ory · vinckr · Oct 23, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
@@ -0,0 +1,145 @@
+---
+id: amazon
+title: Add Amazon as a social sign-in provider in Ory
+sidebar_label: Amazon
+---
+
+# Amazon
+
+:::note
+
+To add Amazon as a social sign-in provider, you need a Amazon Developer account. Go to
+[Amazon Developers](https://developer.amazon.com/) to create one.
+
+:::
+
+````mdx-code-block
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+<Tabs>
+<TabItem value="console" label="Ory Console" default>
+
+Follow these steps to add Amazon as a social sign-in provider for your project, using the Ory Console.
+
+1. Go to <ConsoleLink route="project.socialSignIn" />.
+1. Enable the **Enable OpenID Connect** toggle, then click **Add new OpenID Connect provider**.
+1. Click the Amazon logo to open the **Configure Amazon** screen. You may need to click **Show more providers** to see the full list of providers.
+1. Copy the Redirect URI and save it for later use.
+1. Follow the [official steps](https://developer.amazon.com/docs/login-with-amazon/register-web.html) to create a security profile.
+1. Once you've created the security profile, click **Show Client Secret** and copy the Client ID and Client secret. Then paste them into the corresponding fields in the Ory Console's **Configure Amazon** screen.
+1. In the Ory Console, click **Save Configuration** to enable Amazon as a social sign-in provider.
+1. On Amazon Developers, click **Save Changes**.
+1. Open the Amazon **Security Profile Management** screen, select the **Web Settings** tab, click **Edit**, and paste the redirect URI into the **Allowed Return URLs** field. Click **Save**.
+
+:::note
+
+These steps cover the basic configuration of a social sign-in provider integration. At this point, the user experience is
+incomplete. To complete the configuration and ensure a smooth and secure user experience, configure the [scopes](#scopes) and
+[data mapping](#data-mapping) as described in the next section.
+
+:::
+
+## Additional configuration
+
+When adding a social sign-in provider, you can customize the integration by defining the OAuth scopes Ory requests from the
+provider and by setting up custom data mappings.
+
+### Scopes
+
+In the **Scopes** field, you can define the OAuth (access) scopes that Ory requests from the sign-in provider. Defining access scopes enables you to
+interact with the provider's APIs on behalf of the user, or to access additional user data, which is exposed as claims for data
+mapping.
+
+For a basic setup, follow these steps to add the profile access scope:
+
+- In Ory Console's **Configure Amazon** screen, click **Show advanced settings**.
+- In the **Scopes** field, enter `profile` and click **Add**.
+
+To learn more about the scopes available for Amazon, read the
+[related documentation](https://developer.amazon.com/docs/login-with-amazon/customer-profile.html).
+
+### Data mapping
+
+In the **Data mapping** field, you can map the data returned by the sign-in provider to traits as defined in the identity
+schema.
+
+To define the mapping, create a Jsonnet code snippet. Read [this document](./data-mapping) to learn more about Jsonnet data
+mapping.
+
+In this sample Jsonnet snippet, the user's `email`, is mapped to `email` in the identity schema.
+
+```jsonnet
+local claims = std.extVar('claims');
+{
+  identity: {
+    traits: {
+      // The email might be empty if the user hasn't granted permissions for the email scope.
+      [if 'email' in claims then 'email' else null]: claims.email,
+    },
+  },
+}
+```
+
+
+</TabItem>
+<TabItem value="cli" label="Ory CLI">
+Follow these steps to add Amazon as a social sign-in provider to your project using the Ory CLI:
+3. Encode the Jsonnet snippet with [Base64](https://www.base64encode.org/) or host it under an URL accessible to Ory Network.
+
+  ```shell
+  cat your-data-mapping.jsonnet | base64
+  ```
+
+4. Download the Ory Identities config from your project and save it to a file:
+
+   ```shell
+   ## List all available workspaces
+   ory list workspaces
+
+   ## List all available projects
+   ory list projects --workspace <workspace-id>
+
+   ## Get config
+   ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
+   ```
+
+5. Add the social sign-in provider configuration to the downloaded config. Add the Jsonnet snippet with mappings as a Base64
+   string or provide an URL to the file.
+
+   ```yaml
+   selfservice:
+   methods:
+     oidc:
+       config:
+         providers:
+           - id: amazon # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
+             provider: amazon
+             client_id: .... # Replace this with the OAuth2 Client ID provided by Amazon app
+             client_secret: .... # Replace this with the OAuth2 Client Secret provided by Amazon app
+             mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
+             # Alternatively, use an URL like this example
+             # mapper_url: https://storage.googleapis.com/example-example-prd/example-file
+             scope:
+               - profile
+             pkce: "force"
+       enabled: true
+   ```
+
+6. Update the Ory Identities configuration using the file you worked with:
+
+   ```shell
+   ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
+   ```
+
+</TabItem>
+</Tabs>
+````
+
+## Troubleshooting
+
+```mdx-code-block
+import SocialSigninTroubleshooting from '../_common/social-sign-in-troubleshooting.mdx'
+
+<SocialSigninTroubleshooting />
+```
@@ -58,6 +58,7 @@ const oidcSSO: SidebarItemConfig = {
         "kratos/social-signin/linkedin",
         "kratos/social-signin/x-twitter",
         "kratos/social-signin/line",
+        "kratos/social-signin/amazon",
       ],
     },
     "kratos/social-signin/data-mapping",