Delete OIDC credential resulting "You can't remove first factor credentials."

[luanfrv0]

I'm implementing a dashboard that enables admins to unlink an associated social sign in (made by the user through /public/self-service).

Tried using the endpoint DELETE /admin/identities/{id}/credentials/oidc?identifier={identifier} (doc link) but it fails with the reason message in the title.

Is it not possible to implement OIDC remotion by this way?

[vinckr]

Hey @luanfrv9
you should be able to remove OIDC credentials if there are other credentials (e.g. password) present on the identity using that API.

Could you provide a simple reproducible test case, maybe in a repo that I could clone to confirm?

Alternatively you could maybe start a settings flow on behalf of the user to unlink a social sign-in

[luanfrv0]

@vinckr thanks for your attention!
For sure. I'll you replicate the exactly configs used in a new repo and send it there as fast as possible. I may find some point of my configuration that is turning admin prohibited from doing this tho.

cheers

[vinckr]

Sure, also see this PR #4304 - but its not really related to OIDC which should already be possible.

[icamys]

Hi team! In the latest stable version as of this day (v25.4.0), I experience the same issue when both the password and OIDC are configured, but the password is configured to use the migration hook. Does it mean that the password is not considered an enabled authentication factor?

Here's the credentials configuration:

"credentials": {
    "code": {
      "type": "code",
      "identifiers": [
        "test@test.com"
      ],
      "version": 1,
      "created_at": "2025-11-13T20:49:24.301748Z",
      "updated_at": "2025-11-13T20:49:24.301748Z"
    },
    "oidc": {
      "type": "oidc",
      "identifiers": [
        "google:106492765437156840313"
      ],
      "version": 0,
      "created_at": "2025-11-13T20:49:27.508603Z",
      "updated_at": "2025-11-13T20:49:27.508603Z"
    },
    "password": {
      "type": "password",
      "identifiers": [
        "test@test.com"
      ],
      "config": {
        "hashed_password": "",
        "use_password_migration_hook": true
      },
      "version": 0,
      "created_at": "2025-11-13T20:49:24.301727Z",
      "updated_at": "2025-11-13T20:49:24.301727Z"
    },
    "webauthn": {
      "type": "webauthn",
      "identifiers": [
        "test@test.com"
      ],
      "version": 1,
      "created_at": "2025-11-13T20:49:24.301739Z",
      "updated_at": "2025-11-13T20:49:24.301739Z"
    }
  }

[vinckr]

hey @icamys
the password migration hook is for migration, so when the account is not yet migrated the password hash is empty, so removing the OIDC credential would leave the identity without any credentials - at least that is how I understand this, did not try to reproduce it.
does that make sense?

[jonas-jonas]

This should work, are you sure the password migration is active and configured in your configuration?

			if len(strings.Join(c.Identifiers, "")) > 0 &&
				((s.d.Config().PasswordMigrationHook(ctx).Enabled && conf.UsePasswordMigrationHook) ||
					len(conf.HashedPassword) > 0) {
				count++
			}

[icamys]

Thanks for a quick response! I confirm that it actually works. The error occurred because I had not enabled password migration in the Kratos config.