To correctly handle a client OAuth2 login with your own UI using Ory, you need to implement the custom login and consent flow. Here’s a high-level overview of the steps, based on the official Ory documentation: 1. Configure Ory to Use Your Login UI Set the login and consent URLs in your Ory Network project configuration to point to your custom UI endpoints. For example:

yaml    oauth2:      urls:        login: <http://localhost:3000/login>        consent: <http://localhost:3000/consent>

Update your project configuration using the Ory CLI after editing the config file [Try out custom OAuth2 login and consent](https://www.ory.sh/docs/hydra/guides/custom-ui-oauth2#configure-ory-network). 2. OAuth2 Authorization Flow - The OAuth2 client initiates the flow by redirecting the user to the Ory

/oauth2/auth

endpoint. - If the user is not authenticated, Ory redirects the user to your configured login UI with a

login_challenge

parameter [User login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps). 3. Handle the Login Challenge in Your UI - Your login UI should extract the

login_challenge

from the query parameters. - Use the Ory SDK to fetch the login request details:

js      import { Configuration, OAuth2Api } from "@ory/client"      const ory = new OAuth2Api(new Configuration({ basePath: "https://{project-slug}.<http://projects.oryapis.com|projects.oryapis.com>", accessToken: process.env.ORY_API_KEY }))      const { data: loginRequest } = await ory.getOAuth2LoginRequest({ loginChallenge: challenge })

- If

loginRequest.skip

is true, you can immediately accept the login request without showing the UI. - Otherwise, render your login form [Login endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#login-endpoint-code-example). 4. Authenticate the User - When the user submits the login form, authenticate their credentials against your user database. - If authentication fails, show an error. If successful, accept the login request:

js      await ory.acceptOAuth2LoginRequest({        loginChallenge: challenge,        acceptOAuth2LoginRequest: {          subject: user.id,          remember: Boolean(request.body.remember),          remember_for: 3600,          context: {},        },      }).then(({ data }) => response.redirect(data.redirect_to))

- This will redirect the user back to Ory, which will then proceed to the consent step [Login endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#login-endpoint-code-example). 5. Handle Consent - Ory will redirect the user to your consent UI with a

consent_challenge

. - Repeat a similar process: fetch the consent request, show your UI, and accept or reject the consent as appropriate. Reference Implementation: Ory provides a [Node.js example app](https://github.com/ory/hydra-login-consent-node) that demonstrates this flow in detail. Summary: - Configure Ory to use your custom login and consent UIs. - Implement endpoints that handle the

login_challenge

and

consent_challenge

. - Use the Ory SDK to fetch, accept, or reject login and consent requests. - Authenticate users and handle redirects as specified by Ory. This approach gives you full control over the user experience while ensuring secure OAuth2 flows with Ory as the backend [User login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps).

Yes, your understanding is correct for Ory Network (Ory Cloud): When handling an OAuth2 login with your own UI, you typically need to start a self-service login or registration flow (using Ory Identities/Kratos) to authenticate or register the user. Once the user has successfully completed the login or registration flow, you then call

acceptOAuth2LoginRequest

to inform Ory OAuth2 (Hydra) that the user is authenticated and to continue the OAuth2 flow. Here’s how the process works, based on Ory Network documentation: 1. User is redirected to your login UI with a

login_challenge

Ory OAuth2 sends the user to your login UI with a

login_challenge

parameter in the URL. 2. Start a self-service login or registration flow - If the user already has an account, start a [self-service login flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow). - If the user needs to register, start a [self-service registration flow](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json) (using the

