# ory-copilot
@chilly-king-10285 how to set up oidc sso with @ory/client using createBrowserLogin
A message from kapa.ai
To set up OIDC SSO (Single Sign-On) with Ory using the `@ory/client` SDK and the `createBrowserLoginFlow` method, you need to:

1. Configure OIDC Providers in Ory Console or via API

First, add your OIDC provider (e.g., Google, GitHub, or a custom OIDC provider) in the Ory Console under Authentication → Social Sign-In (OIDC). Enter the required details such as Client ID, Client Secret, and set the base redirect URI to your application's login callback URL. Save the configuration. This will make OIDC login options available in your login flow UI nodes [Social sign-in](https://www.ory.sh/docs/identities/get-started/social-sign-in).

2. Initialize the Login Flow in Your App

Use the `@ory/client` SDK to create a browser login flow. This flow will include OIDC providers as options if they are configured. Example using `@ory/client` in a React component:

```tsx
import { Configuration, FrontendApi, LoginFlow, UiNodeInputAttributes } from "@ory/client"
import { useEffect, useState } from "react"

const frontend = new FrontendApi(
  new Configuration({
    basePath: "http://localhost:4000", // Use Ory Tunnel for local dev
    baseOptions: {
      withCredentials: true, // Required for cookies
    },
  }),
)

export const Login = () => {
  const [flow, setFlow] = useState<LoginFlow>()

  useEffect(() => {
    frontend
      .createBrowserLoginFlow({
        returnTo: "/", // Redirect after login
        refresh: true,
      })
      .then(({ data: flow }) => setFlow(flow))
      .catch((err) => {
        // Handle error (e.g. show a message or redirect to an error page)
        console.error(err)
      })
  }, [])

  return flow ? (
    <form action={flow.ui.action} method={flow.ui.method}>
      {flow.ui.nodes.map((node, idx) => {
        // Render input fields and OIDC provider buttons.
        // OIDC providers will appear as submit buttons with group "oidc".
        if (node.attributes.node_type !== "input") return null
        const attrs = node.attributes as UiNodeInputAttributes
        if (attrs.type === "submit") {
          return (
            <button key={idx} type="submit" name={attrs.name} value={attrs.value}>
              {node.meta.label?.text ?? attrs.name}
            </button>
          )
        }
        return (
          <input
            key={idx}
            name={attrs.name}
            type={attrs.type}
            defaultValue={attrs.value}
            required={attrs.required}
            disabled={attrs.disabled}
          />
        )
      })}
    </form>
  ) : (
    <div>Loading...</div>
  )
}
```
The OIDC provider buttons will be included in the `flow.ui.nodes` array with `group: "oidc"`. When a user clicks one, the browser is redirected to the OIDC provider for authentication, and then back to your app [Create login flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow).

3. Handle the OIDC Callback

After successful authentication, the user is redirected back to your app (to the redirect URI you configured). Ory will complete the login flow and issue a session.

Note:
- For local development, use the Ory Tunnel to proxy requests to your local app and ensure cookies work correctly [Local development](https://www.ory.sh/docs/getting-started/local-development#local-development).
- The OIDC provider configuration must be completed in the Ory Console or via API before the OIDC options appear in the login flow.

Summary:
- Configure OIDC providers in Ory.
- Use `createBrowserLoginFlow` from `@ory/client` to initialize the login flow.
- Render the UI nodes, including OIDC provider buttons.
- Handle the redirect after authentication.

