Add optional env-activated Kratos OIDC/SSO providers (todo §3); off by default, committed claims mapper, SAML via OIDC bridge note

ory/kratos/kratos.yml

@@ -20,6 +20,19 @@ selfservice:
       enabled: true
     code: # email one-time code — powers recovery + verification (not login)
       enabled: true
+    # Social sign-in (Google, Microsoft, or SAML via an OIDC bridge like Ory Polis —
+    # OSS Kratos has no native SAML). OFF by default → a clean clone is password-only.
+    # Activate WITHOUT code changes by supplying env (the whole-array form is the only
+    # env-settable one Kratos offers); providers reference the committed claims mapper,
+    # and §4 derives the buttons from this list:
+    #   SELFSERVICE_METHODS_OIDC_ENABLED=true
+    #   SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS=[{"id":"google","provider":"google",
+    #     "client_id":"…","client_secret":"…","scope":["openid","email","profile"],
+    #     "mapper_url":"file:///etc/config/kratos/oidc/claims.jsonnet"}]
+    oidc:
+      enabled: false
+      config:
+        providers: []
   flows:
     error:
       ui_url: http://127.0.0.1:3000/error

ory/kratos/oidc/claims.jsonnet

@@ -0,0 +1,16 @@
+// OIDC claims → identity traits mapper (Kratos exposes the provider's claims as
+// `claims`). Shared by every social provider (Google, Microsoft, OIDC/SAML bridges):
+// they all expose email + given_name/family_name. Email is required by the schema.
+local claims = std.extVar('claims');
+
+{
+  identity: {
+    traits: {
+      email: claims.email,
+      name: {
+        first: if std.objectHas(claims, 'given_name') then claims.given_name else '',
+        last: if std.objectHas(claims, 'family_name') then claims.family_name else '',
+      },
+    },
+  },
+}