<@U04UQ68083H> - how can I retrieve the authorizat...
# ory-copilot
@chilly-king-10285 - how can I retrieve the authorization code when using createBrowserLoginFlow that I see inside of ory tunnel when using an OIDC connection to Microsoft Entra
A message from kapa.ai
To retrieve the `returnSessionTokenExchangeCode` when using `createBrowserLoginFlow`, you need to follow a specific process that involves using the API flow rather than the browser flow. The `returnSessionTokenExchangeCode` is not directly available in the browser flow, which is what you see in the Ory Tunnel. Instead, you should use the native (API) login flow with specific parameters. Here's how you can do it:

1. Initiate a native login flow by calling the `createNativeLoginFlow` endpoint: [Ory API Reference](https://www.ory.sh/docs/reference/api#tag/frontend/operation/createNativeLoginFlow)
   Make a GET request to `/self-service/login/api` with the following query parameters:
   - `refresh=false` (optional, default is false)
   - `return_session_token_exchange_code=true` (this is crucial for getting the exchange code)
   - `return_to=<your-app-url>` (optional, but recommended for redirecting after login)
2. In the response, you'll receive a `session_token_exchange_code` in the login flow object. This is the first part of the code you'll need.
3. After the user completes the login process, you'll receive the second part of the code in the `return_to` URL's query parameter.
4. Finally, you can exchange these two parts of the code for a session token using the `exchangeSessionToken` endpoint: [Ory API Reference](https://www.ory.sh/docs/reference/api#tag/frontend/operation/exchangeSessionToken)
   Make a GET request to `/sessions/token-exchange` with the following query parameters:
   - `init_code=<first-part-of-code>`
   - `return_to_code=<second-part-of-code>`

This process is designed for native applications and API clients, not for browser-based flows that you might see in Ory Tunnel. If you need this functionality in a browser-based application, you'll need to implement the native flow using AJAX requests or similar techniques.

For more detailed information on implementing this flow in native applications, you can refer to the Ory documentation on social sign-in for native and mobile apps: [Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps#implementation)

This guide provides step-by-step instructions and code examples for implementing the native app authentication flow, which includes retrieving and using the session token exchange code.
A message from kapa.ai
I apologize, but I don't have specific information about retrieving a code when using `createBrowserLoginFlow` with an OIDC connection to Microsoft Entra in the context of Ory Tunnel. The knowledge sources provided don't contain information about this specific scenario. However, I can provide some general information about the browser login flow in Ory:

1. The browser login flow is typically initiated using the `createBrowserLoginFlow` endpoint, which is different from the native (API) flow we discussed earlier.
2. For browser-based flows, Ory doesn't typically return a session token exchange code directly. Instead, it usually sets a session cookie for browser-based authentication.
3. When using OIDC connections (like with Microsoft Entra), the flow typically involves redirecting the user to the identity provider for authentication and then back to your application.

If you're seeing a code in Ory Tunnel when using an OIDC connection to Microsoft Entra, it might be related to the OIDC flow itself rather than an Ory-specific code. OIDC flows often involve authorization codes, but these are typically handled internally by Ory during the authentication process.

To get more specific information about what you're seeing in Ory Tunnel and how to retrieve or use any codes involved in the OIDC flow with Microsoft Entra, I would recommend:

1. Checking the Ory documentation for any specific instructions related to Microsoft Entra integration.
2. Reviewing the logs or output in Ory Tunnel to understand the context of the code you're seeing.
3. Reaching out to Ory support or community forums with the specific details of what you're observing in Ory Tunnel.

If you need to implement a flow that requires retrieving a code, you might want to consider using the native (API) flow as described in the previous answer, which does provide a mechanism for retrieving a session token exchange code. [Ory API Reference](https://www.ory.sh/docs/reference/api#tag/frontend/operation/createNativeLoginFlow)

Remember that the browser flow and API flow have different use cases and security considerations, so choose the appropriate one for your application's needs.
A message from kapa.ai
I apologize, but I don't have specific information about retrieving an authorization code when using `createBrowserLoginFlow` with an OIDC connection to Microsoft Entra in the context of Ory Tunnel. The knowledge sources provided don't contain information about this specific scenario. However, I can provide some general information about the OAuth2 Authorization Code flow, which is likely what you're observing:

1. In the OAuth2 Authorization Code flow, the authorization code is typically sent to a redirect URI after the user authenticates and authorizes the application.
2. When using Ory with an OIDC provider like Microsoft Entra, Ory acts as an OAuth2 client to the OIDC provider.
3. The authorization code is an intermediate step in the OAuth2 flow and is usually exchanged for tokens immediately after it's received.

If you're seeing an authorization code in Ory Tunnel, it's likely part of the OAuth2 flow between Ory and Microsoft Entra. Normally, you wouldn't need to retrieve this code manually, as Ory should handle the exchange automatically. However, if you need to implement a custom flow or debug the process, you might want to:

1. Set up a custom redirect URI that your application can handle.
2. Configure your OAuth2 client in Ory to use this redirect URI.
3. Implement an endpoint in your application to receive the authorization code.

Here's an example of how you might create an OAuth2 client with a custom redirect URI:
```
ory create oauth2-client --project "$PROJECT_ID" \
  --name "Authorization Code Grant with OpenID Connect Demo" \
  --grant-type authorization_code,refresh_token \
  --response-type code \
  --redirect-uri http://127.0.0.1:4446/callback
```
[Run your own OAuth2 Server](https://www.ory.sh/run-oauth2-server-open-source-api-security/#perform-oauth2-authorization-code-flow-and-openid-connect)

Remember that directly handling authorization codes can have security implications. In most cases, it's better to let Ory handle the entire OAuth2 flow internally.

For more detailed information about implementing OAuth2 flows with Ory, you might want to refer to: [OAuth2 Authorization Code Flow](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow)

If you need specific guidance on how to integrate with Microsoft Entra or debug the OIDC flow in Ory Tunnel, I recommend reaching out to Ory support or consulting their community forums for the most up-to-date and specific information.