/self-service/registration/browser

endpoint and passing the

login_challenge

as a query parameter). 3. User completes the flow - The user submits their credentials (login) or registration data. - On success, you have an authenticated user session. 4. Call

acceptOAuth2LoginRequest

- After successful authentication or registration, use the Ory SDK or API to call

acceptOAuth2LoginRequest

, passing the original

login_challenge

and the user’s subject (user ID). - This step tells Ory OAuth2 that the user is authenticated and allows the OAuth2 flow to continue (e.g., to the consent screen or directly to the client, depending on your setup). Key points from the knowledge sources: - The login UI is responsible for authenticating the user, typically by starting a self-service login or registration flow. - After authentication, you must call

acceptOAuth2LoginRequest

to complete the OAuth2 login step and redirect the user back to Ory OAuth2, which will then proceed with the consent step or finalize the flow [User login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#login-endpoint-code-example). - When starting the registration flow, you can pass the

login_challenge

as a query parameter so the flow is properly linked to the OAuth2 process [

createBrowserRegistrationFlow

](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json). Summary: - Start the appropriate self-service flow (login or registration) in your UI. - On successful completion, call

acceptOAuth2LoginRequest

with the

login_challenge

and user info. - This is the correct approach for Ory Network/Cloud custom UIs in OAuth2 scenarios. If you need a code example or more details on the API calls, let me know!

The

login_challenge

parameter in the API for creating a browser registration flow is used to link the registration process to an ongoing OAuth2/OpenID Connect login flow. When your application receives a request to register a new user as part of an OAuth2 flow (for example, when a user tries to log in to a client app via "Sign up" during an OAuth2 login), the

login_challenge

value is included in the URL as a query parameter (e.g.,

/registration?login_challenge=abcde

). By passing this

login_challenge

to the registration flow, Ory can keep track of the OAuth2 login process and ensure that, after registration, the user is properly returned to the OAuth2 flow (e.g., to the consent screen or back to the client app). Important note: The documentation states: > This feature is compatible with Ory Hydra when not running on the Ory Network. This means that the

login_challenge

parameter is specifically supported for self-hosted Ory Hydra setups. On Ory Network (Ory Cloud), the OAuth2 integration is managed differently, and you typically do not need to handle the

login_challenge

parameter manually in the registration flow. The Ory Network manages the OAuth2/OpenID Connect flow internally, so this parameter is relevant mainly for self-hosted environments using Ory Hydra and Kratos together. Source: [Ory API Reference – createBrowserRegistrationFlow](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)

On Ory Network (Ory Cloud), the handling of OAuth2 login and registration flows is streamlined and managed internally by the platform. When a user initiates an OAuth2 login and needs to register, the Ory Network automatically links the registration and subsequent verification flows to the original OAuth2 process. This means you do not need to manually pass or handle the

login_challenge

parameter in your registration flow as you would in a self-hosted Ory Hydra setup. Instead, Ory Network ensures that after registration (and any required verification), the user is returned to the correct step in the OAuth2 flow (such as consent or redirect to the client), maintaining a seamless experience. This is achieved through internal mechanisms and settings like "Always Return to OAuth2 provider," which is enabled by default for new projects. This setting ensures that users are always redirected back to the OAuth2 provider within an OAuth2 login flow, overriding the

return_to

parameter if necessary. You can manage this behavior in the Ory Console under OAuth 2 → Identity integration settings by enabling "Override Return To" [Overview: Identity Provider Integration Settings](https://www.ory.sh/docs/oauth2-oidc/identity-provider-integration-settings#overview). In summary, on Ory Network, you do not need to handle the

login_challenge

parameter yourself—the platform manages the flow chaining and redirection for you. If you want to customize the behavior, you can use the provided settings in the Ory Console.

