magnificent-energy-493
chilly-king-10285
07/10/2023, 10:24 AM
chilly-king-10285
07/10/2023, 10:25 AM
`/oauth2/auth/requests/login/reject` endpoint as you mentioned. This endpoint tells Ory that the subject has not authenticated and includes a reason why the authentication was denied. The response from this endpoint contains a redirect URL which your login provider should redirect the user-agent to ([source](https://www.ory.sh/docs/reference/api)).

The reason for this redirection is to maintain the integrity of the OAuth2 flow. Ory Hydra manages the flow and needs to be aware of its state at all times, including when a login attempt fails. By redirecting back to Hydra, you allow it to properly handle the failed login attempt and take the necessary next steps.

As for communicating the reason for the login failure to the invoking client, the details of the failure reason would typically be included in the response from the `/oauth2/auth/requests/login/reject` endpoint. This allows the invoking client to handle the failure appropriately.

Remember, the OAuth2 flow involves multiple parties (the user, your service, Ory Hydra, and the invoking client), and it's important to keep all parties in sync about the state of the flow. This is why even in the event of a failure, the flow continues to involve all parties.