In Ory, you can set a default redirect URL that applies to all social sign-in providers. This setting cannot be changed on a per-provider basis. If you change the

base_redirect_uri

, it will affect all previously existing and functional social sign-in connections, as Ory Identities will initiate the OIDC flow with the new redirect URL. To use a custom domain as the redirect URL, you need to update the

base_redirect_uri

. Here's how you can do it:

bash ## List all available projects   ory list projects      ## Add OIDC base redirect URI   ory patch identity-config <project-id> \    --add '/selfservice/methods/oidc/config/base_redirect_uri="<https://ory.example.org>"'

After changing the base redirect URI, you need to update the redirect URL of social sign-in providers you want to use. This is done in the configuration of the social sign-in provider. Please note that it's not possible to set any Ory-owned domain as a redirect URL. For more details, refer to the [Ory documentation](https://www.ory.sh/docs/identities/sign-in/social-sign-in/redirect-url).

Yes, you can use query parameters for the organization and client id in Ory. For example, in the OAuth 2.0 Authorization Code Grant, Implicit Grant, or hybrid flow, developers can request audiences at the

/oauth2/auth

endpoint using the

audience

query parameter. The

audience

query parameter can contain multiple strings separated by a URL-encoded space (

+

or

%20

). The audience values must also be URL-encoded. Here is an example of how you can use query parameters:

http https://{project.slug}.<http://projects.oryapis.com/oauth2/auth|projects.oryapis.com/oauth2/auth>    ?client_id=...    &scope=...    &audience=<https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/>

In this example,

client_id

and

audience

are used as query parameters. The

audience

query parameter can contain multiple strings separated by a URL-encoded space (

+

or

%20

). The audience values must also be URL-encoded. For more details, refer to the [Ory documentation](https://www.ory.sh/docs/hydra/guides/audiences#audience-in-authorization-code-implicit-and-hybrid-flows).

@chilly-king-10285 How do I configure the social sign in to work with this kind of uris?

To configure social sign-in with Ory, you need to follow these steps: 1. Define the redirect URL in the following format:

http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>

2. Create a client at your provider to get the Client ID and Client Secret. 3. Set the redirect URI to URL that follows the pattern mentioned in step 1. 4. Create a Jsonnet code snippet to map the desired claims to the Ory Identity schema. 5. Encode the Jsonnet snippet with Base64 or store it in a location available to your Ory Kratos instance. 6. Add the configuration for your social sign-in provider to the Ory Kratos configuration. Add the Jsonnet snippet with mappings as a Base64 string or provide a path or an URL of the file. After changing the base redirect URI, you need to update the redirect URL of social sign-in providers you want to use. This is done in the configuration of the social sign-in provider. To update an existing social sign in provider, follow these steps: 1. Open the Ory Console and navigate to the social sign-in configuration screen. 2. Choose the provider you want to fix and click on the configuration button. 3. Copy the Redirect URI from the form. 4. Replace the Ory Network URL

{project-slug}.<http://projects.oryapis.com|projects.oryapis.com>

with your custom hostname, such as

<http://ory.example.org|ory.example.org>

. 5. Update the Redirect URI - also called Authorization callback URL - in the social sign-in provider configuration. Make sure the Redirect URI matches the hostname you configured in the Ory Network configuration. For example when your custom hostname is

<https://ory.example.org>

, the Redirect URI needs to be

<https://ory.example.org>

, not

<https://www.ory.example.org>

or

<https://ory.example.org/>

. For more details, refer to the [Ory documentation](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc) and [this guide](https://www.ory.sh/docs/identities/sign-in/social-sign-in/redirect-url).