Skip to main content

Learn how to get OIDC/OAuth 2.0 access, refresh, and ID tokens issued by social sign-in providers

You can get the OIDC / OAuth 2.0 access, refresh, and ID tokens issued for the identity by social sign-in providers.

These tokens are issued only when the Identity:

  • Signs up with a social sign-in provider.
  • Links a new social sign-in provider to their account.

Run this command to get the Identity details that include the social sign-in provider tokens:

Use the Ory CLI:

ory get identity <IDENTITY_ID> --project <ORY_CLOUD_PROJECT_ID> -i oidc --format yaml

Alternatively, call the API:

curl --request GET -sL \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <ORY_PERSONAL_ACCESS_TOKEN>" \
'https://<project-slug>.projects.oryapis.com/admin/identities/<identity_id>?include_credential=oidc'
info

When calling the API directly, you must include a valid Personal Access Token (PAT) created for the project with the requested Identity in the call.

To get a PAT, sign in at console.ory.sh, select Connect from the left navigation panel, and create a new token in the Personal Access Tokens section.

When the call is successful, the system returns the Identity details with the available social sign-in provider tokens:

{
"id": "IDENTITY_ID",
"credentials": {
"oidc": {
"type": "oidc",
"identifiers": [
"google:some-user"
"github:another-user"
],
"config": {
"providers": [
{
"subject": "some-user",
"provider": "google",
"initial_access_token": "********************",
"initial_refresh_token": "********************",
"initial_id_token": "********************",
},
{
"subject": "another-user",
"provider": "github",
"initial_access_token": "********************",
"initial_refresh_token": "********************",
"initial_id_token": "********************",
}
]
},
"created_at": "2022-10-08T12:17:18.834351+02:00",
"updated_at": "2022-10-08T12:17:18.834351+02:00"
}
},
"schema_id": "default",
"schema_url": "SCHEMA_URL",
"state": "active",
"state_changed_at": "2022-10-08T12:17:18.83324+02:00",
"traits": {
"subject": "foo.oidc@bar.com"
},
"verifiable_addresses": [
{
"id": "88da96df-0457-4d69-832d-5e70ef25055c",
"value": "foo.oidc@bar.com",
"verified": false,
"via": "",
"status": "",
"verified_at": null,
"created_at": "2022-10-08T12:17:18.83324+02:00",
"updated_at": "2022-10-08T12:17:18.834202+02:00"
}
],
"created_at": "2022-10-08T12:17:18.834043+02:00",
"updated_at": "2022-10-08T12:17:18.834043+02:00"
}

Encryption

By default, tokens are stored as plain text recorded with the default Noop cipher.

To increase the security, you can choose to encode the tokens with AES or XChaCha20 Poly1305 ciphers. Read this document to learn how to choose the cipher.