# ory-network
l
Hey, we wrote our own login + consent oauth2 handlers. We don't want the `ory_hydra_session` cookie to be set so we're using the provided remember option when accepting login challenges. This doesn't work with OIDC Login like Google since the challenge is accepted in the background after the oidc callback (`/self-service/methods/oidc/callback/google`) redirects to `/oauth2/auth` - is there some configuration key to control the `ory_hydra_session` cookie? Seems like it's using the Kratos Session TTL ...
p
Hi @late-florist-28893 When you mean you have your own login + consent oauth2 handlers, you mean that you are using Hydra directly with your own IAM? Or are you referring to integration with other 3rd party providers e.g. Google. Maybe I'm misunderstanding it a bit, could you clarify?
l
Hey @proud-plumber-24205, I'm sorry, let me clarify. I followed these docs to use a custom UI for OAuth2 flows: https://www.ory.sh/docs/hydra/guides/custom-ui-oauth2 Now I've enabled Google Social Sign-In via the Ory Network. When performing an oauth2 flow from my application, I'm showing the ory network login form which includes the Google Social Sign-In. When using Social Sign In instead of password, my custom login ui for the OAuth2 flow will not be called after Google redirects back to `/self-service/methods/oidc/callback/google`, instead this happens in the background on ory network's side and the user will be redirected back to the application which initiated the oauth2 flow. For now I'm unable to control how the login challenge is accepted. Shouldn't my custom ui be called at one point here? If this is not possible, I need to control the TTL of the `ory_hydra_session` cookie without changing the TTL for the Kratos sessions...
p
I still don't understand why you require your custom UI to be called during a social sign in flow to google since Kratos (IAM) manages this for you and returns a session for you. What is your use case exactly? From my perspective it seems you want to control the OIDC flow between Kratos (IAM) and the third party (google)? If you want to have 3rd parties integrate with your application, e.g. you are Google - then you can do this through your own UI + Hydra (OAuth2) server (https://www.ory.sh/docs/welcome#oauth2-and-oidc). If you want your own UI to support social sign in then you need to directly integrate with Kratos (IAM) which is essentially https://www.ory.sh/docs/welcome#identities-and-sessions. If you want to be a provider (e.g. Google) with your own UI and with other social sign in options you most likely are just missing a configuration value which tells Kratos about your custom UI: https://www.ory.sh/docs/guides/bring-your-user-interface
l
@proud-plumber-24205 This is the setup: we have several websites under different domains using the same IAM (ory network). So that the login can now work on all websites, this takes place via OAuth2 OIDC. If a user now initiates a login via OIDC on one of these pages, he will be redirected to the custom oauth2 login endpoint that we configured in Ory network's oauth-config. Here we then display the login form of Ory Network. This includes a Google Social Sign-In. If the user now chooses to login via Google, he will not be redirected back to the custom oauth2 login endpoint after the successful login, but directly back to the website that initiated the OIDC flow. The acceptance of the login challenge does not take place via us but via Ory Network. This means we cannot control the login challenge. Otherwise, logging in with a password works exactly as we want it to. I think after the user has successfully logged in via Google, he should be redirected to the custom oauth2 login endpoint with the original login challenge so that we can accept or reject the challenge here. And if that's not possible, we'd like to be able to set the TTL of the `ory_hydra_session` cookie. I hope I was able to make clear what we are doing here.
p
Hi @late-florist-28893 I see, this makes sense now. Thank you for the thorough explanation.
> If a user now initiates a login via OIDC on one of these pages, he will be redirected to the custom oauth2 login endpoint that we configured in Ory network's oauth-config.
Okay this makes sense. Sorry for the bad diagram 😅. I made a quick sketch of the process from what you describe. I guess in this case there must be a redirect URL configuration missing, since Kratos still thinks that the application it should use is the built in Account Experience. I think this might be the issue. Have you checked out https://www.ory.sh/docs/concepts/redirects? Just a note - each project contains an instance of Hydra and Kratos and they are by default integrated with the Account Experience. For them to know about your custom UI, you would need to configure it.
l
@proud-plumber-24205 thank you, your diagram describes the process very well! I have already defined a post login URL and entered all the URLs for the custom UI. All custom URLs are also configured in the oauth2-config. Something weird just happened. When I just successfully logged in via Google, Kratos actually redirected me to the post login URL without Kratos/Hydra setting an `ory_hydra_session` cookie. When I tried the whole thing again, this didn't happen anymore and after a successful login via Google I was redirected to the custom consent ui endpoint that we defined in the oauth2-config and Kratos/Hydra had previously set an `ory_hydra_session` cookie 😕 I can't reproduce the first case either, it can't be due to cookies because that also happens in an incognito tab, seems like Kratos/Hydra is caching something here. In any case, I configured everything correctly, but Kratos never redirects me to the custom login ui endpoint with a login challenge. The post login URL can't be the solution, because I need a login challenge as a parameter. In any case, thank you very much for your time!
h
Just to get this right - you initiate an oauth2 flow in hydra, which is connected to kratos, which does social sign in, and the problem is that after social sign in you end up not in the oauth2 redirect but in another endpoint?
can you give me a url so I can try this myself?
that usually helps quite a lot with debugging
l
I sent you a DM.