BE-476: Add Google OIDC SSO support via Ory Kratos

[TimDiekmann]

🌟 What is the purpose of this PR?

Add SSO (Single Sign-On) support to HASH via Google OIDC. This sets up the foundation for external identity provider login — Google first, more providers to follow.

🔗 Related links

• BE-476: Set up Google OIDC SSO (internal)
• BE-477: Set up Microsoft/Azure AD OIDC SSO (internal)

🔍 What does this change?

Kratos OIDC Configuration:

• Add OIDC method with Google provider config (kratos.yml)
• Add OIDC registration webhook — reuses existing HASH user creation hook
• Add Jsonnet claims mapper (oidc.google.jsonnet) for Google → Kratos trait mapping
• Route OIDC callbacks through API proxy via base_redirect_uri
• OIDC disabled by default — enable via KRATOS_OIDC_ENABLED=true + credentials in .env.local

Frontend:

• Add SsoProviderButtons component to sign-in page (right sidebar)
• Component dynamically renders OIDC providers from Kratos login flow
• Add brand icons: Google (multi-color), Apple, Microsoft, GitHub, GitLab

Docker Compose:

• Add OIDC env vars with ${KRATOS_OIDC_ENABLED:-false} default
• Add OIDC registration hook env vars (same pattern as password hooks)

Pre-Merge Checklist 🚀

🚢 Has this modified a publishable library?

This PR:

• does not modify any publishable blocks or libraries, or modifications do not need publishing

📜 Does this require a change to the docs?

The changes in this PR:

• are in a state where docs changes are not yet required but will be
  • this is tracked in: BE-476

🕸️ Does this require a change to the Turbo Graph?

The changes in this PR:

• do not affect the execution graph

🐾 Next steps

• Add Microsoft/Azure AD as second provider (BE-477)
• Consider automatic account linking mode for Google consumer accounts

🛡 What tests cover this?

• Manual testing: local OIDC flow with Google (login, registration, account linking)
• Staging deployment for integration testing

❓ How to test this?

1. Add to .env.local:

   KRATOS_OIDC_ENABLED=true
   KRATOS_OIDC_GOOGLE_CLIENT_ID=<client-id>
   KRATOS_OIDC_GOOGLE_CLIENT_SECRET=<client-secret>
   

2. Rebuild Kratos: docker compose -f apps/hash-external-services/docker-compose.yml build kratos
3. Start services: yarn dev
4. Go to http://localhost:3000/signin
5. Click "Google" button on the right side
6. Confirm Google OAuth flow completes and user is signed in

🎥 Demo

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Ready	Preview, Comment	Mar 25, 2026 6:30pm

3 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
hashdotdesign	Ignored	Preview	Mar 25, 2026 6:30pm
hashdotdesign-tokens	Ignored	Preview	Mar 25, 2026 6:30pm
petrinaut	Skipped		Mar 25, 2026 6:30pm

[cursor]

PR Summary

High Risk
Introduces and configures OIDC-based login/registration and upgrades the Kratos version, touching authentication and identity provisioning paths where misconfiguration could affect account security and sign-in behavior.

Overview
Adds Google OIDC SSO support to the local Kratos setup: upgrades oryd/kratos to v26.2, introduces an OIDC provider config (with a Google claims mapper), and wires post-registration hooks for OIDC signups (OIDC remains disabled by default via env vars in docker-compose.yml).

Updates the sign-in UI to surface OIDC providers from the Kratos login flow via new SsoProviderButtons, improves Kratos message rendering (notably account-linking guidance) with formatKratosMessage, and pre-fills the email field from the flow’s identifier when present. Also adds new provider SVG icons (Google/Apple/Microsoft/GitHub/GitLab) for the SSO buttons.

^{Written by Cursor Bugbot for commit d4c797b. This will update automatically on new commits. Configure here.}

[augmentcode]

🤖 Augment PR Summary

Summary: Adds Google OIDC SSO support to HASH via Ory Kratos, plus UI affordances to sign in with configured OIDC providers.

Changes:

• Configure Kratos OIDC method with a Google provider, including a Jsonnet claims mapper and required scopes/claims.
• Route OIDC callback URLs through the API proxy via `base_redirect_uri`.
• Add an OIDC registration “after” webhook to reuse the existing post-registration user creation flow.
• Wire Docker Compose env vars to enable/disable OIDC and provide Google client credentials.
• Add `SsoProviderButtons` to render OIDC providers from the Kratos login flow and handle the redirect initiation.
• Introduce brand icons (Google/Apple/Microsoft/GitHub/GitLab) and render the SSO buttons on the sign-in sidebar.

Technical Notes: OIDC is disabled by default and is enabled via KRATOS_OIDC_ENABLED=true plus provider credentials; registration skips the verification UI, relying on provider-verified email claims.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[lunelson]

Is it possible to get e2e test coverage on this?

[TimDiekmann]

@lunelson Not for the full OAuth flow, no. Google/Microsoft have bot detection that prevents automated browser login. What we could test:

• Kratos API: verify OIDC nodes appear in login flows
• Jsonnet mappers: unit test claims transformation
• Frontend: buttons render and click handler fires

The actual OAuth redirect -> provider login -> callback chain requires manual testing or a mock OIDC provider (e.g. Dex). For now this was manually tested on local + staging (the infra is already prepared by now) with both Google and Microsoft accounts. However, to test this, we need OIDC to be set up in CI, which we currently don't have. I would defer that to another task. We also surprisingly don't have unit testing set up for the frontend, which would be out of scope of this PR.

[TimDiekmann]

• BE-477: Add Microsoft/Azure AD OIDC SSO provider #8578
• BE-476: Add Google OIDC SSO support via Ory Kratos #8576 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.