# general
g
We're running a proof-of-concept with Ory (self-hosted) at Volvo Cars and we are trying to understand the best way to customize the login flow. We have two specific use cases that we aim to realize:

1. During the login flow we want to check if the user has accepted our latest terms and conditions. If the terms have been changed since the user's last login and the user has not accepted the latest version, we want to present an approval screen. If the user does not accept the terms, the login is expected to fail (i.e. the user should not get an SSO session and Hydra should not issue a token).
2. We want to implement the concept of progressive profiling. Specifically, we want to allow clients to provide specific scopes that will require certain attributes to be present on the user profile. If the user is missing one of the required claims (traits), the login flow should be interrupted and the user should be prompted to complete their profile before the login succeeds.

For context, all our clients are using OAuth/OIDC to integrate and it is not considered a viable alternative to require the clients to trigger the terms and conditions and progressive profiling flows after a successful authentication.

We have tried implementing the first use case using a webhook toward a Next.js login application and we've tried realizing it by forcing Kratos to redirect back to the login application after a successful authentication, but neither approach was completely satisfactory yet.

We're keen on hearing from the community if anyone has had similar challenges and how you've solved it. It would also be great to hear from Ory if you have any recommendations on how to approach these use cases.
c
Are you planning to use the `authorization_code` flow as the only user-facing flow for this use case? I ask because there is the possibility you could work this custom logic into the consent stage of the process. This happens after the authorize step, but before the token step, so you could perform any additional verification you need there without issuing a token, then accept consent at the end.
m
As mentioned, there are several possibilities; Ory Actions is a good solution here, especially for the T&Cs check. If you already have something tried out, we can take a look at what the best solution is. As we also have a private channel set up now @green-lion-61254, can you maybe share your trial code so I can take a look with my colleagues at how to best implement it?

edit: actually, it seems the channel is not completely set up atm.