Why redirect after rejecting login? #3557
Replies: 1 comment
-
Hey @Brutus5000, when a login attempt fails during the OAuth2 flow, you indeed inform Ory Hydra about the failure by using the /oauth2/auth/requests/login/reject endpoint as you mentioned. The response from this endpoint contains a redirect URL which your login provider should redirect the user-agent to. (source)

The reason for this redirection is to maintain the integrity of the OAuth2 flow. Ory Hydra manages the flow and needs to be aware of its state at all times, including when a login attempt fails. By redirecting back to Ory Hydra, you allow it to properly handle the failed login attempt and take the necessary next steps.
-
Hello there,
I'm a bit confused about the intended flow if a login fails. I tell Hydra that the login failed via /oauth2/auth/requests/login/reject and it responds with a redirect URL.
But I am showing the user that the login failed in my service already (nicely styled etc.). Why would I redirect back to Hydra? Would it redirect me back to the invoking client? There are plenty of reasons why a login is rejected and an outside application would need to get this information from somewhere, but how?
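The reject-and-redirect step discussed in this thread, as an added Python example that is not code from the thread or from the Ory project. Assumptions: the host names are constructed, `send` is a hypothetical callable that performs the HTTP request and returns the response body, the request shape (PUT, `login_challenge` query parameter, JSON `error` / `error_description` fields, `redirect_to` in the response) follows Hydra's admin API, and the origin check on `redirect_to` is a defensive addition.

```python
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed deployment values (assumptions, not from the thread).
HYDRA_ADMIN = "http://hydra-admin.internal:4445"
HYDRA_PUBLIC = "https://auth.example.com"
REJECT_PATH = "/oauth2/auth/requests/login/reject"  # path quoted in the thread


def build_reject_request(login_challenge, error, description):
    """Build the call that tells Hydra the login failed.

    Keep the error coarse and the description user-safe: detailed reasons
    (unknown user vs. wrong password) belong in the login provider's own logs.
    """
    body = json.dumps({"error": error, "error_description": description}).encode()
    query = urlencode({"login_challenge": login_challenge})
    return Request(
        f"{HYDRA_ADMIN}{REJECT_PATH}?{query}",
        data=body,
        method="PUT",
        headers={"Content-Type": "application/json"},
    )


def redirect_target(response_body):
    """Return redirect_to, refusing anything that is not Hydra's public origin."""
    target = json.loads(response_body).get("redirect_to")
    if not isinstance(target, str):
        raise ValueError("reject response carried no redirect_to")
    got, want = urlsplit(target), urlsplit(HYDRA_PUBLIC)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError("redirect_to does not point back to Hydra")
    return target


def finish_rejected_login(login_challenge, send):
    """Reject the login, then hand the user-agent back to Hydra with a 302.

    The provider can render its own styled failure page first; this runs when
    the user gives up, so Hydra can close the flow it is tracking.
    """
    req = build_reject_request(login_challenge, "access_denied", "The login was rejected")
    return 302, {"Location": redirect_target(send(req))}
```

In a real handler `send` could be `lambda r: urllib.request.urlopen(r).read()`, with the admin port reachable only from the login provider.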