Social sign-in troubleshooting
'redirect_uri' mismatch
Ensure that the redirect_uri
query parameter in the URL matches the authorized redirect URI added to the social sign-in
provider.
https://{provider}/o/oauth2/v2/auth?client_id=(...)&
redirect_uri=https://$PROJECT_SLUG.projects.oryapis.com/self-service/methods/oidc/callback/{provider}&
response_type=code&scope=email+profile+openid
If you get a redirect_uri
mismatch error in a project created before September 2022 that uses a custom domain,
refer to this document for troubleshooting information.
'oryapis.com' doesn't work as authorized redirect URI
Integration with social sign-in providers may require proving the ownership of the authorized redirect URI domain. If that is the
case, you must use a custom domain and the https://$PROJECT_SLUG.projects.oryapis.com
URL can't be used as the redirect URI.
To add your domain to the redirect_uri
query parameter when redirecting to the social sign-in provider, adjust your project's
base_redirect_uri
configuration. To do that, use the Ory CLI:
ory patch identity-config --project <project-id> --workspace <workspace-id> --add '/selfservice/methods/oidc/config/base_redirect_uri="https://ory.your-custom-domain.com"'
Ensure that the custom domain is added to the social sign-in provider as an authorized redirect URI.
Redirect loops after successful registration
Ory redirects users back to the registration page after a successful OIDC flow when some identity traits, for example a phone number, couldn't be mapped using the data received from the social sign-in provider and require manual input from the user.
However, when the Jsonnet configuration for the social sign-in provider is incorrect and Ory can't map the data correctly, the user sees no input fields and the registration page gets stuck in a redirect loop.
To understand how to fix the problem, let's look at how Ory handles the OIDC registration flow. There are 5 steps that the system performs when users register with a social sign-in provider:
- Redirect to the social sign-in provider.
- Redirect back to Ory with a
code
query parameter. - Ory exchanges the
code
for an access token and retrieves the user information. - Ory maps the user information to the Identity Schema traits.
- (optional) Ory redirects back to the registration page, requiring the user to provide the values for the missing traits.
When step 4 fails, Ory becomes stuck in a redirect loop. To fix the redirect loop, adjust the Jsonnet configuration for the social sign-in provider so that the data from the provider gets mapped correctly to the Identity Schema.
Read Map and merge profile data to learn more.