In Ory's self-service flows, issues are handled differently based on the type of error that occurs. If a system error occurs, such as a broken configuration file, the browser is redirected to the Error UI. This is a user-facing interface that provides information about the error that occurred. If the form payload is valid, the flow completes successfully. The result depends on the flow itself. For example, the login flow redirects the user to a specified redirect URL and sets a session cookie. The registration flow also redirects to a specified redirect URL but only creates the user in the database and might issue a session cookie if configured to do so. For client-side rendered browser applications such as Single Page Applications (SPAs), the submission is handled in the background through AJAX or fetch using a POST request to the Ory project URL. For server-side rendered browser applications, the submission is handled by a native form POST to the Ory project URL. Sources: - [Form submission and payload validation Part 2](https://www.ory.sh/docs/kratos/self-service#form-submission-and-payload-validation) - [Single-page application (SPA)](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#single-page-application-spa-1) - [Server-side (browser) application](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#server-side-browser-application-1)

The

/self-service/methods/oidc/callback

endpoint is used in the OpenID Connect (OIDC) flow for social sign-ins. If there's an error during this process, it's typically related to the

redirect_uri

parameter not matching the authorized redirect URI added to the social sign-in provider. If you get a

redirect_uri

mismatch error in a project created before September 2022 that uses a custom domain, you can mitigate this by removing the

/selfservice/methods/oidc/config/base_redirect_uri

configuration entry. This can be done using the Ory CLI command:

bash ## List all available projects   ory list projects      ## Remove the configuration entry   ory patch identity-config <project-id> \    --remove '/selfservice/methods/oidc/config/base_redirect_uri'

Please note that removing the

base_redirect_uri

can break previously existing and functional social sign-in connections. To fix a broken connection, choose the provider you want to fix from the Ory Console social sign-in configuration screen and copy the redirect URI. Use the value you copied to update the callback URL configuration of the social sign-in provider. Sources: - ['redirect_uri' mismatch](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect_uri-mismatch) - [Social sign-in

redirect_uri_mismatch

error (OTA-092022-01)](https://www.ory.sh/docs/troubleshooting/oidc-redirect-url-cname-OTA-092022-01)

In Ory, error handling can be configured globally and per access rule. Ory Oathkeeper, for instance, will first check for any access rule specific error handling before falling back to the globally defined error handling. For instance, if a redirect code is invalid and can't be handled, you can set up error handlers in the global Ory Oathkeeper config. The

json

error handler is always enabled by default. If

config.when

is empty, the error handler will always match. This can be a problem because Ory Oathkeeper now doesn't know if it should redirect or send a JSON error. Therefore, an additional configuration - called

fallback

- is available. This feature tells Ory Oathkeeper that the

json

error handler should be used as fallback. You could also define multiple fallback handlers - the first matching handler will be the one and only executed. Here is an example of how you can configure the error handling:

yaml # .oathkeeper.yaml   errors:     fallback:       - json        handlers:       json:         enabled: true # this is true by default       redirect:         enabled: true # this is false by default         config:           to: <http://mywebsite/login>

In this configuration example, Ory Oathkeeper would first check if the HTTP Request Header contains

Accept: text/html

(or

text/xhtml

,

text/text

, ...) and if not, would return a JSON Error Message. Sources: - [Fallback](https://www.ory.sh/docs/oathkeeper/pipeline/error#fallback) - [Error Handling](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#error-handling)