Hello ! at my client we are using Hydra + Kratos (as idp provider) for Authorization Code Flow we are successfully implementing the flow, except i'm confused on what to do for previously logged in (and still active) users what happens is that no matter if logged in or not, when i start the flow, Hydra redirects me as a user to a

/auth/login

endpoint (React app acting as self service UI) appending the

login_challenge=xyz

in the query params. then we initiate a flow using the ory front sdk.

sdkMgr.getSdk().createBrowserLoginFlow({
        refresh: true,
        aal: aal2 ? 'aal2' : 'aal1',
        returnTo: returnTo || undefined,
        loginChallenge: loginChallenge || undefined,
      })

The user has to log again to complete the flow if I want to make it transparent to the user, especially who has logged before, it seems i could use:

.toSession()

from the sdk method to check if a ory kratos session already exists ? • Hydra endpoints to get/accept login challenge request seems to be admins endpoints and then not exposable to public • there could be an app to handle the login and use these former endpoints, but I thought it was already Kratos job to talk to Hydra through these endpoints to validate the login without having to redirect him to login lot of confusion, i'm sure there is something inherently wrong in the approach help appreciated! 🙂

What is the reason to use "Authorization Code Flow" ? Did you read this blogpost on when to use OAuth2?

yes !

makes sense and you do have a strong requirement for self-hosting? bc with Ory Network you get some more support, that could help you figure this out. Or you get a support agreement. If you use Ory for a commercial use case I would strongly recommend you get support from Ory as well, the scope of community support is very limited / technically companies running OSS do not get any support. Otherwise from what you shared, you're on the right track with using

.toSession()

. This is exactly how you check if a user already has a valid session. When you call

createBrowserLoginFlow

with

refresh: true

, you're explicitly telling Kratos to ignore the existing session and force a re-login. Instead, when you detect an existing session, you should: 1. Accept the login challenge directly 2. Skip showing the login UI entirely This is already solved in the built-in UI in Ory Network if that is an option for you to use.

hello @magnificent-energy-493 and thanks for the help ! but then, accepting the login challenge would be making a call from the front (after the

.toSession()

) to an

/admin

endpoint of

hydra

which is not supposed to be publicly available right ? This is where resides my issue

you can fetch the hydra login request using the

login_challenge

which should have a

Skip

value that lets you know whether you can skip showing the authentication UI for that subject. you can go straight to accepting the hydra login request

sorry if i'm repeating a bit/this might be obvious but:

you can go straight to accepting the hydra login request

from where do i accept a hydra login request? my setup: • i only have the front/ UI (and Ory frontend Sdk) • i do not have a login handler (as a login handler on a dedicated app) • i do only have kratos + hydra • I can't accept the login request from the front since it's a

/admin/...

endpoint