For more details and code samples, see the [Ory documentation on custom UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow) and [social sign-in](https://www.ory.sh/docs/identities/get-started/social-sign-in).
@chilly-king-10285 nodes are not included with group oidc even though I configured providers in ory console
A message from kapa.ai
New message text here
@chilly-king-10285 doesn't seem to work, rethink it please.
A message from kapa.ai
If you have configured OIDC providers in the Ory Console but do not see any nodes with `group: "oidc"` in your login flow, the knowledge sources suggest the following:

- When OIDC is enabled and at least one provider is configured, the login flow's UI nodes should include entries with `group: "oidc"`. These nodes are typically submit buttons for each provider, such as GitHub or Google. This is shown in both the documentation and example API responses [Login with OIDC](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-with-google-facebook-github--openid-connect--oauth-20).
- If you do not see these nodes, the most common reasons are:
  - The OIDC method is not enabled in your configuration.
  - No OIDC providers are actually configured or enabled.
  - You are not using a browser flow (OIDC is only available in browser flows, not API flows).
  - You are filtering out the `oidc` group when rendering nodes.
- The Ory team has confirmed in GitHub discussions that the expected behavior is for each OIDC provider to appear as a submit button with `group: "oidc"`. If this is not happening, and you have verified your configuration and flow type, it may indicate a misconfiguration or a bug [Github Issue: Incorrect UI nodes for using OIDC and password flow together](https://github.com/ory/network/issues/143).

If you have checked all of the above and still do not see OIDC nodes, the knowledge sources do not provide further troubleshooting steps or a solution for this scenario. There is no mention of additional hidden requirements or known bugs that would prevent OIDC nodes from appearing if the configuration is correct. If you are certain your configuration is correct and you are using a browser flow, but the nodes are still missing, you may need to reach out to Ory support or the community for further assistance, as the knowledge sources do not contain enough information to resolve this issue.
@chilly-king-10285 I mean the feature where Ory recognizes an organization email and provides a "Continue with SSO" button. What do I need for implementation?
A message from kapa.ai
To implement the feature where Ory recognizes an organization email and provides a "Continue with SSO" button, you need to use Ory's B2B Organization and SSO (OIDC or SAML) connections features. Here's what you need to do:

1. Create Organizations and Assign Domains
   - In the Ory Console, go to Authentication → Enterprise SSO and create an organization.
   - Assign one or more email domains to the organization (e.g., `my.example.com`). This allows Ory to recognize when a user enters an email belonging to that organization [Organizations](https://www.ory.sh/docs/kratos/organizations).

2. Configure SSO Connections for the Organization
   - For each organization, add one or more SSO connections (OIDC or SAML). This is done in the same section of the Ory Console or via API.
   - When configuring, you'll need the OIDC/SAML provider details (client ID, secret, issuer URL, etc.) and map the provider to the organization using its ID [Create SSO connections for an organization](https://www.ory.sh/docs/kratos/organizations#create-sso-connections-for-an-organization).

3. Enable Identifier-First Authentication
   - Ory requires identifier-first authentication for B2B SSO. This means the login form first asks for the user's email.
   - Once the user enters their email, Ory checks if the domain matches an organization and, if so, shows the "Continue with SSO" button instead of the password field [Identifier first authentication](https://www.ory.sh/docs/identities/sign-in/identifier-first-authentication).

4. User Experience
   - When a user enters an email that matches an organization's domain, the login UI will display a "Sign in with SSO" button. Clicking this button initiates the SSO flow with the configured provider.
   - If the email does not match any organization, the standard login flow (e.g., password) is shown [See it live](https://www.ory.sh/docs/kratos/organizations#see-it-live).

Summary of requirements:
- Ory project with B2B Organizations feature enabled.
- Organizations created with assigned domains.
- SSO (OIDC/SAML) connections configured for each organization.
- Identifier-first authentication enabled in your project.

This setup ensures that users with organization emails are prompted with a "Continue with SSO" button, streamlining enterprise authentication flows.
@chilly-king-10285 in the example the password input disappears while typing once Ory recognizes the email as SSO. How do I do that?
A message from kapa.ai
To achieve the behavior where the password input disappears as soon as Ory recognizes the email as belonging to an SSO-enabled organization, you need to implement identifier-first authentication and use Ory's B2B SSO features.

