Closed: fenech closed this issue 4 months ago
Thinking some more about this, another way to achieve the sync would be to pass through the OIDC claims in the ctx object that can be accessed by the web hooks. Then a post-login hook could be written to update the identity in Kratos.
Duplicate of https://github.com/ory/kratos/issues/2898
Please let me know if I am mistaken.
OK, thanks. I have opened a PR referring to that issue, since it is a potential solution.
Preflight checklist
Ory Network Project
No response
Describe your problem
We enable OIDC login/self-registration, which connects to Dex using the generic provider. Dex in turn connects to an LDAP instance, and returns OIDC claims based on the user's LDAP attributes. For example, the user's email address and group memberships are defined in LDAP, and we want that to remain the source of truth. At registration time, we map these OIDC claims to traits/metadata in Kratos.
The problem is after registration, if the user's details are modified in LDAP (e.g. their group memberships are modified). How can we trigger the data mapping again, so that the user is also updated in Kratos?
Describe your ideal solution
Ideally, the mapping would occur on every login, rather than only happening once at registration. It would make sense for this to be "opt-in", possibly by making it a type of "after OIDC login" hook.
Workarounds or alternatives
Alternatively, if we had access to the latest ID token in Kratos (currently we only have the initial one from registration), then we could set up a web hook and trigger it to:
1. GET /admin/identities/$ID?include_credential=oidc
2. call the /userinfo endpoint using the ID token
Alternatively, I guess there are security concerns, but including the ID token directly in the ctx object passed to the web hook would be more convenient.
Version
v0.11.0
Additional Context
In the docs https://www.ory.sh/docs/kratos/social-signin/data-mapping#set-identity-metadata it says (emphasis mine):
But I didn't find any explicit reference to when this happens exactly. It appears to be only at registration time.
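The web hook workaround described under "Workarounds or alternatives", written out as an added example; this is editor-supplied code, not code from the issue author or from the Ory project. It assumes: that the identity returned by GET /admin/identities/{id}?include_credential=oidc carries the registration-time tokens under credentials.oidc.config.providers[] with the field names subject and initial_access_token (verify this against an export of your own identity); that the provider's userinfo endpoint is called with that access token as a bearer token, which is what OIDC userinfo requires; that each identity has exactly one OIDC provider (Dex); that email and groups are the LDAP-owned traits; and that the identity is written back with PUT /admin/identities/{id} carrying schema_id, state and traits. The function names jwtExpiry, call and syncIdentity are illustrative. Because Kratos only stores the tokens captured at registration, the example checks the token's exp claim before contacting the provider and refuses to apply claims whose sub does not match the stored subject.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// identity is the subset of GET /admin/identities/{id}?include_credential=oidc that the hook needs.
// The credential layout (config.providers[].subject, initial_access_token) is an assumption about
// what Kratos stores at registration; check the field names against an export of your own identity.
type identity struct {
	SchemaID    string                 `json:"schema_id"`
	State       string                 `json:"state"`
	Traits      map[string]interface{} `json:"traits"`
	Credentials map[string]struct {
		Config struct {
			Providers []struct {
				Subject            string `json:"subject"`
				InitialAccessToken string `json:"initial_access_token"`
			} `json:"providers"`
		} `json:"config"`
	} `json:"credentials"`
}

// jwtExpiry reads exp from an unverified JWT payload; ok is false for opaque tokens or tokens without
// exp. The signature is deliberately not checked: the value only decides whether calling userinfo is worth it.
func jwtExpiry(tok string) (time.Time, bool) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return time.Time{}, false
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Exp int64 } // encoding/json matches the "exp" key case-insensitively
	if err != nil || json.Unmarshal(payload, &claims) != nil || claims.Exp == 0 {
		return time.Time{}, false
	}
	return time.Unix(claims.Exp, 0), true
}

// call performs one JSON request against Kratos or the provider; bearer and body may be empty.
func call(c *http.Client, method, url, bearer, body string, out interface{}) error {
	req, err := http.NewRequest(method, url, strings.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// syncIdentity is the hook body: fetch the identity with its OIDC credential, ask the provider's userinfo
// endpoint for fresh claims, and PUT the merged traits back. Assumes one OIDC provider (Dex) per identity.
func syncIdentity(c *http.Client, kratosAdmin, userinfoURL, id string, now time.Time) (map[string]interface{}, error) {
	var ident identity
	url := kratosAdmin + "/admin/identities/" + id
	if err := call(c, http.MethodGet, url+"?include_credential=oidc", "", "", &ident); err != nil {
		return nil, err
	}
	provs := ident.Credentials["oidc"].Config.Providers
	if len(provs) != 1 {
		return nil, fmt.Errorf("identity %s: expected one oidc provider, found %d", id, len(provs))
	}
	prov := provs[0]
	// Kratos keeps only the tokens captured at registration; refuse early rather than send a stale bearer.
	if exp, ok := jwtExpiry(prov.InitialAccessToken); ok && !now.Before(exp) {
		return nil, fmt.Errorf("identity %s: stored access token expired at %s", id, exp.UTC().Format(time.RFC3339))
	}
	var claims map[string]interface{}
	if err := call(c, http.MethodGet, userinfoURL, prov.InitialAccessToken, "", &claims); err != nil {
		return nil, err
	}
	// Only accept claims for the subject this credential was registered with.
	if sub, _ := claims["sub"].(string); sub != prov.Subject {
		return nil, fmt.Errorf("identity %s: userinfo sub %q does not match stored subject %q", id, sub, prov.Subject)
	}
	for _, key := range []string{"email", "groups"} { // the LDAP-owned traits (assumption)
		if v, ok := claims[key]; ok {
			ident.Traits[key] = v
		}
	}
	body, _ := json.Marshal(map[string]interface{}{"schema_id": ident.SchemaID, "state": ident.State, "traits": ident.Traits})
	// Kratos answers PUT with the stored identity; decode it so the caller sees what was persisted.
	if err := call(c, http.MethodPut, url, "", string(body), &ident); err != nil {
		return nil, err
	}
	return ident.Traits, nil
}
```

To drive this from a login, wire syncIdentity behind an HTTP endpoint and register that endpoint as a web_hook under the login flow's after-OIDC hooks in the Kratos configuration, with a Jsonnet body such as function(ctx) { identity_id: ctx.identity.id }; the hook service then calls syncIdentity for that id. Note that the admin API must only be reachable from the hook service, since the response with include_credential=oidc contains the stored tokens.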