To set up Ory Hydra (OAuth2 & OpenID Connect provider) and configure it as the OAuth2 provider for Ory Kratos within Ory Network, you generally follow these steps: 1. Create an Ory Network Project and OAuth2 Client (Hydra): - Use the Ory Console or Ory CLI to create a project that will act as your OAuth2/OIDC provider (Hydra). - Create an OAuth2 client within this project. You will need the Client ID, Client Secret, and the Issuer URL (the URL of your Ory Network project or Hydra instance) for later steps. - Example CLI command to create a client:

ory create oauth2-client --project "$PROJECT_ID" \        --name "Example Corp" \        --grant-type authorization_code,refresh_token \        --response-type code \        --scope openid,offline_access,email \        --redirect-uri <https://your-project-slug.projects.oryapis.com/self-service/methods/oidc/callback/H1o_k--i>

- The SSO provider project manages user identities and provides OAuth2/OIDC endpoints for authentication and authorization. Apps can now use this provider for sign-in via the OAuth2 authorization code flow [Setting up the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory). 2. Configure Ory Kratos to Use the OAuth2 Provider: - In the Ory Console, go to Authentication → Social Sign-In. - Click Add new OpenID Connect provider. - Enter the Client ID, Client Secret, and Issuer URL from the OAuth2 client you created above. - Copy the Redirect URI provided by the Console and add it to your OAuth2 client configuration in the SSO provider project. - Save the configuration [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider). 3. (Optional) Adjust Scopes and Data Mapping: - You can define which OAuth scopes Ory requests from the provider (e.g.,

openid

,

offline_access

,

email

). - You can also set up custom data mappings for user traits [Scopes and Data Mapping](https://www.ory.sh/docs/kratos/social-signin/ory#scopes). Summary: - Ory Hydra (OAuth2/OIDC) is set up as a project in Ory Network. - Ory Kratos is configured to use this project as an OIDC provider for social sign-in. - All configuration can be managed via the Ory Console or Ory CLI. If you need to customize login and consent UIs, you can also configure custom URLs in your OAuth2 project settings [Configure Ory Network](https://www.ory.sh/docs/hydra/guides/custom-ui-oauth2#configure-ory-network). If you need more detailed, step-by-step instructions, please specify which part of the setup you need help with.

In Ory Network, you do not configure the

oauth2_provider

section in the Kratos config as you would in a self-hosted setup. The Ory Network platform manages the integration between Ory Identities (Kratos) and Ory OAuth2 & OpenID Connect (Hydra) for you. This means: - The connection between Kratos and Hydra is handled internally by Ory Network. - You do not need (and cannot) set the

oauth2_provider.url

or

override_return_to

in your Kratos config. - Instead, you configure OAuth2/OIDC flows, social sign-in, and identity provider integrations through the [Ory Console](https://console.ory.sh/) or the Ory CLI. For advanced use cases, such as overriding the return URL after identity flows, Ory Network provides a setting called Always Return to OAuth2 provider. This can be enabled in the Ory Console under OAuth 2 → Identity integration settings. When enabled, it ensures users are always redirected back to the OAuth2 flow after completing identity-related actions, similar to what

override_return_to: true

did in self-hosted setups. You can also enable this via the CLI:

bash ory patch project <your-project-id> \   --replace '/services/identity/oauth2_provider/override_return_to=true'

[Identity Provider Integration Settings](https://www.ory.sh/docs/oauth2-oidc/identity-provider-integration-settings#overview) Summary: - In Ory Network, you do not set

oauth2_provider

in the Kratos config. - Use the Ory Console or CLI to manage OAuth2/OIDC integration and advanced settings. If you need to connect Kratos to an external OIDC provider, use the Social Sign-In section in the Console, not the config file directly [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider). If you have a specific use case that is not covered by these settings, please provide more details.

A message from kapa.ai

In Ory Network, you no longer configure the

oauth2_provider

section directly in the Kratos config as you did in self-hosted setups. The integration between Ory Identities (Kratos) and Ory OAuth2 & OpenID Connect (Hydra) is managed by the Ory Network platform itself. Instead of setting

oauth2_provider.url

and

override_return_to

in your config file, you should use the Ory Console or CLI to manage these integrations and advanced settings. For example, to achieve the same effect as

override_return_to: true

, you can enable the Always Return to OAuth2 provider setting in the Ory Console under OAuth 2 → Identity integration settings. This ensures users are redirected back to the OAuth2 flow after completing identity-related actions. You can also enable this via the CLI:

bash ory patch project <your-project-id> \   --replace '/services/identity/oauth2_provider/override_return_to=true'

This approach replaces the need for the

oauth2_provider

block in your Kratos config when using Ory Network. If you need to connect to an external OIDC provider, use the Social Sign-In section in the Console instead of editing the config file directly [Identity Provider Integration Settings](https://www.ory.sh/docs/oauth2-oidc/identity-provider-integration-settings#overview) [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider). If you have a specific scenario that is not covered by these settings, please provide more details.