How it works:

1. Identifier-first authentication: The login form first asks for the user's email address.
   - As soon as the user enters an email, Ory checks if the domain matches an organization with SSO enabled.
   - If it matches, the UI dynamically hides the password field and shows a "Sign in with SSO" button instead.

2. Implementation steps:
   - Enable identifier-first authentication in your Ory project. For Ory Network, this is done in the Ory Console under Branding → Theming by enabling "Account Experience 2.0 (preview)" [Identifier first authentication](https://www.ory.sh/docs/identities/sign-in/identifier-first-authentication).
   - Configure organizations and SSO connections as described previously.
   - UI behavior: Ory's built-in Account Experience UI handles this automatically. If you are building a custom UI, you need to:
     - Submit the email to Ory (start the login flow).
     - Inspect the response from Ory. If the response indicates SSO is required for the entered email, render only the SSO button and hide the password field.
     - If the email does not match an SSO-enabled organization, show the password field as usual.

Example from the docs:

> After having set up everything, go to your registration page. Entering an email that ends with the organization's domain, such as `@my.example.com`, shows a Sign in with SSO button instead of the password field. Clicking it will take you to sign in with the SSO connection. The SSO connection is not visible for email addresses that are not managed by the organization [See it live](https://www.ory.sh/docs/kratos/organizations#see-it-live).

Summary:
- Enable identifier-first authentication.
- Configure organizations and SSO connections.
- Use Ory's built-in UI or, for custom UIs, update your form dynamically based on Ory's response after the email is entered.

If you use the built-in Account Experience UI, this behavior is handled for you. For custom UIs, you must implement the logic to hide/show fields based on the flow data returned by Ory. If you need more technical details on how to implement this in a custom UI, the knowledge sources do not provide a step-by-step code example, but the described approach is supported and expected.
@chilly-king-10285 how do I check with `@ory/client` while the user types an email if the email is actually part of an organization, so I can update the nodes without the user having to click?
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain information about an API endpoint or method in `@ory/client` that allows you to check, in real time as the user types, whether an email belongs to an organization and dynamically update the login flow nodes without the user submitting the form or clicking a button.

The documented flows rely on submitting the identifier (email) to Ory, which then returns the appropriate UI nodes (e.g., showing the SSO button or password field) in the next step of the flow. There is no mention of a "live" or "on-the-fly" check for organization membership as the user types, nor an endpoint to query this directly for instant UI updates in a custom frontend. The identifier-first authentication and dynamic UI update are handled by Ory's built-in Account Experience, but the mechanism for custom UIs is not detailed beyond the standard flow submission and response pattern [See it live](https://www.ory.sh/docs/kratos/organizations#see-it-live).

If you need this functionality, you may need to implement your own logic to check email domains against a list of organization domains you manage, but this approach is not described or recommended in the official Ory documentation.
@high-optician-2097 how did you do that? See video https://www.ory.sh/docs/kratos/organizations
@chilly-king-10285 is there a method I can recognize registered accounts and organizations that should opt in for sso?
A message from kapa.ai
Based on the knowledge sources, there is no direct method in `@ory/client` or the Ory APIs that allows you to instantly recognize, as a user types, whether an account is registered or if an email should opt in for SSO (i.e., belongs to an organization with SSO enabled) without submitting the identifier to Ory.

How Ory handles this:
- Ory's identifier-first authentication flow is designed so that after the user submits their email, Ory determines if the email matches an organization domain and then returns the appropriate UI nodes (e.g., SSO button or password field). This is handled after form submission, not in real time as the user types [Identifier first authentication](https://www.ory.sh/docs/identities/sign-in/identifier-first-authentication).
- The built-in Account Experience UI from Ory handles this logic automatically after the email is submitted, but there is no mention of a public API for live, per-keystroke checks in custom UIs [See it live](https://www.ory.sh/docs/kratos/organizations#see-it-live).

Listing organizations and their domains:
- You can list all organizations and their domains via the Ory API (`GET /projects/{project_id}/organizations`), which could allow you to build your own client-side logic to check if an email domain matches an organization. However, this is not described as a recommended or supported approach for real-time SSO opt-in detection in the official documentation [B2B Single Sign-On & SAML](https://www.ory.sh/docs/kratos/organizations).

