
Sign in with WeChat

Reference pattern (not natively supported)

WeChat's "OAuth" flow is non-standard: it uses appid/secret instead of client_id/client_secret, has separate authorization endpoints per surface, and never returns an id_token. Kratos cannot consume it directly. This page documents the proxy pattern. Reference: ory/integrates/social-sign-in/wechat.

WeChat (微信) is the dominant Chinese super-app. WeChat Login is effectively the default identity for products that target users in mainland China.

Stand up a small bridge that accepts the standard OIDC authorization request from Ory Identities, translates the parameters (for example, client_id to appid), and forwards them to WeChat. The bridge then validates WeChat's response, calls /sns/userinfo, and returns a normal OIDC id_token to Ory Identities. Configure Ory Identities against the proxy as a generic OIDC provider.

WeChat-specific quirks

  • No email. Use unionid or openid as the credential identifier.
  • unionid vs openid. Prefer unionid, which is a stable ID across apps.
  • Separate flows per surface. Web (QR code), in-app, and Mini Programs each use different authorization endpoints.
  • Operational prerequisites. You need a Chinese business entity for Open Platform registration, an ICP filing for the callback domain, and the ability to test from within China.
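
The two translation steps of the bridge described above, as an added example (not Ory's or WeChat's code): rewriting the OIDC authorization request for the Web (QR code) surface, and mapping a /sns/userinfo response to id_token claims with unionid preferred. The qrconnect URL, the snsapi_login scope, the errcode field and all configuration values are assumptions that do not come from this page; the code exchange and token signing are outside its scope.

```python
import time
from urllib.parse import urlencode

# Assumed bridge configuration; every value is a constructed placeholder.
CFG = {
    "issuer": "https://wechat-bridge.example.com",
    "client_id": "ory-identities",          # what Ory Identities sends as client_id
    "kratos_redirect_uri": "https://auth.example.com/self-service/methods/oidc/callback/wechat",
    "wechat_appid": "wx0000000000000000",   # placeholder appid
    "bridge_callback": "https://wechat-bridge.example.com/callback",
}
# Web (QR code) endpoint (assumption); in-app and Mini Program flows use other endpoints.
WECHAT_QR_AUTHORIZE = "https://open.weixin.qq.com/connect/qrconnect"


def to_wechat_authorize_url(oidc, cfg=CFG):
    """Translate an OIDC authorization request into a WeChat QR-login URL."""
    if oidc.get("client_id") != cfg["client_id"]:
        raise ValueError("unknown client_id")
    if oidc.get("redirect_uri") != cfg["kratos_redirect_uri"]:
        raise ValueError("redirect_uri not registered")  # exact match only
    if oidc.get("response_type") != "code" or not oidc.get("state"):
        raise ValueError("need response_type=code and a state value")
    query = urlencode({
        "appid": cfg["wechat_appid"],            # client_id -> appid
        "redirect_uri": cfg["bridge_callback"],  # WeChat returns to the bridge
        "response_type": "code",
        "scope": "snsapi_login",
        "state": oidc["state"],
    })
    return f"{WECHAT_QR_AUTHORIZE}?{query}#wechat_redirect"


def id_token_claims(userinfo, nonce=None, cfg=CFG, now=None):
    """Map a /sns/userinfo response to OIDC claims for the bridge to sign."""
    if userinfo.get("errcode"):  # failures arrive in the JSON body, not the status
        raise ValueError(f"wechat error {userinfo['errcode']}: {userinfo.get('errmsg')}")
    subject = userinfo.get("unionid") or userinfo.get("openid")
    if not subject:
        raise ValueError("response has neither unionid nor openid")
    now = int(time.time()) if now is None else now
    claims = {
        "iss": cfg["issuer"], "aud": cfg["client_id"], "sub": subject,
        "iat": now, "exp": now + 300,
        "name": userinfo.get("nickname"), "picture": userinfo.get("headimgurl"),
    }
    if nonce:
        claims["nonce"] = nonce  # echo the nonce from the original request, if any
    return claims
```

Because the claims carry no email, the identity mapping on the Ory Identities side has to key on `sub`.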
