Olympus Docs

Add Facebook as a social login provider

Configure Facebook OAuth as an alternate login method

Step 1: Register Facebook App

  1. Facebook Developers → Create App → Consumer.
  2. Add Facebook Login product.
  3. Settings → Basic → note App ID, App Secret.
  4. Facebook Login → Settings → Valid OAuth Redirect URIs: https://ciam.your-domain/self-service/methods/oidc/callback/facebook.

Step 2: Configure Kratos

selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: facebook
            provider: facebook
            client_id: <facebook-app-id>
            client_secret: <facebook-app-secret>
            scope: [email, public_profile]
            mapper_url: file:///etc/config/kratos/oidc.facebook.jsonnet

oidc.facebook.jsonnet:

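local claims = std.extVar('claims');
{
  identity: {
    traits: {
      // Facebook omits the email claim for accounts registered with a phone
      // number, so only set the trait when the claim is present.
      [if 'email' in claims then 'email' else null]: claims.email,
      name: { first: claims.given_name, last: claims.family_name },
    },
  },
}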
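
A pre-deployment check that ties Step 1 to Step 2, added here as an example (not part of Olympus or Kratos): it derives the callback URL from the provider id and confirms it is registered with Facebook. The function names, the sample values and the exact-string comparison are assumptions.

```python
from urllib.parse import urlsplit

# Path Kratos serves OIDC callbacks on; the provider id is the last segment.
CALLBACK_PREFIX = "/self-service/methods/oidc/callback/"


def expected_callback(base_url: str, provider_id: str) -> str:
    """Callback URL for a provider id under the public base URL."""
    return base_url.rstrip("/") + CALLBACK_PREFIX + provider_id


def check_provider(provider: dict, base_url: str, registered_uris: list[str]) -> list[str]:
    """Return findings for one entry under oidc.config.providers."""
    findings = []
    callback = expected_callback(base_url, provider["id"])
    if urlsplit(callback).scheme != "https":
        findings.append(f"callback {callback} is not HTTPS")
    # Assumption: the registered URI has to match the callback exactly.
    if callback not in registered_uris:
        findings.append(f"{callback} is not in Valid OAuth Redirect URIs")
    if "email" not in provider.get("scope", []):
        findings.append("scope lacks 'email', so the mapper gets no email claim")
    for key in ("client_id", "client_secret"):
        value = provider.get(key, "")
        if not value or value.startswith("<"):
            findings.append(f"{key} is empty or still a placeholder")
    return findings


# Constructed sample values, mirroring the configuration in Step 2.
SAMPLE_PROVIDER = {
    "id": "facebook",
    "provider": "facebook",
    "client_id": "1234567890",            # constructed
    "client_secret": "constructed-secret",  # constructed
    "scope": ["email", "public_profile"],
}
SAMPLE_BASE_URL = "https://ciam.your-domain"
SAMPLE_REGISTERED = [
    "https://ciam.your-domain/self-service/methods/oidc/callback/facebook",
]

if __name__ == "__main__":
    for finding in check_provider(SAMPLE_PROVIDER, SAMPLE_BASE_URL, SAMPLE_REGISTERED):
        print("FINDING:", finding)
```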

App review

For production, Facebook requires an App Review to grant the email scope to non-test users. Plan for this; it can take days.

For internal-org / test use, add specific test users in the Facebook app dashboard.

Caveats

  • Some Facebook users have no email because they signed up with a phone number. For these users the OIDC flow returns no email claim. Handle this by prompting for an email address post-login.
  • Olympus does not trust email_verified; Kratos always runs its own verification.
