| 1 | +--- |
| 2 | +id: dingtalk |
| 3 | +title: DingTalk |
| 4 | +--- |
| 5 | + |
| 6 | +## Configuration using the Ory CLI |
| 7 | + |
| 8 | +Follow these steps to add DingTalk as a social sign-in provider to your Ory Cloud project using the Ory CLI: |
| 9 | + |
| 10 | +1. [Create a DingTalk OAuth app](https://open-dev.dingtalk.com/fe/app#/corp/app). |
| 11 | +2. In the created app, set the redirect URI to: |
| 12 | + |
| 13 | +```shell |
| 14 | +https://<ory-cloud-project-slug>.projects.oryapis.com/self-service/methods/oidc/callback/dingtalk |
| 15 | +``` |
| 16 | + |
| 17 | +<a name="mapping"></a> |
| 18 | +3. Create a Jsonnet code snippet to map the desired claims to the Ory Identity schema. |
| 19 | +Specific information [DingTalk's User API](https://open.dingtalk.com/document/orgapp-server/dingtalk-retrieve-user-information) can be viewed. |
| 20 | + |
| 21 | +```json |
| 22 | +local claims = std.extVar('claims'); |
| 23 | +{ |
| 24 | + identity: { |
| 25 | + traits: { |
| 26 | + // Allowing unverified email addresses enables account |
| 27 | + // enumeration attacks, especially if the value is used for |
| 28 | + // e.g. verification or as a password login identifier. |
| 29 | + // |
| 30 | + // Therefore we only return the email if it (a) exists by DingTalk. |
| 31 | + [if "email" in claims then "email" else null]: claims.email, |
| 32 | + }, |
| 33 | + }, |
| 34 | +} |
| 35 | +``` |
| 36 | + |
| 37 | +```mdx-code-block |
| 38 | +import JsonnetWarning from '../../_common/jsonnetwarning.mdx' |
| 39 | +
|
| 40 | +<JsonnetWarning format="Jsonnet code snippets" use="data mapping" /> |
| 41 | +``` |
| 42 | + |
| 43 | +4. Encode the Jsonnet snippet with [Base64](https://www.base64encode.org/) or host it under an URL accessible to Ory Cloud. |
| 44 | +5. Download the Identity Service config from your Ory Cloud project and save it to a file: |
| 45 | + |
| 46 | +```shell |
| 47 | +## List all available projects |
| 48 | +ory list projects |
| 49 | + |
| 50 | +## Get config |
| 51 | +ory get identity-config <project-id> --format yaml > identity-config.yaml |
| 52 | +``` |
| 53 | + |
| 54 | +<a name="config"></a> |
| 55 | +6. Add the social sign-in provider configuration to the downloaded config. Add the Jsonnet snippet with mappings as a Base64 |
| 56 | + string or provide an URL to the file. |
| 57 | + |
| 58 | +```yaml |
| 59 | +selfservice: |
| 60 | + methods: |
| 61 | + oidc: |
| 62 | + enabled: true |
| 63 | + config: |
| 64 | + providers: |
| 65 | + - id: dingtalk # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET! |
| 66 | + provider: dingtalk |
| 67 | + client_id: .... # Replace this with the OAuth2 Client ID provided by DingTalk |
| 68 | + client_secret: .... # Replace this with the OAuth2 Client Secret provided by DingTalk |
| 69 | + mapper_url: 'base64://<YOUR_BASE64_ENCODED_JSONNET_HERE>' |
| 70 | + # Alternatively, use an URL: |
| 71 | + # mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17f22ce7f4295c739604b183f05ac4afb4 |
| 72 | + scope: |
| 73 | + # DingTalk supports only the `openid` or `openid corpid` scopes. For a basic setup, use the `openid` scope. |
| 74 | + # To learn more about the scopes available for DingTalk, read the [related documentation](https://open.dingtalk.com/document/orgapp-server/tutorial-obtaining-user-personal-information). |
| 75 | + - openid |
| 76 | +``` |
| 77 | +
|
| 78 | +7. Update the Ory Cloud Identity Service configuration using the file you worked with: |
| 79 | +
|
| 80 | +```shell |
| 81 | +ory update identity-config <project-id> --file updated_config.yaml |
| 82 | +``` |
| 83 | + |
| 84 | +## Configuration for Self-hosted Instances |
| 85 | + |
| 86 | +Follow these steps to add DingTalk as a social sign-in provider when self-hosting Ory Kratos: |
| 87 | + |
| 88 | +1. [Create a DingTalk OAuth app](https://open-dev.dingtalk.com/fe/app#/corp/app). |
| 89 | +2. Set the redirect URI to URL that follows this pattern: |
| 90 | + |
| 91 | +```shell |
| 92 | +http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/dingtalk |
| 93 | +``` |
| 94 | + |
| 95 | +3. Create a [Jsonnet code snippet to map the desired claims to the Ory Identity schema](#mapping). |
| 96 | +4. Encode the Jsonnet snippet with [Base64](https://www.base64encode.org/) or store it in a location available to your Ory Kratos |
| 97 | + instance. |
| 98 | +5. Add the social [sign-in provider configuration to the Ory Kratos configuration](#config). Add the Jsonnet snippet with mappings |
| 99 | + as a Base64 string or provide a path or an URL of the file. |
| 100 | + |
| 101 | +```mdx-code-block |
| 102 | +import ConfigAsEnv from '../_common/config_as_env.mdx' |
| 103 | +
|
| 104 | +<ConfigAsEnv /> |
| 105 | +``` |
| 106 | + |
| 107 | +## Prevent Having to Login after Sign-Up |
| 108 | + |
| 109 | +```mdx-code-block |
| 110 | +import OidcSessionHook from '../_common/oidc_session_hook.mdx' |
| 111 | +
|
| 112 | +<OidcSessionHook /> |
| 113 | +``` |
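Review bot: step 7 runs `ory update identity-config <project-id> --file updated_config.yaml`, but step 5 saved the config as `identity-config.yaml`, so the two commands cannot be run back to back as written; use the same filename in both, e.g. `ory update identity-config <project-id> --file identity-config.yaml`. Further points on the same hunk: the Jsonnet comment ends "only return the email if it (a) exists by DingTalk" with no "(b)", and since the snippet only checks `"email" in claims` and never a verified flag, the enumeration warning above it is not actually enforced; either say plainly that the DingTalk email is passed through unverified and must not be used as a password login identifier or verification target, or drop the email trait. The two mdx imports use different relative depths (`../../_common/jsonnetwarning.mdx` vs `../_common/config_as_env.mdx`) from the same file, so unless two `_common` directories exist one of them will fail to resolve. The Jsonnet snippet is fenced as `json`, which it is not (comments, `std.extVar`); tag it `jsonnet`. Finally, "Specific information DingTalk's User API can be viewed." and "Set the redirect URI to URL that follows this pattern" need rewording, e.g. "See DingTalk's User API for the available fields." and "Set the redirect URI to a URL that follows this pattern:".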