The error

OperationProcessingError: "response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)

typically indicates that Auth.js (or the underlying OpenID Connect client) is trying to fetch the OIDC discovery document (the

.well-known/openid-configuration

endpoint) from your Ory project, but is receiving an unexpected HTTP status code instead of the expected 200 OK and JSON metadata. Based on the official Ory integration guide, here are some things to check: 1. Correct Ory Project URL: Make sure your

.env.local

file contains the correct Ory SDK URL for your project. This should be the base URL for your Ory Network project, which you can find in the [Get started](https://console.ory.sh/projects/current/get-started) section of the Ory Console. If this URL is incorrect, Auth.js will not be able to fetch the OIDC metadata and will throw this error. 2. OAuth2 Client Configuration: Double-check that your OAuth2 client is set up correctly in the Ory Console, including the redirect URIs and scopes as described in the guide. The redirect URI must exactly match what is registered in Ory, or you may encounter errors during the OIDC flow. Use your browser’s network tab to inspect requests made to

/oauth2/auth

to verify this if needed [Resolve redirect URL mismatch errors](https://www.ory.sh/docs/getting-started/integrate-auth/auth-js#resolve-redirect-url-mismatch-errors). 3. Ory Project Availability: Ensure your Ory project is active and accessible from your development environment. If the project is not reachable, the discovery endpoint will not return the expected metadata. 4. Check for HTTP Errors: If the Ory endpoint returns a 4xx or 5xx error (such as 404 Not Found or 401 Unauthorized) instead of the expected 200 OK, Auth.js will not be able to process the response as valid OIDC metadata. If you have verified all of the above and the issue persists, please provide the exact URL being called for the OIDC discovery document and the HTTP status code returned. This will help further diagnose the problem. The knowledge sources do not contain a direct mention of this specific error message, but the integration steps and troubleshooting advice above are based on the official Ory documentation for Auth.js and OIDC integration [Integrate authentication into Auth.js and NextAuth](https://www.ory.sh/docs/getting-started/integrate-auth/auth-js).

@chilly-king-10285 how does this work with Kratos & Hydra ? I am requesting Kratos.

When integrating Auth.js (or any OIDC client) with Ory Kratos and Hydra, the typical setup is as follows: - Ory Kratos handles identity management (user registration, login, etc.). - Ory Hydra acts as the OAuth2 & OpenID Connect (OIDC) provider, issuing tokens and handling the OIDC protocol. How it works: 1. OIDC Discovery: Auth.js expects to communicate with an OIDC provider. In the Ory ecosystem, this is Hydra, not Kratos. The OIDC discovery endpoint (

/.well-known/openid-configuration

) must be served by Hydra, not Kratos. Kratos does not implement the OIDC provider endpoints; it only supports acting as an OIDC client (for social sign-in) or as an identity provider for Hydra. 2. Login Flow: When a user initiates login via Auth.js, the flow is: - Auth.js redirects the user to Hydra's authorization endpoint. - Hydra, in turn, delegates authentication to Kratos (using Kratos' self-service login flow). - After successful authentication, Kratos redirects back to Hydra, which then issues the OIDC tokens and redirects back to your application. 3. Configuration: Your OIDC client (Auth.js) must be configured to use Hydra's endpoints (not Kratos). If you point Auth.js to Kratos, you will get errors like the one you described, because Kratos does not serve the OIDC discovery document or endpoints required by OIDC clients. Summary: - Auth.js (or any OIDC client) should be configured to use Ory Hydra as the OIDC provider. - Hydra will use Kratos for user authentication in the background. - Do not point OIDC clients directly at Kratos; use Hydra's endpoints instead. This architecture is described in the Ory documentation and ecosystem overview, which clarifies that Hydra is the OIDC provider and Kratos is the identity management backend. Hydra connects to Kratos for authentication, but all OIDC/OAuth2 flows go through Hydra, not Kratos [Ory Ecosystem Introduction](https://www.ory.sh/docs/ecosystem/projects). If you want to use Ory as an OIDC provider for Auth.js, ensure you are using Hydra's endpoints, not Kratos'. If you are using Ory Network, the OIDC endpoints are provided by the Ory project itself, which combines these services under the hood [Integrate authentication into Auth.js and NextAuth](https://www.ory.sh/docs/getting-started/integrate-auth/auth-js). If you need to add social sign-in (e.g., "Sign in with Google") to Kratos, Kratos acts as an OIDC client, not a provider [Login with Google, Facebook, GitHub, ..., OpenID Connect / OAuth 2.0](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-with-google-facebook-github--openid-connect--oauth-20). If you are pointing Auth.js to Kratos, it will not work as an OIDC provider. You must use Hydra (or Ory Network's OIDC endpoints) for this purpose.

