# ory-copilot
@chilly-king-10285 What should I use if I have multiple domains like app1.com and app2.com and I want to be able to login to both of them via auth.central-domain.com
A message from kapa.ai
If you have multiple domains like app1.com and app2.com and want users to log in via a central authentication domain such as auth.central-domain.com, you should use Ory's support for custom domains and OpenID Connect (OIDC) for federated authentication. Here's how this works with Ory:

- Custom Domains & Multibrand: Ory Network allows you to add multiple custom domains to your project (with the Multibrand feature on paid plans). Each application (app1.com, app2.com) can have its own custom domain and UI base URL. However, due to browser cookie isolation, each domain will have its own session, and users will need to authenticate separately on each domain. The same account can be used across domains, but the session is not shared automatically between them for security reasons. This is a browser limitation, not an Ory-specific one. You can configure this setup in the Ory Console under Branding → Theming, and set the appropriate cookie domains and custom UI base URLs for each app domain. The central auth domain (auth.central-domain.com) would handle the authentication flows and issue sessions for each app domain as users log in there. [Multiple custom domains](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui#multiple-custom-domains) [Set up custom domains](https://www.ory.sh/docs/guides/custom-domains)
- OpenID Connect (OIDC): For a more seamless SSO-like experience, you can use Ory as an OpenID Connect provider. Each app (app1.com, app2.com) would act as an OIDC client, redirecting users to auth.central-domain.com for authentication. After login, the user is redirected back to the app with an ID token and access token. This allows users to use the same credentials across all your domains, but again, due to browser security, each domain will have its own session cookie. [OpenID Connect overview](https://www.ory.sh/docs/oauth2-oidc/overview/oidc-concepts)

Important limitations:

- Session cookies are domain-scoped: Even with Ory's Multibrand and OIDC features, browser cookies (including session cookies) cannot be shared across top-level domains (app1.com and app2.com). Users will need to log in separately on each domain, but can use the same credentials.
- OIDC for federated login: OIDC is the recommended way to provide a central login experience across multiple domains, but it does not provide a shared browser session between domains.

Summary: Use Ory's custom domains and OIDC features to enable login via a central domain for multiple apps. Each app will have its own session, but users can authenticate with the same credentials via the central auth domain. This is the industry-standard approach due to browser security restrictions. For more details and setup instructions, see the documentation on [Multiple custom domains](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui#multiple-custom-domains) and [OpenID Connect overview](https://www.ory.sh/docs/oauth2-oidc/overview/oidc-concepts).
@chilly-king-10285 Given that those are first party apps, can I skip consent page and just sign-in automatically?
A message from kapa.ai
Yes, for first-party apps, you can skip the consent page and have users sign in automatically. Ory supports skipping the consent screen for trusted clients (such as your own first-party applications). This can be configured per OAuth2 client either via the Ory Console or CLI by enabling the "Skip consent" option.

How to enable skip consent:

- Ory Console: Go to OAuth 2 → OAuth2 Clients, edit your client, and toggle the Skip consent option in the Consent screen section. Save your changes. This will ensure that the consent screen is not shown for that client. [Skip consent and logout consent](https://www.ory.sh/docs/oauth2-oidc/skip-consent) [Consent flow documentation](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent)
- CLI: When creating or updating an OAuth2 client, use the `--skip-consent` flag:

  ```shell
  ory create oauth2-client \
    --skip-consent \
    # other options...
  ```

  or

  ```shell
  ory update oauth2-client \
    --skip-consent \
    # other options...
  ```

  [CLI options](https://www.ory.sh/docs/cli/ory-create-oauth2-client#options)

Behavior: When this is enabled, Ory will automatically accept the consent request for that client, and the user will not see the consent screen. This is the recommended approach for first-party applications managed by the same entity as your Ory project.

Note: This only skips the consent screen. The user will still need to authenticate (log in) if they do not have an active session. Session sharing across domains is still subject to browser restrictions.

For more details, see the official documentation on [skipping consent for trusted clients](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent) and [skip consent and logout consent](https://www.ory.sh/docs/oauth2-oidc/skip-consent).