ancient-judge-84558
03/20/2025, 7:08 PM

brief-egg-61061
03/20/2025, 7:08 PM

brief-egg-61061
03/20/2025, 7:09 PM
`our.domain` when you initiate the login flow through your NextJS server at `our.domain/api/.ory`, but when Google redirects back to `ory.our.domain`, the cookie isn't available because it was set on a different domain.

## Solution

There are a few approaches to solve this:

### 1. Configure Cookie Domain

You need to ensure that cookies are set on a domain that's accessible by both your application and the Ory redirect URL. The best approach is to set the cookie domain to your root domain:

```yaml
session:
  cookie:
    domain: our.domain
```
This configuration allows the cookie to be shared across all subdomains of `our.domain` [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies).

### 2. For NextJS Edge Integration

If you're using the Ory NextJS Edge integration, you need to set the `forceCookieDomain` option to your top-level domain (without www):

```javascript
// In your NextJS Edge configuration
// createApiHandler comes from the Ory NextJS Edge integration package
import { createApiHandler } from "@ory/integrations/next-edge"

export default createApiHandler({
  // ...other options
  forceCookieDomain: "our.domain" // Not "www.our.domain"
})
```
This is crucial as mentioned in a GitHub issue where a similar problem was solved [Cookies not being sent to backend after deploying](https://github.com/ory/network/issues/53).

### 3. Ensure Consistent Domain Structure

Make sure your domain structure follows best practices:

- Run Ory at `ory.our.domain`
- Host your backend API at `api.our.domain`
- Serve your frontend UI at `www.our.domain` or another subdomain

This setup allows both your frontend and backend to access the authentication session cookies managed by Ory [Migrate to Ory tutorial](https://www.ory.sh/docs/migrate-to-ory#integrate-frontend).

### 4. Check OIDC Configuration

For social sign-in, ensure your OIDC callback URL is correctly configured:

```
http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>
```
And make sure to add the `session` hook to `after/oidc/hooks` in your configuration:

```yaml
selfservice:
  flows:
    registration:
      after:
        oidc:
          hooks:
            - hook: session
```
This prevents users from having to log in again after signing up [Social sign-in](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc).

## Important Notes

1. HTTP Cookies aren't port-specific but are domain-specific
2. Cookies in Ory Kratos are always `httpOnly`
3. Unless in dev mode, cookies are only sent over HTTPS
4. It's possible to set a cookie for a parent domain from a subdomain, but not vice versa

If you continue to have issues, check your browser's developer tools to inspect the cookies being set and ensure they have the correct domain. Hope this helps resolve your social login issue!