Authentication after Sign-up


#1

We have sign-in and sign-up flows, and after the sign-up flow the user must be authenticated in the system.

Hydra redirects to the sign-in flow with a login challenge. The sign-in page has a link to the sign-up page. If the user goes to sign-up from the login page, we can accept the login challenge after registration and everything works well.

What should we do when we have links to sign-up and have to show it from somewhere other than the login page (e.g. referral registration links in emails + other cases)? How do we get a login challenge in these cases?

I checked Signup during signin before asking. It sounds similar but didn’t cover my case.


#3

I’m assuming you’re talking about 1st party apps, right? In that case, simply show the sign up screen first and then perform the oauth2 flow. Alternatively (but not recommended) you could try and add a query parameter to the oauth2 auth code url which indicates to the login screen that you want to sign up and not log in. I don’t recommend it because I’m currently not sure if the login endpoint has access to the original oauth2 auth code url.


#4

We have 1st-party trusted apps (web, mobile) and 3rd-party untrusted apps.

Not sure that I understand the 1st option, sorry. Our login and sign-up dialogs differ in content and we should have direct links to the login and signup pages from other places (can’t change this). Can you please elaborate on this in more detail?

We thought about the second option. In the login app you have access to the original /authorize endpoint and can get params from it. This option is on the table but we are trying to find other alternatives.


#5

It’s confirmed that the second option doesn’t work at the moment, there’s an issue for that here: https://github.com/ory/hydra/issues/1046

Option 1:

  1. User clicks sign up
  2. User signs up
  3. Upon successful registration, user is redirected to hydra (authorize code url). This does not require user interaction
  4. User has to sign in at login endpoint. You MAY choose to skip showing the login UI as the user just signed up. You’ll need to make sure this is secure and only works for a limited amount of time.
  5. User has to consent at consent endpoint. You MAY choose to skip this, see point 4
  6. User is redirected to callback URL. Session is active.
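
One way to make the skip in step 4 of Option 1 "secure and only works for a limited amount of time", as an added example that is not part of the original thread or of Hydra's code: the sign-up app issues a signed, single-use, short-lived ticket and the login endpoint skips its UI only when that ticket verifies. The function names, the 60-second lifetime, the shared secret and the in-memory replay set are all assumptions; how the ticket travels (for example an HttpOnly, Secure cookie) and the actual call that accepts the login challenge are left to the login app.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: key shared by the sign-up and login apps
TTL_SECONDS = 60                  # assumption: window in which a new sign-up may skip the login UI
_redeemed = set()                 # assumption: in production, a shared store with expiry

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def _sign(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_signup_ticket(subject, now=None):
    """Sign-up app: call right after a successful registration (step 2)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "exp": now + TTL_SECONDS, "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

def redeem_signup_ticket(ticket, now=None):
    """Return the subject if the ticket is authentic, unexpired and unused, else None."""
    now = time.time() if now is None else now
    body, sep, sig = (ticket or "").partition(".")
    # Constant-time MAC check before any parsing of the attacker-controlled body.
    if not sep or not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"] or claims["jti"] in _redeemed:
        return None
    _redeemed.add(claims["jti"])  # single use: a replayed ticket gets the normal login UI
    return claims["sub"]

def login_decision(ticket, now=None):
    """Login endpoint (step 4): skip the UI only when a valid ticket is presented."""
    subject = redeem_signup_ticket(ticket, now)
    if subject is None:
        return ("show_login_ui", None)
    # The login app would now accept the login challenge for this subject.
    return ("accept_login_challenge", subject)
```

Any failure (missing, forged, expired or replayed ticket) falls back to the regular login screen, so the skip never weakens the normal sign-in path.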