https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> we have custom login site and we us...
# ory-copilot
g
@chilly-king-10285 we have custom login site and we use self hosted ory hydra an kratos. How to implement the signin with google in this setup ?
c
A message from kapa.ai
To implement "Sign in with Google" in your custom login site using self-hosted Ory Kratos and Hydra, follow these steps: ### 1. Configure Google OAuth - Go to the [Google Cloud Console](https://console.developers.google.com/). - Create a new OAuth 2.0 client ID under APIs & Services > Credentials. - Set the Authorized redirect URI to:
Copy code
http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/google
Replace 
<domain-of-ory-kratos>
and 
<public-port>
with your actual Kratos public endpoint and port. - Save the Client ID and Client Secret for later use. ### 2. Configure Ory Kratos for Google OIDC Edit your Kratos configuration (e.g., 
kratos.yml
) to add Google as an OIDC provider:
Copy code
yaml selfservice:   methods:     oidc:       config:         providers:           - id: google             provider: google             client_id: <GOOGLE_CLIENT_ID>             client_secret: <GOOGLE_CLIENT_SECRET>             issuer_url: <https://accounts.google.com>             mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"             scope:               - openid               - email               - profile       enabled: true
- The 
mapper_url
is a [Jsonnet](https://www.ory.sh/docs/kratos/social-signin/data-mapping) snippet (Base64-encoded) that maps Google claims to your identity schema. See the [data mapping example](https://www.ory.sh/docs/kratos/social-signin/google#data-mapping) for details. Example Jsonnet mapping:
Copy code
jsonnet local claims = { email_verified: false, } + std.extVar('claims'); {   identity: {     traits: {       [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,       first_name: claims.given_name,       last_name: claims.family_name,       [if 'hd' in claims && claims.email_verified then 'hd' else null]: claims.hd,     },   }, }
Encode this with Base64 and use it in `mapper_url`<br> [More on data mapping](https://www.ory.sh/docs/kratos/social-signin/google#data-mapping). ### 3. (Optional) Add the Session Hook To ensure users are logged in immediately after registration, add the session hook:
Copy code
yaml selfservice:   flows:     registration:       after:         oidc:           hooks:             - hook: session
[See details](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc) ### 4. Update Your Custom Login UI - When rendering the login form, fetch the login flow from Kratos. - For each OIDC provider (e.g., Google), render a button that submits a POST request to the Kratos login flow endpoint with the provider value set to 
google
. Example HTML:
Copy code
html <form action="http://<kratos-public>/self-service/login?flow=<flow-id>" method="POST">   <input type="submit" name="provider" value="google" /> </form>
[See UI integration details](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login) ### 5. Test the Flow - When a user clicks "Sign in with Google," they are redirected to Google for authentication. - After successful authentication, Google redirects back to Kratos, which then creates or logs in the user and issues a session. --- Note: Ory Hydra is not directly involved in the social login flow with Kratos, unless you are using OAuth2 flows for your own APIs. Kratos handles the user authentication and session management, while Hydra is used for OAuth2 authorization for your APIs. For more details, see: - [Self-hosted OIDC configuration](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc) - [Google social sign-in setup](https://www.ory.sh/docs/kratos/social-signin/google) - [Custom UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login)
g
@chilly-king-10285 after successful sign in with google where does it redirect the request ?
c
A message from kapa.ai
After a successful sign-in with Google (using OIDC) in a self-hosted Ory Kratos setup, the redirection behavior depends on your configuration: - If you have set a 
return_to
parameter when initializing the login flow, and the URL is whitelisted in your Kratos config, the user will be redirected to that URL after successful login. - If no 
return_to
is set, Kratos will use the configured redirect URLs in your 
kratos.yml
file. The order of precedence is: 1. 
selfservice.flows.login.after.oidc.default_browser_return_url
(for OIDC logins) 2. 
selfservice.flows.login.after.default_browser_return_url
3. 
selfservice.default_browser_return_url
For example:
Copy code
yaml selfservice:   default_browser_return_url: <https://always-end-up-here-per-default/>   flows:     login:       after:         default_browser_return_url: <https://end-up-here-after-login/>         oidc:           default_browser_return_url: <https://end-up-here-after-login-with-oidc/>
If you set 
oidc.default_browser_return_url
, the user will be redirected there after a successful Google sign-in. If not, the next available configured URL is used. If none are set, the default is used. If you use the 
return_to
parameter, it takes precedence but must be whitelisted in 
selfservice.allowed_return_urls
 [Redirection configuration](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection) [Redirect flows](https://www.ory.sh/docs/concepts/redirects#redirect-flows). Summary: After successful Google sign-in, the user is redirected to the URL specified by your Ory Kratos configuration or the 
return_to
parameter, following the precedence described above.