In Ory Network, the integration between the identity service (Ory Identities/Kratos) and the OAuth2 service (Ory OAuth2 & OpenID Connect/Hydra) is managed internally by the platform. This means that, unlike in a self-hosted setup where you would see explicit network requests from your application to both Kratos and Hydra, in Ory Network these services are tightly integrated and the communication between them happens within the Ory Network infrastructure. As a result, when you initiate an OAuth2 flow, you may only see network requests from your client to the identity service, and not direct calls to the OAuth2 service (Hydra), because the Ory Network handles the necessary backend communication for you. This is by design and is part of the abstraction and simplification that Ory Network provides compared to self-hosting, where you would manually orchestrate the flow between Kratos and Hydra and see those network requests in your logs or browser dev tools. If you need to customize or debug the flow, you should use the Ory Console or CLI, as direct configuration and visibility into the internal service-to-service calls are not exposed in the same way as in self-hosted environments [Ory Network or self-hosted?](https://www.ory.sh/blog/ory-network-or-self-hosting-explained-use-cases). If you have a specific use case that requires visibility into these internal calls, or if you believe the flow is not working as expected, please provide more details so we can assist further.

For Ory Network, the recommended and streamlined setup for your use case—signing in with Google, issuing JWT tokens, and supporting custom claims (like groups) and machine-to-machine (M2M) API calls—differs from the traditional self-hosted Kratos + Hydra integration. ### 1. Sign in with Google - Use Ory Network’s built-in social sign-in feature. You can add Google as a provider via the Ory Console or CLI. This handles the OAuth2/OpenID Connect flow for you, mapping Google user data to your Ory identities. You configure scopes and data mapping using Jsonnet snippets, so you can control which Google claims are mapped to your identity traits (e.g., email, first/last name, etc.) [Google Social Sign-In Setup](https://www.ory.sh/docs/kratos/social-signin/google#additional-configuration). ### 2. Issue JWT Tokens - Ory Network allows you to convert user sessions into JWTs. You can define custom claims in the JWT using a Jsonnet template, which gives you flexibility to include additional data (such as groups or roles) in the token. This is done by configuring a tokenizer template and then requesting a session as a JWT [Convert Ory Sessions to JWT](https://www.ory.sh/docs/identities/session-to-jwt-cors). ### 3. Add Custom Claims (e.g., Groups) - To add custom claims like groups, you can use a Jsonnet claims mapper when generating the JWT. The claims mapper can pull data from the session or identity traits and inject it into the JWT payload. However, if your group data is managed outside of identity traits (e.g., in Ory Keto), you would need to ensure it’s available in the session or fetched via a custom integration, as Ory Network does not automatically inject Keto relationships into tokens. For more advanced use cases, you can use Ory Actions or custom consent endpoints to enrich tokens with additional data [Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh) [Custom consent UI and custom claims](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#custom-consent-ui-and-custom-claims-for-jwt-access-token). ### 4. Machine-to-Machine (M2M) API Calls - For M2M authentication, Ory Network supports the OAuth2 client credentials flow. You can create service accounts (OAuth2 clients) and issue access tokens for them, which can be JWTs if you configure the project accordingly [Connect service accounts](https://www.ory.sh/docs/oauth2-oidc/client-credentials). --- Summary: - Use Ory Network’s social sign-in for Google (no need to manually wire Kratos to Hydra). - Use session-to-JWT conversion with a custom claims mapper for user tokens. - Use OAuth2 client credentials for M2M tokens. - For custom claims (like groups), use Jsonnet mapping or Ory Actions, but note that automatic injection of Keto relationships into tokens is not currently supported out-of-the-box [Github Issue: Getting Groups claims via OIDC](https://github.com/ory/network/issues/267). This approach is simpler and more integrated than the self-hosted Kratos + Hydra setup, and leverages Ory Network’s managed features. If you need to enrich tokens with external data, consider using Ory Actions or a custom consent endpoint.

