is there a way to get the user logged in right aft...
# ory-selfhosting
w
is there a way to get the user logged in right after consent when integrating hydra & kratos?
l
I believe consent can only happen after login/authentication. Otherwise, how can you tell hydra who is consenting to what?
w
Right, after Hydra accepts the user consent it redirects back to Kratos, and a new user is created. However, that new user is not logged in (no session cookie got created). Only when going through the flow again is the user logged in. I'm wondering why that's happening.
l
Session cookies (or whatever is used for auth) should already be set before consent. Your app needs to accept the login request with Hydra, so I don't know how you could get to the consent phase without performing authentication first.
w
Looking at the requests, that's incorrect. The redirects go something like this:

app's /login -> /oauth2/auth -> /consent -> oauth2/auth -> ../callback/hydra -> back to app

The set-cookie header for ory_kratos_session is found in the response for ../callback/hydra and not prior to that.
l
Hydra sets Hydra cookies, it doesn't set Kratos cookies, and you may want to review the guide for Hydra's login flow. You can see that authentication with the "Login Endpoint" (the IdP, Kratos, in this case) must come before consent.
w
I appreciate you're trying to help but I don't think you're focusing on the issue. I'm aware of the flow, and when a user of mine uses OIDC they go through login and consent, one after the other, like it shows in the diagram. The session cookie, created by Kratos, is set only after consent is made, which is okay. What I've found out is that when a new user is using OIDC, they go through the login and consent, then are redirected back to my app, and while Kratos created a new identity for them, it didn't set a session cookie. When the user then tries to sign in a second time, they go through exactly the same flow, but then Kratos sets a session cookie and the user is logged in. This is not the expected behavior; I expect the user to be signed in after the first time they go through the flow, and I'm trying to understand why it doesn't work.
l
Kratos is the Login Endpoint and it has absolutely nothing to do with OAuth consent 🙂 Kratos is the Identity Provider and it should be setting session cookies after successful authentication. If it isn't, then you might have some sort of configuration problem. Do you have the session hook enabled for registration?
```yaml
selfservice:
  flows:
    registration:
      after:
        password:
          hooks:
            - hook: session
```
w
Thanks! That actually solved it (adding another session hook, but under "oidc" instead of "password")
```yaml
...
      after:
        oidc:
          hooks:
            - hook: session
```
🙂