Get social sign-in provider tokens
You can get the OIDC / OAuth 2.0 access, refresh, and ID tokens issued for the identity by social sign-in providers.
These tokens are issued only when the Identity:
- Signs up with a social sign-in provider.
- Links a new social sign-in provider to their account.
Run this command to get the Identity details that include the social sign-in provider tokens:
- Ory CLI
- cURL
- JavaScript
- Go
# Fetch one identity through the Ory CLI with its "oidc" credentials included.
# Replace {identity.id} and {project.id} with your own values.
# The YAML this prints contains the provider access, refresh and ID tokens,
# so keep it out of shared terminals, CI logs and committed files.
ory get identity "{identity.id}" --project "{project.id}" \
-i oidc --format yaml
# Read one identity from the admin API and ask for its "oidc" credentials.
# Replace {ORY_API_KEY}, {project.slug} and <identity_id> with your own values.
# The API key authorizes the /admin/ endpoint and the response body carries the
# provider tokens: a key typed literally on the command line ends up in shell
# history, so prefer supplying it from an environment variable.
curl --silent --location --request GET \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer {ORY_API_KEY}" \
  'https://{project.slug}.projects.oryapis.com/admin/identities/<identity_id>?include_credential=oidc'
// Copyright © 2022 Ory Corp
// SPDX-License-Identifier: Apache-2.0
import { Configuration, IdentityApi } from "@ory/client"
// Connection settings for the project's API, both taken from the environment:
// ORY_PROJECT_SLUG selects the project host, ORY_API_KEY is sent as the access token.
// NOTE(review): neither variable is checked here; an unset slug produces the
// host "undefined.projects.oryapis.com" and an unset key an unauthenticated client.
const oryConfiguration = new Configuration({
  basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
  accessToken: process.env.ORY_API_KEY,
})

// Identity API client shared by the functions in this module.
const identity = new IdentityApi(oryConfiguration)
/**
 * Fetches an identity with its "oidc" credentials included.
 *
 * Despite the name, the resolved value is the whole identity object returned
 * by the API (`data`), not only the tokens. The object contains the provider
 * access, refresh and ID tokens, so callers should not log or cache it as-is.
 *
 * @param identityId ID of the identity to read.
 * @returns The `data` payload of the getIdentity response.
 */
export async function getTokens(identityId: string) {
  const response = await identity.getIdentity({
    id: identityId,
    includeCredential: ["oidc"],
  })
  return response.data
}
// Copyright © 2022 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package main
import (
"context"
"fmt"
"github.com/ory/client-go"
"os"
)
var (
	// ory is the shared API client. It is nil until init assigns it.
	ory *client.APIClient

	// authed is the context passed to authenticated calls: it carries the value
	// of ORY_API_KEY under client.ContextAccessToken. The variable is read once,
	// during package initialisation; if it is unset the token is the empty string.
	authed = context.WithValue(context.Background(), client.ContextAccessToken, os.Getenv("ORY_API_KEY"))
)
// init builds the package-level client and points it at the project's API host,
// which is derived from the ORY_PROJECT_SLUG environment variable.
//
// NOTE(review): the slug is not validated; when the variable is unset the
// server URL becomes "https://.projects.oryapis.com" and the problem only
// surfaces on the first request.
func init() {
	projectURL := fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))

	conf := client.NewConfiguration()
	conf.Servers = client.ServerConfigurations{{URL: projectURL}}

	ory = client.NewAPIClient(conf)
}
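// getTokens reads the identity with the given ID, asking the API to include its
// "oidc" credentials, and returns that credentials entry.
//
// The returned value holds the provider access, refresh and ID tokens, so
// callers should keep it out of logs and error messages.
//
// An error is returned when the API call fails or when the response carries no
// credentials map at all. If credentials are present but contain no "oidc"
// entry, the zero value is returned with a nil error, as before.
func getTokens(identityId string) (cl client.IdentityCredentials, err error) {
	identity, _, err := ory.IdentityApi.
		GetIdentity(authed, identityId).
		IncludeCredential([]string{"oidc"}).Execute()
	if err != nil {
		return cl, err
	}

	// Credentials is a pointer to a map; dereferencing it unchecked panics when
	// the response omits the field.
	if identity.Credentials == nil {
		return cl, fmt.Errorf("identity %q: response contains no credentials", identityId)
	}

	return (*identity.Credentials)["oidc"], nil
}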
When the call is successful, the system returns the Identity details with the available social sign-in provider tokens:
{
"id": "IDENTITY_ID",
"credentials": {
"oidc": {
"type": "oidc",
"identifiers": [
"google:some-user",
"github:another-user"
],
"config": {
"providers": [
{
"subject": "some-user",
"provider": "google",
"initial_access_token": "********************",
"initial_refresh_token": "********************",
"initial_id_token": "********************"
},
{
"subject": "another-user",
"provider": "github",
"initial_access_token": "********************",
"initial_refresh_token": "********************",
"initial_id_token": "********************"
}
]
},
"created_at": "2022-10-08T12:17:18.834351+02:00",
"updated_at": "2022-10-08T12:17:18.834351+02:00"
}
},
"schema_id": "default",
"schema_url": "SCHEMA_URL",
"state": "active",
"state_changed_at": "2022-10-08T12:17:18.83324+02:00",
"traits": {
"subject": "foo.oidc@bar.com"
},
"verifiable_addresses": [
{
"id": "88da96df-0457-4d69-832d-5e70ef25055c",
"value": "foo.oidc@bar.com",
"verified": false,
"via": "",
"status": "",
"verified_at": null,
"created_at": "2022-10-08T12:17:18.83324+02:00",
"updated_at": "2022-10-08T12:17:18.834202+02:00"
}
],
"created_at": "2022-10-08T12:17:18.834043+02:00",
"updated_at": "2022-10-08T12:17:18.834043+02:00"
}
Encryption
By default, the Ory Network encrypts these tokens at rest using XChaCha20-Poly1305.