Summary:
- There is no built-in, real-time method in Ory to recognize registered accounts or SSO-eligible organizations as the user types.
- The standard flow is: user submits email → Ory responds with the correct UI nodes based on organization membership and SSO configuration.
- You can list organizations and their domains via API, but live SSO opt-in detection is not documented as a supported feature.

If you need this feature, you would need to implement your own logic using the organizations API, but this is outside the scope of the official Ory documentation.
@chilly-king-10285 Any ory client method for getting organizations?
A message from kapa.ai
Yes, there is an Ory API endpoint for listing organizations:

```
GET /projects/{project_id}/organizations
```

This endpoint allows you to list all Enterprise SSO organizations in a project. You need to provide the `project_id` and authenticate using a workspace API key. The response includes organization details such as ID, label, domains, and creation time [Ory API Reference – listOrganizations](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json).

If you are using `@ory/client`, you would use the corresponding method from the generated SDK for your language to call this endpoint. The method typically requires the project ID and supports pagination and domain filtering as query parameters.

Example parameters:
- `project_id` (required): The ID of your Ory project.
- `page_size` (optional): Number of items per page.
- `page_token` (optional): For pagination.
- `domain` (optional): Filter organizations by domain.

Authentication: You must authenticate using an Ory Workspace API key to access this endpoint [Ory API Reference – getOrganization](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json).

For more details, see the [Ory API Reference](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json).
@chilly-king-10285 `GET /projects/{project_id}/organizations` doesn't work...

```json
{
  "code": "404",
  "details": {
    "ruleId": "6176b3cb"
  },
  "message": "Invalid path",
  "reason": "No resource found using the specified path.",
  "status": "Not Found"
}
```
A message from kapa.ai
Thank you for your feedback and for sharing the error message. Based on the knowledge sources, the documented endpoint for listing organizations is:

```
GET /projects/{project_id}/organizations
```

This endpoint is described as listing all Enterprise SSO organizations in a project. It requires the `project_id` and authentication with a workspace API key. The expected response is a list of organizations, including their IDs, labels, domains, and creation times. The endpoint also supports pagination and domain filtering as query parameters [source](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json).

However, if you are receiving a `404 Not Found` error with the message "Invalid path" and "No resource found using the specified path," this suggests one of the following:
- The endpoint may not be available in your current Ory deployment or environment.
- The endpoint path or base URL might be incorrect.
- The feature may not be enabled for your project or account.

The knowledge sources do not provide troubleshooting steps for this specific error, nor do they mention any alternative endpoints for listing organizations. If you are using Ory Network, ensure you are using the correct project domain and have the necessary permissions and API key. If the issue persists, the knowledge sources do not contain enough information to resolve this error, and you may need to contact Ory support or consult the Ory community for further assistance.

Summary: The endpoint `GET /projects/{project_id}/organizations` is documented, but a 404 error indicates it may not be available or enabled in your environment. The knowledge sources do not provide further troubleshooting steps for this issue.
@chilly-king-10285 to which domain?
A message from kapa.ai
You should send the `GET /projects/{project_id}/organizations` request to the Ory Console API domain, which is:

```
https://api.console.ory.sh
```

So the full URL would be:

```
https://api.console.ory.sh/projects/{project_id}/organizations
```

Make sure to replace `{project_id}` with your actual Ory project ID, and include your Workspace API key in the `Authorization` header as a Bearer token. This is confirmed in the official Ory documentation for managing organizations and projects via API [Manage Ory Network projects through the API](https://www.ory.sh/docs/guides/manage-project-via-api) and [B2B Single Sign-On & SAML](https://www.ory.sh/docs/kratos/organizations).
@chilly-king-10285 why do I get a forbidden with API key and accurate project id?
A message from kapa.ai
New message text here