g
@chilly-king-10285 how to set return_to when initiating login flow ?
c
A message from kapa.ai
To set the 
return_to
parameter when initiating a login flow with Ory Kratos, you include it as a query parameter in the URL you use to start the login flow. For example:
Copy code
https://<kratos-public-endpoint>/self-service/login/browser?return_to=<https://your-app.com/dashboard>
This tells Kratos to redirect the user to 
<https://your-app.com/dashboard>
after a successful login, provided that this URL is allow-listed in your Kratos configuration. If the URL is not allow-listed, the request will fail for security reasons [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects#redirect-flows) [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection). Example with curl:
Copy code
sh curl -X GET 'https://<kratos-public-endpoint>/self-service/login/browser?return_to=<https://your-app.com/dashboard>'
Note: Make sure to add your desired return URLs to the 
selfservice.allowed_return_urls
in your Kratos config to prevent open redirect attacks. For more details, see the [Ory documentation on redirects](https://www.ory.sh/docs/concepts/redirects#redirect-flows).
g
@chilly-king-10285 will kratos redirect to this return_to value after the google login completes ?
c
A message from kapa.ai
Yes, if you set the 
return_to
parameter when initiating the login flow, and the URL is included in the 
selfservice.allowed_return_urls
whitelist in your Kratos configuration, Ory Kratos will redirect the user to the specified 
return_to
URL after a successful Google login (OIDC flow). This is the documented and intended behavior for browser-based flows [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection) [Advanced integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration). If the 
return_to
parameter is not set or the URL is not whitelisted, Kratos will use the default redirect URLs configured in your 
kratos.yml
file. > It's also possible to redirect someone back to the original URL. ... To achieve that, you append 
?return_to=<https://www.myapp.com/blog/write>
when initializing the Login / Registration /Settings flow. ... you need to whitelist the domain in your Ory Identities config when using the 
?return_to=
query parameter. > — [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection) So, after a successful Google login, Kratos will redirect to the 
return_to
value if it is properly set and allowed.
g
@chilly-king-10285 if this sign-in with google process starts with invoking the hydra /oauth2/auth api, how the end to flow works
c
A message from kapa.ai
When the sign-in with Google process starts by invoking the Hydra 
/oauth2/auth
API, the flow works as follows: 1. User is redirected to Hydra's 
/oauth2/auth
endpoint The OAuth2 client (your app) initiates the flow by redirecting the user to Hydra's 
/oauth2/auth
endpoint with the appropriate parameters (e.g., 
client_id
, 
redirect_uri
, 
scope
, etc.). 2. Hydra checks for an authenticated session If the user is not already authenticated, Hydra redirects the user to the login provider (in this case, your custom login UI backed by Kratos) with a 
login_challenge
parameter in the URL [Custom login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps). 3. Your login UI (using Kratos) presents login options The login UI fetches the login flow from Kratos and presents options, including "Sign in with Google." - If the user chooses Google, the Kratos OIDC flow is started. 4. User authenticates with Google The user is redirected to Google, authenticates, and is redirected back to Kratos. 5. Kratos completes the login flow After successful authentication, Kratos creates a session for the user. 6. Kratos notifies Hydra of the successful login Your login UI (or backend) must accept the Hydra login request by calling Hydra's 
/admin/oauth2/auth/requests/login/accept
endpoint, passing the 
login_challenge
and the authenticated user's subject (ID). Hydra responds with a redirect URL [Hydra API reference](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json). 7. User is redirected back to Hydra The user is redirected to the URL provided by Hydra, which continues the OAuth2 flow (typically to the consent screen). 8. Consent flow (if required) If consent is required, the user is shown a consent screen. After consent, the flow continues and the user is finally redirected to the original 
redirect_uri
of the OAuth2 client, completing the sign-in process. Key Points: - The 
return_to
parameter in Kratos is not the final app URL, but should point back to the next step in the OAuth2 flow (usually the consent screen or the 
/oauth2/auth
endpoint), not directly to the client app [Github issue discussion](https://github.com/ory/network/issues/264). - The flow must ensure that after Google login, the user is returned to Hydra to complete the OAuth2 process, not directly to the application. Summary: The end-to-end flow is: OAuth2 client → Hydra 
/oauth2/auth
→ Kratos login UI (with Google) → Google → Kratos → Accept Hydra login request → Hydra (consent) → OAuth2 client redirect. If the user is redirected directly to the client app after Google login (bypassing Hydra), the OAuth2 flow will not complete correctly. The correct approach is to return the user to Hydra after authentication so the flow can continue as designed [Custom login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps) [Github issue discussion](https://github.com/ory/network/issues/264).