The error message from Hydra: > The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls. means that the

redirect_uri

you are sending in your Auth.js/OIDC request does not exactly match any of the URIs registered for your OAuth2 client in Hydra. How to resolve: 1. Check your OAuth2 client configuration in Hydra: Use the Hydra CLI to inspect your client and see which redirect URIs are registered. For example:

ory get oauth2-client <client-id>

Look for the

redirect_uris

field in the output and ensure it matches exactly (including protocol, port, and path) the

redirect_uri

being sent by Auth.js or your application. Even a small difference (like a missing slash or different port) will cause this error [Resolve redirect URL mismatch errors](https://www.ory.sh/docs/getting-started/integrate-auth/auth-js#resolve-redirect-url-mismatch-errors), [Refresh Token flow fails](https://www.ory.sh/docs/hydra/debug#refresh-token-flow-fails). 2. Update the client if needed: If the redirect URI is missing or incorrect, update your OAuth2 client in Hydra to include the correct URI. You can do this with the CLI:

ory update oauth2-client <client-id> --redirect-uri <http://your-app/callback>

You can register multiple redirect URIs if needed [Example OAuth2 clients](https://www.ory.sh/docs/hydra/guides/oauth2-clients#example-oauth2-clients). 3. Verify the request: Use your browser’s network tab or logs to see the exact

redirect_uri

being sent in the request to Hydra, and ensure it matches one of the registered URIs. Note: - The error page also mentions that

urls.error

is not set in your Hydra config. While this does not cause the redirect URI error, you can set this to a user-friendly error page if desired. Summary: This is a strict matching requirement from the OAuth2/OIDC spec and enforced by Hydra. The

redirect_uri

in your request must exactly match one of the URIs registered for your client in Hydra, or you will see this error. For more details, see the official troubleshooting guide: [Resolve redirect URL mismatch errors](https://www.ory.sh/docs/getting-started/integrate-auth/auth-js#resolve-redirect-url-mismatch-errors).

The error message: > The OAuth 2.0 Client is not allowed to request scope 'profile'. means that your OAuth2 client in Hydra does not have the

profile

scope registered. To update the allowed scopes for your client, you need to update the client configuration in Hydra to include the

profile

scope. You can do this using the Hydra CLI:

sh hydra update oauth2-client <client-id> --scope openid --scope profile --scope email

This command replaces the client's scopes with the ones you specify. Make sure to include all scopes your application needs (for example,

openid

,

profile

,

email

, etc.) [Manage OAuth 2.0 and OpenID Connect clients](https://www.ory.sh/docs/hydra/guides/oauth2-clients#update-oauth2-client). Note: - The

--scope

flag can be used multiple times to add multiple scopes. - If you use the CLI to update the client, all previous scopes will be replaced by the ones you specify. You can also update the client using the Ory Console or the REST API if you prefer a UI or programmatic approach [Manage OAuth 2.0 and OpenID Connect clients](https://www.ory.sh/docs/hydra/guides/oauth2-clients#update-oauth2-client). After updating, retry your authentication flow and the error should be resolved.

Certainly! You can create a simple consent page in Next.js using Ory Elements. Ory Elements provides a

<Consent />

React component that you can use to render the consent flow for Ory OAuth2. Below is a minimal mockup for a consent page in a Next.js app, based on the official documentation:

tsx // app/consent/page.tsx  import { Consent } from "@ory/elements-react" import { getConsentRequest, submitConsent } from "../your-consent-api" // You need to implement these helpers  export default async function ConsentPage({ searchParams }) {   // Fetch the consent challenge from the query string   const consent_challenge = searchParams.consent_challenge    // Fetch consent request details from your backend or Ory SDK   const consentRequest = await getConsentRequest(consent_challenge)    // You should also fetch a CSRF token and session info as needed   const csrfToken = consentRequest.csrf_token   const session = consentRequest.session    // The URL to submit the consent form to   const formActionUrl = "/api/consent"    // Ory client configuration (replace with your config)   const config = {     basePath: process.env.ORY_SDK_URL,   }    return (     <Consent       config={config}       consentChallenge={consentRequest}       csrfToken={csrfToken}       formActionUrl={formActionUrl}       session={session}     />   ) }

Notes: - You need to implement the

getConsentRequest

and

submitConsent

helpers to interact with the Ory Network or your Hydra instance. - The

<Consent />

component from Ory Elements will render a default consent UI, which you can customize as needed. - Make sure to handle CSRF protection and session management as described in the Ory documentation. For more details on the

<Consent />

component and its props, see the [Ory Elements Consent reference](https://www.ory.sh/docs/elements/reference/@ory/elements-react/theme/functions/Consent). This approach allows you to build a consent screen in Next.js, replacing the simple Express app from the example with a modern React-based UI using Ory Elements.