# talk-kratos
s
Hi, we added a generic OIDC provider as per the docs. We are getting an error: "Unable to complete OpenID Connect flow because the OpenID Provider did not return the state query parameter". Is there any specific config that is required for the generic OIDC provider that could cause this issue?
r
That sounds like a problem on the OIDC provider's end.
s
@refined-kangaroo-48640 I did some debugging on the Kratos code. Kratos is expecting the state query parameter in the callback to be a base64-encoded string, which contains a string in the format (UUID:data). Once decoded, it checks the UUID against different flows such as login, registration, and settings. If the UUID in the state query parameter matches the flow UUID generated by Kratos, it proceeds; otherwise, it may reject the request or handle it differently. This is where it is failing: https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L255. The state query param is base64-decoded here: https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L163. The state flow ID is validated over here: https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L255-L288. If the state query parameter is expected to contain the Kratos flow ID, am I missing something?
r
Sounds correct. The error message comes from here: https://github.com/ory/kratos/blob/9710549ea18c36e0f580ea5496a352d4f9d54fec/selfservice/strategy/oidc/strategy.go#L298. If the OIDC provider doesn't give us back the state param: 1. that's a violation of OAuth2; 2. we couldn't proceed anyway.
s
Thanks @refined-kangaroo-48640. There was a mistake on my end, as I was not initiating the OIDC flow (for the generic provider) with Kratos. Instead, I directly hit the IdP auth endpoint, which didn't receive the Kratos-generated state in the first place to return it in the callback.