The difference in behavior between the OIDC and password registration flows when submitting the same registration flow twice is due to how Ory handles identity creation and error reporting for each method.

### OIDC Registration Flow

When you complete the OIDC registration flow, if the user has already signed up with the given provider before, Ory simply logs the user in and does not create a new identity. This means that if you submit the same OIDC registration flow twice, both calls will succeed and return the same user identity, as Ory recognizes the user by their unique identifier from the OIDC provider and does not attempt to create a duplicate account. This is by design to support seamless social sign-in experiences and avoid duplicate accounts for the same external identity provider account: [Registration with Google, Facebook, GitHub, ..., OpenID Connect / OAuth 2.0](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-with-google-facebook-github--openid-connect--oauth-20-1).

### Password Registration Flow

For the password registration flow, Ory enforces uniqueness on the identifier (such as email or username). If you try to submit the same registration flow twice, the first submission will create the account, but the second submission will fail with an error like:

> "An account with the same identifier (email, phone, username, ...) exists already."
> (error code 4000007)

See [UI message codes](https://www.ory.sh/docs/kratos/concepts/ui-messages#an-account-with-the-same-identifier-email-phone-username--exists-already-4000007). This prevents duplicate accounts with the same identifier.

### Why the Difference?

- OIDC: The flow is idempotent for the same external identity; Ory checks if the user already exists and logs them in.
- Password: The flow is not idempotent; Ory tries to create a new user each time, but fails if the identifier is already taken.

### How to Fix or Align the Behavior

This is expected behavior and aligns with best practices for identity management. If you want to ensure consistent error handling for OIDC as well (for example, to return an error if the account already exists), note that Ory is updating its behavior:

- Starting April 2025, Ory Network will return a `400 Bad Request` (instead of `200 OK`) when a user signs up with Social Sign-In for an account that already exists. The error message will clearly state that the email is already used by another account and prompt the user to sign in instead: [Account linking response code change](https://www.ory.sh/docs/troubleshooting/account-linking-response-code).

Action:

- Make sure your application can handle a `400 Bad Request` response for OIDC registration attempts with existing accounts, as this will be the new standard behavior.
- For password registration, the current error handling is already correct and secure. If you need to customize the user experience further (e.g., to prevent account enumeration or to unify error messages), you may need to bring your own UI or handle the responses in your application logic: [Configurable Account Enumeration protection in Account Experience](https://github.com/ory/network/issues/229).

---

Summary:

- OIDC registration is idempotent and logs in the user if they already exist.
- Password registration enforces uniqueness and errors on duplicate identifiers.
- Ory is moving towards consistent error responses for OIDC as well, so update your application to handle `400 Bad Request` for duplicate OIDC sign-ups.
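As an added illustration of the "Action" items above (this is example code written here, not Ory's own client code or SDK), the snippet below classifies the response to a registration-flow submission into one of a few outcomes and derives a neutral user-facing message from it. It assumes the Kratos response shape where a `400` carries the registration flow back with `ui.messages` and per-node `ui.nodes[].messages`, each message having a numeric `id` (the `4000007` code comes from the answer above; the response bodies here are constructed samples). The neutral message avoids telling the caller whether an identifier is already registered, which is the enumeration concern the answer mentions.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# UI message id quoted in the answer above: "An account with the same
# identifier (email, phone, username, ...) exists already."
DUPLICATE_IDENTIFIER_CODE = 4000007


@dataclass
class RegistrationOutcome:
    status: str                        # "registered", "duplicate" or "other_error"
    identity_id: Optional[str] = None  # set only on a successful registration
    message_ids: Tuple[int, ...] = ()  # UI message ids found in a 400 response


def collect_message_ids(flow: dict) -> Tuple[int, ...]:
    """Gather message ids from flow-level and node-level UI messages.

    Assumed shape (Kratos-style): flow["ui"]["messages"][*]["id"] and
    flow["ui"]["nodes"][*]["messages"][*]["id"].
    """
    ui = flow.get("ui", {})
    ids = [m.get("id") for m in ui.get("messages", [])]
    for node in ui.get("nodes", []):
        ids.extend(m.get("id") for m in node.get("messages", []))
    return tuple(i for i in ids if isinstance(i, int))


def classify_registration_response(status_code: int, body: dict) -> RegistrationOutcome:
    """Map an HTTP status + parsed JSON body to an application-level outcome.

    200 -> account created (or, for OIDC today, existing user logged in);
    400 -> the flow came back with errors; 4000007 marks a duplicate identifier.
    Any other status is treated as an unexpected error.
    """
    if status_code == 200:
        # Assumption: a successful registration body carries an "identity" object.
        identity = body.get("identity") or {}
        return RegistrationOutcome("registered", identity_id=identity.get("id"))
    if status_code == 400:
        ids = collect_message_ids(body)
        if DUPLICATE_IDENTIFIER_CODE in ids:
            return RegistrationOutcome("duplicate", message_ids=ids)
        return RegistrationOutcome("other_error", message_ids=ids)
    return RegistrationOutcome("other_error")


def user_facing_message(outcome: RegistrationOutcome) -> str:
    """Return text safe to show the end user.

    "duplicate" and "other_error" deliberately share one neutral message so the
    sign-up form does not reveal whether an identifier is already registered.
    """
    if outcome.status == "registered":
        return "Your account is ready."
    return "We could not complete sign-up with these details. Try signing in instead."


# Constructed sample responses (not captured from a real Ory deployment).
SAMPLE_SUCCESS_BODY = json.loads("""
{"identity": {"id": "00000000-0000-0000-0000-000000000001",
              "traits": {"email": "user@example.com"}}}
""")

SAMPLE_DUPLICATE_BODY = json.loads("""
{"id": "flow-id-placeholder",
 "ui": {"messages": [],
        "nodes": [{"attributes": {"name": "traits.email"},
                   "messages": [{"id": 4000007, "type": "error",
                                 "text": "An account with the same identifier (email, phone, username, ...) exists already."}]}]}}
""")

if __name__ == "__main__":
    for code, body in ((200, SAMPLE_SUCCESS_BODY), (400, SAMPLE_DUPLICATE_BODY)):
        outcome = classify_registration_response(code, body)
        print(code, outcome.status, user_facing_message(outcome))
```

Wire the classifier in right after the HTTP call that submits the registration flow (the request itself is unchanged); once the April 2025 change lands, a duplicate social sign-up surfaces through the same `400` branch instead of the `200` branch, so the application logic stays the same for both methods.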