Add a generic OIDC provider
Any standards-compliant OIDC provider Kratos doesn't have built-in support for
Kratos supports many providers natively (Google, GitHub, Microsoft, etc.). For anything else with a standard .well-known/openid-configuration, use the generic provider type.
Step 1: Confirm the provider speaks OIDC
curl https://your-provider.example/.well-known/openid-configuration

This should return JSON containing at least issuer, authorization_endpoint, token_endpoint, userinfo_endpoint and jwks_uri. Check the issuer value carefully: it must be exactly the string you will put in issuer_url in Step 3 (same scheme, same host, same trailing-slash handling), because Kratos's OIDC client compares the two and refuses the provider if they differ.
If the document is missing or lacks these fields, the provider isn't standards-compliant OIDC, the generic provider type will not work, and you'd need a more involved bridge.
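As an added example (not code from the page or from Ory Kratos), the checks above scripted so they can run before touching the Kratos config: required fields present, issuer byte-for-byte equal to the configured issuer_url, every endpoint on https, the authorization-code flow and requested scopes advertised where the provider lists them, and whether the provider honours the OIDC claims request parameter. The two discovery documents are constructed inline; the hostname your-provider.example and the endpoint paths are assumptions.

```python
# Added example, not from the page or Ory Kratos: pre-flight validation of an
# OIDC discovery document before configuring it as a Kratos generic provider.
import json
import urllib.request
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# The fields Kratos needs from the document (the same five the curl check looks for).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def fetch_discovery(issuer_url, timeout=5.0):
    """Fetch issuer_url + well-known path (network; the offline sample below skips this)."""
    with urllib.request.urlopen(issuer_url.rstrip("/") + DISCOVERY_PATH, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(issuer_url, doc, scopes=("openid", "email", "profile")):
    """Return a list of problems; an empty list means the provider looks usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not doc.get(key):
            problems.append("missing " + key)
    # Exact string comparison, as the OIDC client library behind Kratos does it:
    # a stray trailing slash or http vs https on either side is a hard failure.
    issuer = doc.get("issuer")
    if issuer and issuer != issuer_url:
        problems.append("issuer mismatch: config %r vs document %r" % (issuer_url, issuer))
    for key in REQUIRED_KEYS[1:]:
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append("%s is not https: %s" % (key, url))
    # Kratos runs the authorization-code flow, so 'code' must be offered when the
    # provider lists its response types (the field is optional in discovery).
    response_types = doc.get("response_types_supported")
    if response_types is not None and "code" not in response_types:
        problems.append("response_types_supported lacks 'code'")
    supported = doc.get("scopes_supported")
    if supported is not None:
        for scope in scopes:
            if scope not in supported:
                problems.append("scope %r not in scopes_supported" % scope)
    return problems


def supports_claims_parameter(doc):
    """True if the provider honours the OIDC 'claims' request parameter (spec default: false)."""
    return bool(doc.get("claims_parameter_supported", False))


# Constructed sample documents (assumed hostname and paths, not a real provider).
ISSUER_URL = "https://your-provider.example"

GOOD_DOC = {
    "issuer": "https://your-provider.example",
    "authorization_endpoint": "https://your-provider.example/oauth2/authorize",
    "token_endpoint": "https://your-provider.example/oauth2/token",
    "userinfo_endpoint": "https://your-provider.example/oauth2/userinfo",
    "jwks_uri": "https://your-provider.example/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_parameter_supported": True,
}

# Same provider with the mistakes seen most often: trailing slash on the issuer,
# a plaintext JWKS URL, no userinfo endpoint and a scope it does not offer.
BAD_DOC = {
    "issuer": "https://your-provider.example/",
    "authorization_endpoint": "https://your-provider.example/oauth2/authorize",
    "token_endpoint": "https://your-provider.example/oauth2/token",
    "jwks_uri": "http://your-provider.example/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email"],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(ISSUER_URL, doc) or "ok")
```

Against a live provider, replace the sample with fetch_discovery(ISSUER_URL) and keep the string you passed in as the value you later write into issuer_url; an issuer mismatch reported here is the same mismatch Kratos will log at startup.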
Step 2: Register your app with the provider
Provider-specific. Usually:
- Application type: web.
- Redirect URI: https://ciam.your-domain/self-service/methods/oidc/callback/myprovider. This is Kratos's public base URL followed by the provider id you choose in Step 3; providers match the registered value exactly, so no trailing slash or port differences.
- Allowed scopes: openid, email, profile, plus anything provider-specific you need.
Note the Client ID and Client Secret the provider issues; you need both for the Kratos config.
Step 3: Configure Kratos
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: myprovider
            provider: generic
            issuer_url: https://your-provider.example
            client_id: <client-id>
            client_secret: <client-secret>
            scope: [openid, email, profile]
            mapper_url: file:///etc/config/kratos/oidc.myprovider.jsonnet

The id is the last path segment of the callback URL registered in Step 2, and issuer_url must equal the issuer field from Step 1 exactly. Don't commit the client secret in this file; Kratos also reads configuration from environment variables, so the committed config can leave client_secret to be supplied at deploy time.
Step 4: Claim mapping
// Claims from the provider's ID token, as passed in by Kratos.
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      // The provider's email becomes the identity's email trait.
      email: claims.email,
      name: {
        // Optional claims: only present if the provider returns them.
        first: if 'given_name' in claims then claims.given_name else null,
        last: if 'family_name' in claims then claims.family_name else null,
      },
    },
  },
}

Adjust based on what claims your provider actually returns; the ID token is what Kratos hands to the mapper, so run a sample login and inspect it. If the provider also returns email_verified, treat email as usable only when that flag is true: for providers that don't verify addresses, anything downstream that trusts the email trait will otherwise trust an address the provider never checked.
Step 5: Test
Initiate a flow:
GET https://ciam.your-domain/self-service/login/browser?provider=myprovider

Submitting the OIDC method for myprovider in that flow should redirect the browser to the authorization_endpoint from Step 1, with a redirect_uri query parameter equal to the callback URL registered in Step 2 and a state parameter that Kratos checks on return. If the provider shows a redirect-URI error instead, the registered value and the callback differ somewhere; if Kratos fails before redirecting, check its logs for an issuer mismatch or an unreachable discovery document.
Custom claim mapping
For providers returning unusual claims (e.g. the email nested under account.primary_email), use Jsonnet expressions to reach into the claim object:
email: claims.account.primary_email

Or, if the ID token doesn't carry everything, ask the provider to return the claim via userinfo using requested_claims:
- id: myprovider
  provider: generic
  scope: [openid, email]
  requested_claims:
    userinfo:
      email:
        essential: true

This sends the OIDC claims request parameter on the authorization request. Providers are only obliged to honour it if their discovery document advertises claims_parameter_supported: true; otherwise it is silently ignored and the claim stays missing.