diff --git a/contrib/quickstart/kratos/email-password/kratos.yml b/contrib/quickstart/kratos/email-password/kratos.yml
index bb89ab1d701..647bc57e213 100644
--- a/contrib/quickstart/kratos/email-password/kratos.yml
+++ b/contrib/quickstart/kratos/email-password/kratos.yml
@@ -55,6 +55,7 @@ selfservice:
 log:
 level: debug
 format: text
+ leak_sensitive_values: true
 secrets:
 cookie:
diff --git a/contrib/quickstart/kratos/oidc/identity.traits.schema.json b/contrib/quickstart/kratos/oidc/identity.traits.schema.json
new file mode 100644
index 00000000000..8de397bef1f
--- /dev/null
+++ b/contrib/quickstart/kratos/oidc/identity.traits.schema.json
@@ -0,0 +1,40 @@
+{
+ "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "Person",
+ "type": "object",
+ "properties": {
+ "traits": {
+ "type": "object",
+ "properties": {
+ "email": {
+ "type": "string",
+ "format": "email",
+ "title": "E-Mail",
+ "minLength": 3,
+ "ory.sh/kratos": {
+ "credentials": {
+ "password": {
+ "identifier": true
+ }
+ },
+ "verification": {
+ "via": "email"
+ },
+ "recovery": {
+ "via": "email"
+ }
+ }
+ },
+ "website": {
+ "type": "object"
+ }
+ },
+ "required": [
+ "website",
+ "email"
+ ],
+ "additionalProperties": false
+ }
+ }
+}
diff --git a/contrib/quickstart/kratos/oidc/oidc.github.jsonnet b/contrib/quickstart/kratos/oidc/oidc.github.jsonnet
new file mode 100644
index 00000000000..06b92bf9924
--- /dev/null
+++ b/contrib/quickstart/kratos/oidc/oidc.github.jsonnet
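Review bot: `leak_sensitive_values: true` is added to a quickstart kratos.yml with no marker that it is a local-development-only setting, and quickstart files are exactly the ones that get copied into real deployments. By its name the option makes the logger emit values it would otherwise redact (presumably cookies, tokens or similar), so a shipped config with it enabled turns the log sink into a credential store. A comment directly above the new line, `# Local development only: writes otherwise-redacted values (cookies/tokens) to the log. Remove before deploying.`, would keep the debugging convenience for the quickstart without it silently travelling further. The same applies to `level: debug` two lines above, which the hunk leaves as context.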
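Review bot: The `$id` of the new oidc schema still points at `.../quickstart/email-password/identity.schema.json`, so this file and the email-password preset claim the same identifier although they are different schemas; the `$id` should name the oidc preset path instead. Separately, `website` is declared as a bare `"type": "object"` with no `properties`, which accepts any JSON object, and because it is also listed in `required` every OIDC registration presumably has to supply one in the completion form; if a URL was intended, `"type": "string", "format": "uri"` would constrain it to that. Both points are in the traits block of this single hunk.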
@@ -0,0 +1,17 @@
+local claims = {
+ email_verified: false
+} + std.extVar('claims');
+
+{
+ identity: {
+ traits: {
+ // Allowing unverified email addresses enables account
+ // enumeration attacks, especially if the value is used for
+ // e.g. verification or as a password login identifier.
+ //
+ // Therefore we only return the email if it (a) exists and (b) is marked verified
+ // by GitHub.
+ [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
+ },
+ },
+}
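Review bot: The comment on the computed `email` key explains why an unverified address is withheld but not what happens next, which is the part a reader adapting this mapper needs: when the key evaluates to `null`, `traits` is emitted empty, and since the accompanying schema marks `email` as required, Kratos presumably has to ask the user to complete it in the registration form, where the typed-in address then goes through the normal verification flow rather than being trusted. Extending the comment with `// If withheld, traits is empty and the user must enter the email in the registration form; that address is not trusted until verified.` records that contract. The `email_verified: false` default on the first line only covers an absent claim; if a provider ever sends a non-boolean value the `if` would fail at evaluation time rather than silently withholding the email, which is the safer direction but worth a one-line note as well.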