When an OAuth 2.0 client initiates an authorization request to Ory Network, the following happens: - The client redirects the user to the Ory Network

/oauth2/auth

endpoint with the required parameters (such as

client_id

,

redirect_uri

, etc.). - If the user is not authenticated, Ory Network redirects the user to the login UI, appending a

flow

ID as a query parameter (e.g.,

/login?flow=<flow_id>

). This flow ID is used to track the login process and is required for the UI to fetch the flow details and render the appropriate form. This is the same mechanism used for both login and registration flows in Ory Network [Initialize login flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow), [Browser flows for server-side apps](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-server-side-apps-nodejs-php-java-). For registration: - If the user chooses to register instead of logging in, your UI should start a registration flow by calling the

/self-service/registration/browser

endpoint. - Ory Network will then redirect the user to the registration UI, again appending a

flow

ID as a query parameter (e.g.,

/registration?flow=<flow_id>

). - The registration flow is tracked using this flow ID, and after successful registration (and any required verification), Ory Network will automatically continue the OAuth2 flow, returning the user to the appropriate next step (such as consent or redirecting back to the client) [Initialize registration flow](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#initialize-registration-flow), [SPA flows do not continue with OAuth flow after registration](https://github.com/ory/network/issues/352). Key points: - You do not need to manually handle or pass a

login_challenge

parameter in Ory Network; the platform manages the flow chaining internally. - The

flow

ID is used to track both login and registration flows. - After registration, Ory Network ensures the user is returned to the correct step in the OAuth2 process. This approach provides a seamless experience for both login and registration during OAuth2 flows on Ory Network.

Certainly! Here’s how registration is handled on Ory Network when an OAuth 2.0 client initiates an authorization flow, based on the available knowledge sources: --- ### 1. OAuth2 Client Initiates Authorization The OAuth2 client redirects the user to the Ory Network

/oauth2/auth

endpoint with the required parameters (such as

client_id

,

redirect_uri

, etc.) [User login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps). --- ### 2. Ory Network Redirects to Login UI If the user is not authenticated, Ory Network redirects the user to the configured login UI, appending a

flow

ID as a query parameter (e.g.,

/login?flow=<flow_id>

). This

flow

ID is used by your UI to fetch the login flow details and render the login form [Initialize login flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow). --- ### 3. User Chooses Registration If the user does not have an account and chooses to register, your UI should start a registration flow by calling the

/self-service/registration/browser

endpoint. Ory Network will redirect the user to the registration UI, again with a

flow

ID (e.g.,

/registration?flow=<flow_id>

) [Create registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-registration-flow). --- ### 4. User Completes Registration The user completes the registration form. Ory Network tracks the registration flow using the

flow

ID. After successful registration (and any required verification), Ory Network automatically continues the OAuth2 flow, returning the user to the next step (such as consent or redirecting back to the client) [SPA flows do not continue with OAuth flow after registration](https://github.com/ory/network/issues/352). --- ### 5. No Manual Handling of

login_challenge

On Ory Network, you do not need to manually handle or pass a

login_challenge

parameter during registration. The platform manages the flow chaining and redirection internally, ensuring the user is returned to the correct step in the OAuth2 process [SPA flows do not continue with OAuth flow after registration](https://github.com/ory/network/issues/352). --- Summary: - The OAuth2 client starts the flow. - Ory Network redirects to login; user can switch to registration. - Registration is tracked with a

flow

ID. - After registration, Ory Network continues the OAuth2 flow automatically. If you need a code example for the registration flow endpoint, see the [official documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-registration-flow). If you need more technical details or a specific code snippet, let me know!

On Ory Network, you do not need to manually handle the

acceptOAuth2LoginRequest

if you are using the default Ory Account Experience (the built-in UI and flows). Ory Network manages the OAuth2 login and registration flow chaining internally, including accepting the login request and redirecting the user to the next step in the OAuth2 process automatically. However, if you are building your own custom UI and handling the login flow yourself, you are responsible for calling

acceptOAuth2LoginRequest

after the user has successfully authenticated. This is necessary to inform Ory that the user has logged in and to continue the OAuth2 flow (e.g., to the consent screen or redirecting back to the client) [Login endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#login-endpoint-code-example). Summary: - Default Ory Account Experience: Ory Network handles

acceptOAuth2LoginRequest

for you. - Custom UI: You must call

acceptOAuth2LoginRequest

yourself after successful authentication. If you are using a custom UI, refer to the [official guide and code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#login-endpoint-code-example) for how to implement this step.