to pass through the OIDC claims in the ctx object that can be accessed by the web hooks. Then a post-login hook could be written to update the identity in Kratos.

alnr commented 4 months ago

Duplicate of https://github.com/ory/kratos/issues/2898

Please let me know if I am mistaken.

fenech commented 4 months ago

OK, thanks. I have opened a PR referring to that issue, since it is a potential solution.