To configure an Ory Network project to authenticate users with Google and then issue a JWT token (with custom traits) via OAuth2 (Hydra), you would: 1. Enable Google as a Social Sign-In Provider 2. Configure Data Mapping for Custom Traits 3. (If needed) Configure JWT Token Claims Below is an example of what the relevant parts of your project configuration might look like, based on the knowledge sources: --- ### 1. Enable Google as a Social Sign-In Provider You can do this via the Ory Console under Authentication → Social Sign-In. You’ll need to provide: -

client_id

and

client_secret

from your Google OAuth app - The appropriate scopes (e.g.,

email

,

profile

) - A data mapping (Jsonnet) snippet to map Google claims to your identity traits Example YAML snippet for the identity config:

yaml selfservice:   methods:     oidc:       config:         providers:           - id: google             provider: google             client_id: <YOUR_GOOGLE_CLIENT_ID>             client_secret: <YOUR_GOOGLE_CLIENT_SECRET>             mapper_url: "base64://<YOUR_BASE64_ENCODED_JSONNET>"             scope:               - email               - profile             requested_claims:               id_token:                 email:                   essential: true                 email_verified:                   essential: true                 given_name:                   essential: true                 family_name: null       enabled: true

[Google Social Sign-In Data Mapping](https://www.ory.sh/docs/kratos/social-signin/google#data-mapping) Example Jsonnet for data mapping:

jsonnet local claims = {     email_verified: false,   } + std.extVar('claims');  {   identity: {     traits: {       [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,       first_name: claims.given_name,       last_name: claims.family_name,       // Add custom traits here, e.g.:       // group: claims.hd,  // For Google Workspace domain     },   }, }

[Google Data Mapping Example](https://www.ory.sh/docs/kratos/social-signin/google#additional-configuration) --- ### 2. Issue JWT Tokens with Custom Traits Ory Network allows you to convert sessions to JWTs, and you can use a claims mapper (Jsonnet) to include custom traits in the JWT. The specific configuration for JWT claims mapping is not detailed in the provided sources, but the general approach is to use a Jsonnet template to map identity traits to JWT claims. Note: The knowledge sources do not provide a full example of the JWT claims mapping configuration for Ory Network. They do show how to map identity traits from Google, which would then be available for inclusion in JWTs. --- ### 3. OAuth2 (Hydra) Integration In Ory Network, the OAuth2 (Hydra) service is managed for you. You do not need to manually configure the

oauth2_provider

block as in self-hosted setups. Instead, after social sign-in, the user session can be exchanged for a JWT via the OAuth2 flow, and the custom traits you mapped will be available in the identity/session. --- Summary: - Configure Google as a social sign-in provider with the required scopes and a Jsonnet data mapping for custom traits. - The mapped traits will be available in the user's identity and can be included in JWTs issued by Ory Network. - You do not need to manually configure Hydra integration; Ory Network handles this internally. If you need to include additional custom claims in the JWT, you would use a claims mapper, but the exact configuration for this in Ory Network is not detailed in the provided sources. If you need more details on JWT claims mapping, please specify, and I can help further if more information is available. [Google Social Sign-In Setup](https://www.ory.sh/docs/kratos/social-signin/google#data-mapping) [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider)

Certainly! Here’s how the flow should go for a public app using OAuth2 and Google login with Ory Network: --- ### 1. User Initiates Login - The user visits your app and clicks “Sign in with Google.” ### 2. App Starts OAuth2 Authorization Code Flow - Your app redirects the user to the Ory Network OAuth2 authorization endpoint, specifying your app’s client ID, redirect URI, and requested scopes (e.g.,

openid

,

email

,

profile

) [Authorization Code Grant](https://www.ory.sh/docs/getting-started/ory-network-oauth2#authorization-code-grant). ### 3. Ory Network Presents Login UI - Ory Network displays the login page, which includes a “Sign in with Google” button (assuming you have configured Google as a social sign-in provider in your Ory project) [Social sign-in](https://www.ory.sh/docs/identities/get-started/social-sign-in). ### 4. User Authenticates with Google - The user clicks the Google button and is redirected to Google’s authentication page. - The user logs in and consents to share their profile information. ### 5. Google Redirects Back to Ory Network - After successful authentication, Google redirects the user back to Ory Network with an authorization code. ### 6. Ory Network Maps Google Data to Identity - Ory Network uses your configured data mapping (Jsonnet) to map Google claims (like email, name, etc.) to the user’s identity traits in Ory [Google Data Mapping](https://www.ory.sh/docs/kratos/social-signin/google#data-mapping). ### 7. Ory Network Issues OAuth2 Tokens - Ory Network completes the OAuth2 flow, issuing an

id_token

and

access_token

(and optionally a

refresh_token

) to your app’s redirect URI [Authorization Code Grant](https://www.ory.sh/docs/getting-started/ory-network-oauth2#authorization-code-grant). ### 8. App Receives Tokens - Your app receives the tokens and can use the

id_token

to identify the user and the

access_token

to access APIs on behalf of the user. --- Summary: - The user authenticates via Google through Ory Network’s login UI. - Ory Network handles the OAuth2 flow and token issuance. - Your app never directly handles Google credentials; it only receives tokens from Ory Network. This flow leverages Ory Network’s managed integration between identity, social sign-in, and OAuth2, so you do not need to manually orchestrate between Kratos and Hydra as in self-hosted setups [Social sign-in](https://www.ory.sh/docs/identities/get-started/social-sign-in).