Skip to main content

Overview

Thanks to social sign-in, users can use their existing accounts from providers such as Google, Slack, or Facebook for sign-up and sign-in in your application.

The Ory Network provides convenient, GUI-based flows for adding new social sign-in providers through the Ory Console. Each flow is custom-tailored to accommodate configuration requirements of the specific identity provider. Alternatively, you can use the Ory CLI to add and configure social sign-in providers.

By signing up with external identity providers, users give Ory access to the profile data of the account created in the external identity provider. This data is used to create an Ory identity and a user account in your application

Allowing users to use their existing accounts with your application removes the friction that comes with having to remember another set of credentials and makes the decision to sign up much easier.

Adding social sign-in providers relies on OAuth2 and OpenID Connect.

Preventing account linking

If you enable multiple registration methods, users can link their existing accounts to social sign-in provider accounts after email verification.

Linking accounts is an operation that users must perform manually from their account settings.

info

Automatic account linking is not available in Ory as it creates an attack vector that hackers can use to steal user accounts. Read this section to learn more.

To disable account linking, add the session hook after one of the registration methods (for example password):

selfservice:
flows:
registration:
after:
password:
hooks:
- hook: session

Dangers of automatic account linking

While convenient for users, automatic account linking creates an attack vector that can allow malicious actors to steal user accounts.

To better understand the danger, consider the following scenario:

  • Your application allows users to create new accounts or sign in with ACME - a well-known social sign-in provider.
  • John creates a new account in your application using his john@doe.com email.
  • Malicious actors know that John uses john@doe.com to sign in to his account in your app.
  • Malicious actors create an ACME account for john@doe.com.
  • Malicious actors sign up in your application using the ACME account created for the john@doe.com account.
  • Your system uses the default behavior and when it detects two accounts with the same identifier, malicious actors are asked to link the accounts.
  • Malicious actors link the accounts.
  • Malicious actors get access to the account that John created manually using his john@doe.com email.
danger

Since it constitutes a security threat, automatic account linking is not available in Ory.

Prevent having to log in after sign-up

When adding social sign-in providers manually, remember to add the session hook to after/oidc/hooks. If you don't add this hook, users will have to log in again after signing up to get a session.

selfservice:
flows:
registration:
after:
oidc:
hooks:
- hook: session