Skip to main content

Social sign-in troubleshooting

'redirect_uri' mismatch

Ensure that the redirect_uri query parameter in the URL matches the authorized redirect URI added to the social sign-in provider.

https://{provider}/o/oauth2/v2/auth?client_id=(...)&
redirect_uri=https://$PROJECT_SLUG.projects.oryapis.com/self-service/methods/oidc/callback/{provider}&
response_type=code&scope=email+profile+openid
info

If you get a redirect_uri mismatch error in a project created before September 2022 that uses a custom domain, refer to this document for troubleshooting information.

'oryapis.com' doesn't work as authorized redirect URI

Integration with social sign-in providers may require proving the ownership of the authorized redirect URI domain. If that is the case, you must use a custom domain and the https://$PROJECT_SLUG.projects.oryapis.com URL can't be used as the redirect URI.

To add your domain to the redirect_uri query parameter when redirecting to the social sign-in provider, adjust your project's base_redirect_uri configuration. To do that, use the Ory CLI:

ory patch identity-config --project <project-id> --workspace <workspace-id> --add '/selfservice/methods/oidc/config/base_redirect_uri="https://ory.your-custom-domain.com"'
tip

Ensure that the custom domain is added to the social sign-in provider as an authorized redirect URI.

Redirect loops after successful registration

Ory redirects users back to the registration page after a successful OIDC flow when some identity traits, for example a phone number, couldn't be mapped using the data received from the social sign-in provider and require manual input from the user.

However, when the Jsonnet configuration for the social sign-in provider is incorrect and Ory can't map the data correctly, the user sees no input fields and the registration page gets stuck in a redirect loop.

To understand how to fix the problem, let's look at how Ory handles the OIDC registration flow. There are 5 steps that the system performs when users register with a social sign-in provider:

  1. Redirect to the social sign-in provider.
  2. Redirect back to Ory with a code query parameter.
  3. Ory exchanges the code for an access token and retrieves the user information.
  4. Ory maps the user information to the Identity Schema traits.
  5. (optional) Ory redirects back to the registration page, requiring the user to provide the values for the missing traits.

When step 4 fails, Ory becomes stuck in a redirect loop. To fix the redirect loop, adjust the Jsonnet configuration for the social sign-in provider so that the data from the provider gets mapped correctly to the Identity Schema.

tip

Read Map and merge profile data to learn more.