g
@chilly-king-10285 on the "4. User authenticates with Google" step, should the front-end directly call the google ?
c
A message from kapa.ai
No, the front-end should not call Google directly. Instead, the front-end should initiate the OIDC login flow with Ory Kratos, which then handles the redirection to Google as the OIDC provider. Here’s how it works according to the Ory documentation: - The user clicks "Sign in with Google" on your custom login UI. - Your front-end submits the login flow to Ory Kratos, specifying the 
provider
as 
google
. - Ory Kratos then redirects the user to Google for authentication. - After the user authenticates with Google, Google redirects the user back to Ory Kratos, which completes the login flow and creates a session. This ensures that the OIDC flow is managed securely and that Kratos can handle session creation, data mapping, and any hooks you have configured. The front-end should only interact with Kratos, not with Google directly [Social sign-in flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-with-google-facebook-github--openid-connect--oauth-20) [Custom UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login) [Self-hosted OIDC configuration](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc). Summary: The front-end should initiate the login with Kratos, and Kratos will handle the redirection to Google—not the front-end itself.
g
@chilly-king-10285 whats the url front-end invoke when user clicks the "Sign in with Google" button
c
A message from kapa.ai
When the user clicks the "Sign in with Google" button, the front-end should submit a POST request to the Ory Kratos login flow endpoint, using the 
action
and 
method
provided in the login flow data. The request should include the 
provider
field set to 
google
. The URL to invoke is:
Copy code
https://<kratos-public-endpoint>/self-service/login?flow=<flow-id>
- 
<kratos-public-endpoint>
is your Kratos public API endpoint. - 
<flow-id>
is the ID of the current login flow, which you obtain when initializing the login flow. Example HTML form:
Copy code
html <form action="https://<kratos-public-endpoint>/self-service/login?flow=<flow-id>" method="POST">   <input type="submit" name="provider" value="google" /> </form>
This will trigger Kratos to handle the OIDC login with Google and redirect the user accordingly [Custom UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login) [Login flow payloads](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-with-google-facebook-github--openid-connect--oauth-20).
g
@chilly-king-10285 whats the kratos api front-end should invoke to get the login flow id initially and whats response looks like of that api ?
c
A message from kapa.ai
To get the login flow ID initially, the front-end should invoke the following Ory Kratos API endpoint:
Copy code
GET /self-service/login/browser
This endpoint initializes a browser-based login flow and returns a flow object containing the flow ID and other relevant information. You can call it directly in the browser or via AJAX (with 
Accept: application/json
for a JSON response). Example request:
Copy code
sh curl -X GET \   -H "Accept: application/json" \   https://<kratos-public-endpoint>/self-service/login/browser
Example response:
Copy code
json {   "id": "ff0c97c4-a7bb-49a5-a8a6-ebf174877fa5",   "type": "browser",   "expires_at": "2021-07-09T11:25:12.136099226Z",   "issued_at": "2021-07-09T10:25:12.136099226Z",   "request_url": "<http://playground.projects.oryapis.com/self-service/login/browser>",   "ui": {     "action": "<https://playground.projects.oryapis.com/self-service/login?flow=ff0c97c4-a7bb-49a5-a8a6-ebf174877fa5>",     "method": "POST",     "nodes": [ /* ... */ ]   },   "created_at": "2021-07-09T10:25:12.137554Z",   "updated_at": "2021-07-09T10:25:12.137554Z",   "forced": false }
The 
id
field in the response is the login flow ID you need for subsequent login submissions [Login for client-side (AJAX) browser clients](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-for-client-side-ajax-browser-clients) [API reference](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json). Note: - For native/mobile apps, use 
/self-service/login/api
instead. - The 
ui.action
field provides the URL for submitting the login form, including the flow ID as a query parameter.
g
@chilly-king-10285 how the front-end decide what are the supported social login providers? which api returns that from kratos ?
