feat(core): add OAuth2 consent flow support

[Jorgagu]

Add complete OAuth2 consent flow support to @ory/nextjs and @ory/elements-react packages, enabling applications to handle OAuth2 authorization consent screens with Ory Hydra.

Related Issue or Design Document

Fixex #327

Add complete OAuth2 consent flow support to @ory/nextjs and @ory/elements-react packages, enabling applications to handle OAuth2 authorization consent screens with Ory Hydra.

Features

• Consent Flow Utilities (@ory/nextjs)

  • getConsentFlow - Fetch consent challenge from Ory Hydra
  • acceptConsentRequest - Accept consent with selected scopes
  • rejectConsentRequest - Reject consent request

• OAuth2 Client Logo Display

  • Display OAuth2 client logo on login, registration, and consent cards
  • Shared getConfigWithOAuth2Logo utility for consistent behavior

• Example Implementations

  • App Router: consent page + API route
  • Pages Router: consent page + API route
  • Custom Components: ConsentFooter, custom scope checkbox with toggle switches

• Exported Utilities

  • getConsentNodeKey, isFooterNode from card-consent
  • isUiNodeInput, UiNodeInput type helpers

Improvements

• Optimize rewriteUrls to single-pass regex replacement
• Add OAuth2 path exclusion in URL rewriting
• Add null/undefined handling in rewriteJsonResponse

Tests

• Unit tests for consent utilities and rewrite functions

Checklist

• I have read the contributing guidelines and signed the CLA.
• I have referenced an issue containing the design document if my change introduces a new feature.
• I have read the security policy.
• I confirm that this pull request does not address a security vulnerability.
  If this pull request addresses a security vulnerability,
  I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have added the necessary documentation within the code base (if appropriate).

Further comments

This implementation follows the pattern established in kratos-selfservice-ui-node for handling OAuth2 flows. The OAuth2 client logo is displayed by overriding the project configuration's logo_light_url when an OAuth2 client logo is available, keeping the existing DefaultCardLogo component unchanged.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 73020fc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

@Jorgagu is attempting to deploy a commit to the ory Team on Vercel.

A member of the Team first needs to authorize it.

[codecov]

Codecov Report

❌ Patch coverage is 47.10744% with 64 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.68%. Comparing base (f3fad4d) to head (73020fc).
⚠️ Report is 286 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #584       +/-   ##
===========================================
+ Coverage   42.43%   55.68%   +13.25%     
===========================================
  Files         136      178       +42     
  Lines        2008     3369     +1361     
  Branches      288      494      +206     
===========================================
+ Hits          852     1876     +1024     
- Misses       1149     1416      +267     
- Partials        7       77       +70     

Components	Coverage Δ
@ory/elements-react	55.10% <ø> (+18.31%)	⬆️
@ory/nextjs	58.60% <ø> (-7.38%)	⬇️

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Jorgagu]

@vinckr @jonas-jonas @aeneasr Happy New Year ! 🎉 Could you please review this one ?

[jonas-jonas]

hi @Jorgagu, thank you very much for this contribution, and happy new year!

We'll take a look at this in the coming weeks. We do have some code for this already; it just wasn't ready to be published, so we might need to do some merging with that.

And just a heads-up, we're quite busy ramping up after the holidays again, so it might take a couple days longer for us to get to this.

[juice928]

👋 Hi, I'm an automated AI code review bot. I ran some checks on this PR and found 1 point that might be worth attention (could be false positives, please use your judgment):

1. Enhance security by verifying the user identity during the consent flow
   • Location: examples/nextjs-pages-router/pages/api/consent.ts:L33-L84
   • Impact: Without matching the session to the challenge subject, there is a risk of processing consent on behalf of the wrong user.
   • Suggestion: Consider calling getOAuth2ConsentRequest to compare the subject with the current session identity before accepting the challenge.

If you find these suggestions disruptive, you can reply "stop" , and I'll automatically skip this repository in the future.