# ory-selfhosting
w
Hi all 👋 We’re running into a challenge using a single ORY Kratos instance to support two separate web applications, both of which have Google SSO enabled.

Setup:
- One Kratos instance (`auth.test.sso`)
- Two frontend apps:
  - admin.test.app
  - dealer.test.app
- Both apps use Kratos for login/registration (including password and Google SSO)
- We use `return_to=` when initiating flows to guide successful login redirection

The issue: Kratos allows setting only one `login.ui_url` in the config. When the user cancels SSO (e.g., denies Google access), Kratos falls back to this `ui_url` — so no matter which app started the flow, they are redirected to the same app (currently admin.test.app). This causes confusion and breaks the UX in dealer.test.app, since we can’t detect or override the flow’s origin at this point.

Is there an official or recommended approach to handle multi-frontend SSO scenarios like this, using a shared Kratos instance?
s
It is not possible with a single instance, but you can use multiple instances with the same database. That's kinda what we do in Ory Network. We are also able to license that feature for single-instance through Ory OEL: https://www.ory.sh/ory-enterprise-license
w
Thanks for the reply