Based on the knowledge sources, Ory’s authentication and OAuth2 flows are designed to securely authenticate users and, when needed, issue tokens for authorization. However, if your requirement is only to authenticate the user (i.e., have them log in) and then redirect them back to the originating app—without issuing OAuth2 tokens or performing the code exchange—this is possible using Ory Kratos (Identities) flows. You can achieve this by initializing a login flow with a custom

return_to

URL. After the user completes the login, Ory will redirect them to the specified URL. This approach does not require you to go through the OAuth2 Authorization Code flow or issue tokens, as it’s purely an authentication step with a post-login redirect:

plaintext https://<ORY_SDK_URL>/self-service/login/browser?return_to=<https://your-app.com/after-login>

Make sure that the

return_to

URL is allow-listed in your Ory project configuration to prevent open redirect attacks. This method is commonly used for scenarios where you just want to authenticate the user and send them back to the app, without any OAuth2 code/token exchange. The redirect will happen after a successful login, and you can control the destination via the

return_to

parameter or through configuration settings for default redirect URLs[Advanced integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration), [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection). If you need to pass any session or authentication state to the app, you would need to handle that separately (e.g., via cookies or other mechanisms), as this flow does not provide OAuth2 tokens. Summary: You do not need to create an OAuth2 client or use the authorization code flow if you only need login and redirection. Use the login flow with a

return_to

parameter for your use case. If you later need authorization or API access, then implementing the OAuth2 flow would be appropriate.

Yes, if you are using a custom login UI with Ory Kratos, you should still initialize the login flow by directing the user (or making a request) to the

/self-service/login/browser

endpoint, including the

return_to

parameter for post-login redirection. This is true regardless of whether you use the default Ory UI or your own custom UI. When using a custom UI, the typical flow is: 1. Initialize the login flow: Redirect the browser or make a request to:

https://<ORY_SDK_URL>/self-service/login/browser?return_to=<https://your-app.com/after-login>

This will create a new login flow and, if accessed via browser, redirect to your configured custom login UI with the

flow

ID as a query parameter. 2. Render your custom UI: Your custom UI should read the

flow

ID from the query parameter and use it to fetch the flow data from Ory, then render the login form accordingly. 3. On successful login: After the user logs in, Ory will redirect them to the

return_to

URL you specified, as long as it is allow-listed in your configuration. This approach is documented in the Ory guides for custom UI integration and advanced redirects. The

return_to

parameter works the same way with custom UIs as with the default UI, and is the recommended way to handle post-login redirection without involving OAuth2 code exchange[Advanced integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration), [Create a flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-a-flow), [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection). Note: - Make sure your custom UI is configured as the login UI in Ory (via the

ui_url

setting). - The

return_to

URL must be allow-listed in your Ory configuration for security reasons. So, yes, you should use the

/self-service/login/browser?return_to=...

endpoint even with a custom login UI.

Yes, the

return_to

parameter can include query parameters in the URL you provide. For example, you can use:

/self-service/login/browser?return_to=<https://your-app.com/after-login?foo=bar&baz=qux>

However, you must ensure that the entire

return_to

URL (including its parameters) is properly URL-encoded and that the base URL is allow-listed in your Ory configuration to prevent open redirect attacks. Ory will validate the

return_to

URL against the allow list, but it does not strip or block query parameters from the redirect URL as long as the base URL matches the allow list entry. This is confirmed in the documentation, which shows that dynamic redirects using the

?return_to=

query parameter are supported, and the allow list is used to control which domains and paths are permitted for redirection. The example provided in the docs demonstrates that paths and subdomains can be matched, which implies that query parameters are preserved as part of the redirect URL as long as the base URL is allowed [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects), [Redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection). Summary: You can use query parameters in your

return_to

URL, but ensure the full URL is allow-listed and properly encoded.