Currently, Ory Kratos does not provide a built-in configuration option to block automatic registration when a user attempts to log in with an SSO (OIDC/social) account that does not already exist in Kratos. By default, if a user tries to log in with an SSO provider and their account does not exist, Kratos will initiate the registration flow for that user. There is a feature request to allow disabling self-service registration entirely, which would prevent new users from registering themselves—including via SSO—but as of now, this is not natively supported. The suggested workaround is to provide a custom registration UI that blocks or hides the registration option, but this is not a true backend enforcement and can be bypassed if someone knows the registration endpoint URL. The Ory team has acknowledged this feature request and indicated it is on their roadmap, but there is no indication it has been implemented yet [Ability to disable self-service registration flow](https://github.com/ory/network/issues/49). In summary: - There is no direct, built-in way to block auto-registration after an SSO login attempt for unregistered users. - Workarounds involve custom UI or logic, but these are not foolproof. - The feature is on the roadmap, but not yet available. If you need strict enforcement, you would need to implement additional logic outside of Kratos or wait for this feature to be officially supported.