# ory-copilot
@chilly-king-10285 during testing I found out that I can register a user during the OAuth2 flow and can perform a successful client authorization without the account being verified. Can this be configured?
A message from kapa.ai
Yes, this behavior can be configured in Ory. Based on the information from the knowledge sources, there are a couple of relevant settings you can adjust to require email verification before allowing login or OAuth2 authorization:

1. Require Verified Address for Login: You can enable this setting to only allow users with a verified email address to sign in. This can be configured in the Ory Console or using the Ory CLI. [Ory Docs: Allow login only with verified email](https://www.ory.sh/docs/identities/sign-in/actions#allow-login-only-with-verified-email)
2. Show Verification After Registration: You can configure Ory to show the verification screen immediately after registration, which can help ensure users verify their email before proceeding with OAuth2 flows. [Ory Docs: Show verification after successful registration](https://www.ory.sh/docs/identities/sign-in/actions#show-verification-after-successful-registration)
3. Require Verified Address Action: You can add the `require_verified_address` action to the login flow, which will check if the user's email address has been verified before allowing them to sign in. [Ory Docs: Require verified address](https://www.ory.sh/docs/actions/require-verified-address)

By combining these settings, you can ensure that users cannot complete the OAuth2 flow without verifying their email address first. However, it's important to note that if you enable "Sign In After Registration" along with requiring email verification, users might be temporarily logged in after registration but unable to perform further actions until they verify their email.

For the most secure setup, you may want to disable "Sign In After Registration" if you're requiring email verification for login: [GitHub Issue: Sign In After Registration should be disabled if Require Verified Address for Login is selected](https://github.com/ory/network/issues/107)

Remember to test your configuration thoroughly to ensure it behaves as expected in your specific OAuth2 flow.