c
A message from kapa.ai
The front-end can determine the supported social login providers by inspecting the login flow payload returned from Ory Kratos when initiating a login flow. Specifically, the response includes a list of UI nodes under the 
ui.nodes
field. Each node with the group 
"oidc"
represents a configured social login provider (such as Google, GitHub, etc.). For example, after calling the login flow initialization endpoint (
/self-service/login/browser
), the response might include:
Copy code
json "ui": {   "action": "<http://127.0.0.1:4455/self-service/login?flow=<flow-id>>",   "method": "POST",   "nodes": [     {       "type": "input",       "group": "oidc",       "attributes": {         "name": "provider",         "type": "submit",         "value": "github",         "disabled": false       },       "meta": {         "label": {           "text": "Sign in with github"         }       }     },     {       "type": "input",       "group": "oidc",       "attributes": {         "name": "provider",         "type": "submit",         "value": "google",         "disabled": false       },       "meta": {         "label": {           "text": "Sign in with google"         }       }     }   ] }
The front-end should look for nodes where 
group
is 
"oidc"
and use the 
value
and 
label
fields to display the available social login options to the user. This approach is documented in the Ory Kratos login flow payloads and custom UI integration guides [Login flow payloads](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-with-google-facebook-github--openid-connect--oauth-20) [Custom UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration). There is no separate API to list providers; the information is always included in the login (or registration) flow response.
g
@chilly-king-10285 whats the recommended way to preserve hydra login challenge we received at very beginning, until social login completes and kratos returns success to the front-end
c
A message from kapa.ai
The recommended way to preserve the Hydra 
login_challenge
throughout the social login process is to pass it along as a query parameter in your application's URLs and forms during the entire authentication flow. This ensures that after the social login (e.g., with Google) completes and Kratos returns success, your front-end or backend can use the original 
login_challenge
to accept the login request with Hydra and continue the OAuth2 flow. This approach is discussed in Ory community discussions and issues, where it is noted that the 
login_challenge
should be kept in the flow and used to retrieve or accept the OAuth2 login request after authentication is complete. For example, when the login UI is first loaded (after Hydra redirects to your login page with 
?login_challenge=...
), you should store this value—commonly by including it as a hidden field in your forms or as a query parameter in your redirect URLs. This way, after the social login completes, you can use the preserved 
login_challenge
to call Hydra's 
/admin/oauth2/auth/requests/login/accept
endpoint and finish the flow [Custom login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps) [Github issue discussion](https://github.com/ory/kratos/issues/4024). Key points: - Do not store the 
login_challenge
in cookies or local storage, as this can introduce security issues and is not recommended by Ory. - Always pass the 
login_challenge
explicitly through your application's URLs, forms, or state management as the user moves through the login and social login process. This method ensures the 
login_challenge
is available when you need to notify Hydra of a successful login, as required by the OAuth2 flow.
g
@chilly-king-10285 after user successfully login in to google and redirect back to kratos. does the kratos create user in kratos db ?
c
A message from kapa.ai
Yes, after the user successfully logs in to Google and is redirected back to Ory Kratos, Kratos will create a new user (identity) in its database if this is the user's first time signing in with that Google account. The profile data received from Google is used to create the Ory identity according to your configured identity schema and data mapping. If the user has already signed up with that Google account before, Kratos will not create a new identity but will log the user into their existing account instead [Registration with Google, Facebook, GitHub, ..., OpenID Connect / OAuth 2.0](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-with-google-facebook-github--openid-connect--oauth-20-1) [Social sign-in overview](https://www.ory.sh/docs/kratos/social-signin/overview). > If the user has already sign up with the given provider before, the user will simply be logged in and no new Ory Identities Identity will be created. > ...users give Ory access to the profile data of their account created in an external identity provider. This data is used to create an Ory identity and a user account in your application. So, Kratos creates a user in its database on the first successful Google login, and reuses the existing identity for subsequent logins with the same Google account.
g
@chilly-king-10285 after successfully login in to google and creation of user in kratos, how does kratos decide which url to redirect ?
c
A message from kapa.ai
After a user successfully logs in with Google and an identity is created in Kratos, the URL to which Kratos redirects the user is determined by the following precedence in the Kratos configuration: 1. 
