# ory-network
a
Hello 🙂 We implemented this flow a while ago: https://www.ory.sh/docs/kratos/manage-identities/invite-users However, we received reports of users who connect to the platform for the first time using SSO getting logged in even though the SSO provider has rejected the login (e.g. the application is not yet authorized in their tenant). My understanding is that by using the recovery flow, a session is generated for them, but this session is not invalidated when the user gets rejected by their SSO. How could I make sure the session expires? We use a custom UI for the login page.
s
The session includes information on what authentication was used when. Ideally, you'd disallow sessions that don't have SSO in that list.
a
@steep-lamp-91158 I have been working on this to better secure our onboarding. Could you confirm my understanding is right?
• I generate & all the recovery link
• User clicks on it, chooses to use MS 365
• Rejects (or gets rejected) from the OIDC provider
• They get redirected to the URL set in Post Recovery in the Ory Console's browser redirects settings page
• I receive the call and invalidate the session if the auth type is still recovery_code
Am I understanding this right?
s
That is an option, but it would still have issues e.g. when the user goes back in browser history. My suggestion is to enforce this in your application/stack wherever you check sessions. Instead of solely relying on the session being valid, you can also inspect the authenticator types that were used and disallow actions based on that.
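To illustrate the check suggested in the last reply, here is an added example that is not part of the thread and not Ory's code: a small Python helper that takes the JSON body returned by Kratos' `GET /sessions/whoami`, and lets the caller through only if the session is active, unexpired and lists `oidc` among its `authentication_methods`. A session whose only methods are recovery methods is refused even though Kratos reports it as valid, which is exactly the gap described above. The sample sessions are constructed, and the method names `code_recovery` and `link_recovery` are assumptions taken from the Kratos session schema that should be verified against your own whoami output.

```python
import json
from datetime import datetime, timezone

# Method names as they appear in session.authentication_methods[].method.
# "oidc" is what Kratos reports for social/enterprise SSO logins; the two
# recovery names are assumptions from the Kratos session schema and should be
# verified against the whoami output of your Kratos version.
SSO_METHODS = {"oidc"}
RECOVERY_METHODS = {"code_recovery", "link_recovery"}


def parse_rfc3339(ts):
    # Kratos emits RFC 3339 timestamps ending in "Z"; datetime.fromisoformat
    # only accepts that suffix from Python 3.11 on, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def methods_of(session):
    return {m.get("method") for m in session.get("authentication_methods", [])}


def evaluate_whoami(body, now=None):
    """Decide, from the JSON body of GET /sessions/whoami, whether the caller
    may reach SSO-gated parts of the application. Returns (allowed, reason)."""
    session = json.loads(body) if isinstance(body, (str, bytes)) else body
    now = now or datetime.now(timezone.utc)

    if not session.get("active", False):
        return False, "session inactive"
    expires_at = session.get("expires_at")
    if expires_at and parse_rfc3339(expires_at) <= now:
        return False, "session expired"

    methods = methods_of(session)
    if methods and methods <= RECOVERY_METHODS:
        # The invited user followed the recovery link but never completed the
        # OIDC step (e.g. the IdP rejected them). Kratos considers this session
        # valid, so the application has to refuse it here.
        return False, "recovery-only session: SSO step not completed"
    if not methods & SSO_METHODS:
        return False, "no SSO authentication method on session"
    return True, "ok"


# Constructed sample sessions (not real Ory data), trimmed to the fields used.
FIXED_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

RECOVERY_ONLY_SESSION = json.dumps({
    "id": "11111111-1111-1111-1111-111111111111",
    "active": True,
    "expires_at": "2024-06-02T12:00:00Z",
    "authentication_methods": [
        {"method": "code_recovery", "aal": "aal1", "completed_at": "2024-06-01T11:58:00Z"}
    ],
})

SSO_SESSION = json.dumps({
    "id": "22222222-2222-2222-2222-222222222222",
    "active": True,
    "expires_at": "2024-06-02T12:00:00Z",
    "authentication_methods": [
        {"method": "code_recovery", "aal": "aal1", "completed_at": "2024-06-01T11:58:00Z"},
        {"method": "oidc", "aal": "aal1", "completed_at": "2024-06-01T11:59:00Z",
         "provider": "microsoft"},
    ],
})

EXPIRED_SSO_SESSION = json.dumps({
    "id": "33333333-3333-3333-3333-333333333333",
    "active": True,
    "expires_at": "2024-05-31T12:00:00Z",
    "authentication_methods": [{"method": "oidc", "aal": "aal1", "provider": "microsoft"}],
})

if __name__ == "__main__":
    for name, body in [("recovery only", RECOVERY_ONLY_SESSION),
                       ("sso", SSO_SESSION), ("expired sso", EXPIRED_SSO_SESSION)]:
        print(name, evaluate_whoami(body, now=FIXED_NOW))
```

Run this check in the same place your application already validates the session (a middleware that calls whoami and caches the result), not only in the post-recovery redirect handler, so that a user who navigates back in browser history or opens a second tab still hits it.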