Automatically link identities same provider

[nzapponi]

Hi,
I have a challenge I'm facing with automatically linking OIDC identities.

I have a mobile & web project with Google Sign In enabled. On mobile, I have an iOS and an Android app, with their respective native libraries, while on web I'm using the standard OIDC flow.

This means that my setup (if I understand Kratos correctly) is made of 3 providers: google (for web), google_ios and google_android. Each is configured with the client ID and secret required by Google.

Now, the challenge is that if a user signs in with Google on iOS and then tries again on web, it fails, since according to Kratos it's two different providers. And I can't even prompt the user to link them, as they wouldn't have access to native clients on web (and vice versa).

I'm looking for a way to either automatically link identities across the same underlying provider, or alternatively configure one provider such that it supports all three platforms (web, iOS and Android).

Any suggestions? Thanks

[jonas-jonas]

This means that my setup (if I understand Kratos correctly) is made of 3 providers

It shouldn't be necessary to define 3 different providers. If you're using the native OIDC sign in using id_tokens, you can specify the identifier of your app in the additional_id_token_audiences config option of the provider. See https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps

[nzapponi]

Thanks! But isn't the Client ID supposed to match each of the native platforms? That's why I created three providers in the first place.
The instructions say

Configure a Google social sign-in provider in Ory using the same client_id as used in your native app.

Which Client ID should I use? A sample setup would be very helpful! Thanks

[vinckr]

Hey @nzapponi

At the top of the document is a step-by-step guide for adding Google as OIDC.
You want to use the client_id that you get in step 6. As far as I know you can use that one for everything.

[nzapponi]

Thanks! It worked.
To clarify the solution, I had to do the following:

1. Create a web app, an iOS app and an Android app in Google Cloud
2. Set up the OIDC provider in Kratos using the web client credentials
3. Add both the app bundle IDs and the iOS and Android client IDs under additional_id_token_audiences

Not sure if all of them need to be added, but at least for iOS the ID token I was getting after implementing the @react-native-google-signin/google-signin package had the audience set to the iOS client ID, not the app's bundle ID.

It may be worth improving the documentation on this one?

Thanks a lot for the help!

[vinckr]

Thanks for sharing your solution!
It would definitely be good to document this. I am a bit out of the topic, but if you feel up to it I would be happy to guide you. Otherwise putting it on the backlog for docs, probably to be adressed next quarter.