return_to
Query Parameter: If the login flow was initiated with a 
return_to
parameter (and the URL is whitelisted in 
selfservice.allowed_return_urls
), Kratos will redirect the user to this URL after successful login. 2. OIDC-Specific Redirect URL: If no 
return_to
is set, Kratos checks for an OIDC-specific redirect URL in the configuration:
Copy code
yaml    selfservice:      flows:        login:          after:            oidc:              default_browser_return_url: <https://end-up-here-after-login-with-oidc/>
This URL is used for successful OIDC (e.g., Google) logins. 3. General Login Redirect URL: If the OIDC-specific URL is not set, Kratos uses the general login redirect:
Copy code
yaml    selfservice:      flows:        login:          after:            default_browser_return_url: <https://end-up-here-after-login/>
4. Global Default Redirect URL: If neither of the above are set, Kratos falls back to the global default:
Copy code
yaml    selfservice:      default_browser_return_url: <https://always-end-up-here-per-default/>
This precedence is documented in the Ory Kratos documentation: > Post-login redirection considers the following configuration keys: > - 
selfservice.flows.login.after.oidc.default_browser_return_url
> - 
selfservice.flows.login.after.default_browser_return_url
> - 
selfservice.default_browser_return_url
> If you append 
?return_to=...
when initializing the Login flow, and the URL is whitelisted, it takes precedence over the config values > [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection) So, Kratos decides the redirect URL after Google login based on the 
return_to
parameter (if present and allowed), otherwise it uses the OIDC-specific, general login, or global default redirect URL in that order.
g
@chilly-king-10285 can we specify our backend api endpoint to kratos to redirect ?
c
A message from kapa.ai
You can specify your backend API endpoint as the 
return_to
parameter or as a redirect URL in the Kratos configuration, but there are important considerations: - Kratos is designed to redirect to browser-accessible URLs (i.e., web pages), not to API endpoints that expect non-browser clients. The redirect is performed as an HTTP 303 (See Other) or similar, which is intended for browsers to follow. If you specify an API endpoint, the browser will be redirected there, and unless your API endpoint is prepared to handle browser requests (including cookies, CSRF, etc.), this may not work as intended [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection). - Security: The 
return_to
URL must be whitelisted in your Kratos configuration under 
selfservice.allowed_return_urls
to prevent open redirect attacks. If your backend API endpoint is not whitelisted, Kratos will reject the redirect [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection). - Intended Use: The typical use case is to redirect to a frontend route (e.g., a dashboard or home page), not a backend API. If you need to pass information to your backend after login, consider redirecting to a frontend page that then communicates with your backend API as needed. Summary: Technically, you can set your backend API endpoint as a redirect target if it is whitelisted, but this is not the recommended or typical pattern for Ory Kratos, and may not work as expected for browser-based flows [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection).
g
@chilly-king-10285 during this whole redirection how do we make sure login_challenge values preserve and front-end get it back once the above redirection done to the front-end ?
c
A message from kapa.ai
To ensure the 
login_challenge
value is preserved throughout the OAuth2/OIDC flow (Hydra + Kratos + social login) and is available to the front-end after redirection, you should explicitly pass the 
login_challenge
as a query parameter in all relevant URLs and forms during the authentication process. How to preserve and retrieve `login_challenge`: 1. Initial Redirect from Hydra: When Hydra redirects the user to your login UI, it appends the 
login_challenge
as a query parameter (e.g., 
/login?login_challenge=...
). Your front-end should extract and store this value (e.g., in the URL, in a hidden form field, or in application state). 2. Pass Along During Social Login: When the user chooses "Sign in with Google," ensure that any redirects or form submissions to Kratos (and subsequently to Google) include the 
login_challenge
as a query parameter or hidden field. This way, after the social login completes and the user is redirected back to your app, the 
login_challenge
is still available. 3. After Kratos Login Completion: Once Kratos completes the login (after Google authentication), it will redirect the user to the URL specified by the 
return_to
parameter or your configured redirect. To ensure the front-end receives the 
login_challenge
, include it in the 
return_to
URL when initiating the login flow. For example:
Copy code
/self-service/login/browser?return_to=<https://your-frontend.com/oauth/callback?login_challenge=>...
This way, after all redirections, the front-end receives the 
login_challenge
as a query parameter and can use it to continue the OAuth2 flow with Hydra. Key points from the knowledge sources: - The recommended way is to pass the 
login_challenge
explicitly through URLs and forms, not via cookies or local storage, to avoid security issues and ensure it is always available when needed [Github issue discussion](https://github.com/ory/kratos/issues/4024). - This approach is necessary so that, after social login, your front-end can use the preserved 
login_challenge
to call Hydra's 
/admin/oauth2/auth/requests/login/accept
endpoint and complete the OAuth2 flow [Custom login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps). Summary: Always propagate the 
login_challenge
as a query parameter in your application's URLs and forms throughout the flow. When you set the 
return_to
parameter for Kratos, include the 
login_challenge
in its value so that, after all redirections, your front-end receives it and can continue the OAuth2 process with Hydra.
