Get social sign-in provider tokens
You can get the OIDC / OAuth 2.0 access, refresh, and ID tokens issued for the identity by social sign-in providers.
These tokens are issued only when the Identity:
- Signs up with a social sign-in provider.
- Links a new social sign-in provider to their account.
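Run one of the following to get the Identity details that include the social sign-in provider tokens. Each variant calls the admin identity endpoint and is authorized with an Ory API key, so run it only from a trusted backend or operator environment: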
- Ory CLI
- cURL
- JavaScript
- Go
# Look up one identity and include its "oidc" credentials in the output.
# The YAML written to the terminal contains the provider tokens, so keep it
# out of shared terminals, CI logs and pasted transcripts.
ory get identity "{identity.id}" \
  --project "{project.id}" \
  -i oidc \
  --format yaml
# Admin API read of one identity with its "oidc" credentials included.
# {ORY_API_KEY} is a placeholder: a key typed inline on the command line ends
# up in shell history and is visible in the process list while curl runs.
# The response body contains the provider tokens.
curl --silent --location \
  --request GET \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer {ORY_API_KEY}" \
  'https://{project.slug}.projects.oryapis.com/admin/identities/<identity_id>?include_credential=oidc'
import { Configuration, IdentityApi } from "@ory/client"
// Client configuration for the Ory project named by ORY_PROJECT_SLUG.
// ORY_API_KEY is handed to the client as its access token, so this module
// belongs in server-side code only and must not be bundled for the browser.
const oryConfiguration = new Configuration({
  basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
  accessToken: process.env.ORY_API_KEY,
})

// Shared IdentityApi instance used by the helpers in this module.
const identity = new IdentityApi(oryConfiguration)
/**
 * Fetches one identity with its "oidc" credentials included.
 *
 * The resolved value is the `data` field of the API response, unchanged.
 * Because the request asks for `includeCredential: ["oidc"]`, that object
 * carries the social sign-in provider tokens: treat it as secret material and
 * keep it out of logs and out of anything sent to the browser.
 *
 * @param identityId ID of the identity to look up.
 * @returns The response body of the identity lookup.
 */
export async function getTokens(identityId: string) {
  const { data } = await identity.getIdentity({
    id: identityId,
    includeCredential: ["oidc"],
  })
  return data
}
package main
import (
	"context"
	"fmt"
	"github.com/ory/client-go"
	"os"
)
var (
	// ory is the shared API client; init assigns it.
	ory *client.APIClient

	// authed is the request context that carries ORY_API_KEY as the access
	// token. If the variable is unset the token is the empty string.
	authed = context.WithValue(context.Background(), client.ContextAccessToken, os.Getenv("ORY_API_KEY"))
)
// init builds the package-level API client and points it at the project URL
// derived from the ORY_PROJECT_SLUG environment variable.
func init() {
	projectURL := fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))

	cfg := client.NewConfiguration()
	cfg.Servers = client.ServerConfigurations{{URL: projectURL}}
	ory = client.NewAPIClient(cfg)
}
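// getTokens fetches the identity with its "oidc" credentials included and
// returns that credentials entry.
//
// The returned value holds the social sign-in provider tokens; handle it as a
// secret and keep it out of logs and error messages.
//
// An error is returned when the API call fails, or when the response carries
// no "oidc" credentials (for example, the identity never signed up with or
// linked a social sign-in provider).
func getTokens(identityId string) (cl client.IdentityCredentials, err error) {
	identity, _, err := ory.IdentityApi.
		GetIdentity(authed, identityId).
		IncludeCredential([]string{"oidc"}).Execute()
	if err != nil {
		return cl, err
	}
	// Credentials is a pointer; dereferencing it unchecked panics when the
	// response has no credentials section.
	if identity == nil || identity.Credentials == nil {
		return cl, fmt.Errorf("identity %q: no credentials in response", identityId)
	}
	oidc, ok := (*identity.Credentials)["oidc"]
	if !ok {
		// Report the missing entry instead of handing back a zero value that
		// looks like a successful lookup.
		return cl, fmt.Errorf("identity %q: no oidc credentials", identityId)
	}
	return oidc, nil
}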
When the call is successful, the system returns the Identity details with the available social sign-in provider tokens (the token values are masked with asterisks in this example):
{
  "id": "IDENTITY_ID",
  "credentials": {
    "oidc": {
      "type": "oidc",
      "identifiers": [
        "google:some-user",
        "github:another-user"
      ],
      "config": {
        "providers": [
          {
            "subject": "some-user",
            "provider": "google",
            "initial_access_token": "********************",
            "initial_refresh_token": "********************",
            "initial_id_token": "********************"
          },
          {
            "subject": "another-user",
            "provider": "github",
            "initial_access_token": "********************",
            "initial_refresh_token": "********************",
            "initial_id_token": "********************"
          }
        ]
      },
      "created_at": "2022-10-08T12:17:18.834351+02:00",
      "updated_at": "2022-10-08T12:17:18.834351+02:00"
    }
  },
  "schema_id": "default",
  "schema_url": "SCHEMA_URL",
  "state": "active",
  "state_changed_at": "2022-10-08T12:17:18.83324+02:00",
  "traits": {
    "subject": "foo.oidc@bar.com"
  },
  "verifiable_addresses": [
    {
      "id": "88da96df-0457-4d69-832d-5e70ef25055c",
      "value": "foo.oidc@bar.com",
      "verified": false,
      "via": "",
      "status": "",
      "verified_at": null,
      "created_at": "2022-10-08T12:17:18.83324+02:00",
      "updated_at": "2022-10-08T12:17:18.834202+02:00"
    }
  ],
  "created_at": "2022-10-08T12:17:18.834043+02:00",
  "updated_at": "2022-10-08T12:17:18.834043+02:00"
}
Encryption
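By default, the Ory Network encrypts these tokens at rest using XChaCha20-Poly1305. Encryption at rest does not cover the API response: the identity lookup shown above returns the tokens to the caller, so the API key and the response need the same protection as the tokens themselves.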