selfservice.flows.login.style reverts to identifier_first despite explicitly setting password

[pokohide]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

https://busy-archimedes-8gobxuzsfx.projects.oryapis.com

Describe the bug

I am using Ory Network and trying to configure the login flow to show both the Email and Password fields immediately (single step).

I have explicitly set selfservice.flows.login.style to password in my configuration file. However, after running ory update identity-config or ory patch identity-config, the configuration either persists as identifier_first or reverts back to it immediately.

The login flow initialization continues to return group: "identifier_first" nodes, and the flow state becomes choose_method, preventing the password field from appearing in the first step.

Reproducing the bug

Identity Schema: I have updated my Identity Schema to remove all references to webauthn and passkeys. Only password is defined in ory.sh/kratos.credentials.

Configuration (kratos.config.yaml): I am trying to apply the following configuration. Note that I need code enabled for Recovery, but I have disabled it for Passwordless Login.

selfservice:
  flows:
    login:
      style: password  # <--- I want this
  methods:
    password:
      enabled: true
    code:
      enabled: true    # Enabled for Recovery
      config:
        passwordless_enabled: false # Disabled for Login to avoid identifier_first
    webauthn:
      enabled: false
    passkey:
      enabled: false

Command Execute.

ory update identity-config --project <MY_PROJECT_ID> --file kratos.config.yaml

Result: The CLI reports Project updated successfully!.

I run ory get identity-config .... Result: The output shows selfservice.flows.login.style: identifier_first. It ignores my setting.

Expected behavior

If selfservice.methods.code.config.passwordless_enabled is set to false, the system should allow selfservice.flows.login.style to be set to password, even if the code method itself is enabled globally (for recovery purposes).

Environment

$ ory version
Version:    v1.2.0
Git Hash:   0e0da3c44491277d0aabeb720dc90e0c046bfc4a
Build Time: 2025-09-25T12:12:40Z

Additional context

It seems like the validation logic on Ory Network forces identifier_first as soon as it sees code.enabled: true, disregarding the passwordless_enabled: false flag or the Identity Schema structure.

Is there any hidden dependency or configuration I am missing to force the "Password" style while keeping "Code" recovery enabled?

Relevant log output

Relevant configuration

Version

v1.2.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

[jonas-jonas]

Hi, valid values for selfservice.flows.login.style are unified or identifier_first. You probably want unified.

[pokohide]

Thank you for your reply.

I set selfservice.flows.login.style to unified and tried updating identity-config again, but it did not update.
Could it be that this setting is also failing validation and preventing the update?

[jonas-jonas]

Ah apologies, this is about Ory Network?

In that case, we don't support the unified style with the built-in Account Experience at the moment. https://www.ory.com/docs/identities/sign-in/identifier-first-authentication