g
@chilly-king-10285 instead of social login, if the user login via phone number and OTP. what should be flow ?
c
A message from kapa.ai
If the user logs in via phone number and OTP (one-time code), the flow with Ory Kratos and Hydra is similar to the social login flow, but uses the passwordless code method instead of OIDC. Here’s how the flow works based on the knowledge sources: 1. User is redirected to Hydra’s 
/oauth2/auth
endpoint The OAuth2 client (your app) starts the flow by redirecting the user to Hydra’s 
/oauth2/auth
endpoint. 2. Hydra checks for authentication and redirects to your login UI If the user is not authenticated, Hydra redirects to your login UI with a 
login_challenge
parameter. 3. Your login UI starts a Kratos login flow The front-end calls Kratos’ 
/self-service/login/browser?login_challenge=...
endpoint to initialize the login flow, passing along the 
login_challenge
as a query parameter [Custom login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps). 4. User enters phone number The UI presents a form for the user to enter their phone number. 5. Kratos sends an OTP via SMS Kratos sends a one-time code to the user’s phone number, using the passwordless code method. The user receives the code via SMS [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). 6. User enters the OTP The user enters the received code in the UI. The front-end submits this code to Kratos to complete the login flow. 7. Kratos authenticates the user If the code is valid, Kratos authenticates the user and creates a session. If this is the first login with that phone number, Kratos creates a new identity. 8. Front-end uses the preserved 
login_challenge
to accept the login with Hydra After successful login, the front-end uses the original 
login_challenge
(which should be preserved throughout the flow as a query parameter) to call Hydra’s 
/admin/oauth2/auth/requests/login/accept
endpoint, passing the authenticated user’s ID [Custom login and consent flow](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#flow-steps). 9. Hydra redirects to consent or the client app Hydra continues the OAuth2 flow, possibly showing a consent screen, and finally redirects the user to the OAuth2 client’s 
redirect_uri
. Important notes: - The phone number must be marked as a code login identifier in your identity schema [Passwordless one-time code login identifier](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passwordless-one-time-code-login-identifier). - The SMS channel must be configured in Kratos [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). - The 
login_challenge
must be preserved and passed through all redirects and form submissions, just as with social login [Github issue discussion](https://github.com/ory/kratos/issues/4024). Summary: The flow is: OAuth2 client → Hydra 
/oauth2/auth
→ Kratos login UI (phone/OTP) → Kratos (sends/validates OTP) → Accept Hydra login request with 
login_challenge
→ Hydra (consent) → OAuth2 client redirect. This is nearly identical to the social login flow, but uses the passwordless code method for authentication.
g
@chilly-king-10285 when login with phone number/otp, does the kratos creates user in kratos db after otp verfication done ?
c
A message from kapa.ai
Yes, when a user logs in with a phone number and OTP (one-time code), Ory Kratos will create a new user (identity) in its database if this is the first time that phone number is used. The process is similar to social login: if the phone number does not already exist as an identity, Kratos creates a new identity after successful OTP verification. If the phone number is already registered, Kratos will log the user into the existing account instead [Passwordless one-time code login identifier](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passwordless-one-time-code-login-identifier) [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). This behavior is consistent with how Kratos handles other passwordless and social login methods: a new identity is created on first successful authentication, and reused for subsequent logins with the same identifier.
g
@chilly-king-10285 should we enable session hook in phone number/ OTP flows also to auto login user after the OTP verification completed ?
c
A message from kapa.ai
Yes, you should enable the 
session
hook in the phone number/OTP (
code
method) flows if you want users to be automatically logged in (i.e., receive a session) immediately after successful OTP verification and registration. By default, Kratos does not issue a session after registration to prevent account enumeration attacks, so enabling the 
session
hook is necessary for this behavior. You can configure this in your Kratos config like this:
Copy code
yaml selfservice:   flows:     registration:       after:         code:           hooks:             - hook: session
This ensures that after a user registers using the phone number/OTP method, they are automatically signed in and receive a session cookie, just like with other methods such as password or OIDC. This is also the recommended approach for a seamless user experience [Successful registration](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#successful-registration) [Github issue: Configure session after Registration via code in Console](https://github.com/ory/network/issues/340). If you do not enable the 
session
hook, users will need to log in again after registration to receive a session.
3 Views
Open in Slack
PreviousNext
Powered by