Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi, we have an application where we login with an Ory browser login flow via a custom login UI. The user then has a valid session cookie. We then want the user to be able to access a salesforce site using the same Ory project for SSO. We have created an OAuth client that Salesforce is using.

This works, the salesforce app redirects the user to the ory account experience and they are able to login. But the user is still being prompted to enter their password again even when they have a valid session. All of the sites involved are on the same domain and I can see a session cookie for that domain

Shouldn't the account experience login UI see the session cookie and then skip the login?

Is it because the OAuth login flow is requesting scopes that weren't requested in the browser login flow?