# talk-hydra
d
Hi. We are using hydra to act as an IDP. Sometimes we need to reject login requests (OIDC), but the relying party (a whitelabel solution we are using) does not seem to handle the rejection properly. Instead of showing a message to the user, they retry the request, which results in an endless loop. 💥 So my idea to work around this is to reject the request in our login endpoint, but instead of redirecting to the redirect_url of the reject response, show our own 403 page with some useful information. Do you think that makes sense, or does this break the OAuth flow and make it unusable for other relying parties?
m
What is the "normal" reject response? Basically a 403 page as well, right? At first glance this seems reasonable to me. I am not sure if it breaks the flow for other parties though.
d
My understanding is that the relying party should handle a rejection. Is that right?
m
If the user denies the authorization request, the server will redirect the user back to the redirect URL with `error=access_denied` in the query string, and no code will be present. It is up to the app to decide what to display to the user at this point.
I think so, yes.