<@U04UQ68083H> I am having trouble configuring Hyd...
# ory-copilot
@chilly-king-10285 I am having trouble configuring Hydra, Kratos and the example self-service UI. When performing an authorization code flow (initiated from the hydra CLI with `hydra perform`) I get sent to `hydra/oauth2/auth` with a redirect to the self service login page. This then redirects me to `kratos/self-service/login/browser` to create a new browser login flow. This then redirects me to `self-service-ui/login?flow=flow-id` as expected. However now this is where it seems to go wrong. I again get redirected to `kratos/self-service/login/browser` but this time without a login challenge and the loop continues until the browser stops it with ERR_TOO_MANY_REDIRECTS. This suggests a potential misconfiguration but I am unsure where to look.
A message from kapa.ai
Your description of the redirect loop between Hydra, Kratos, and the self-service UI during the OAuth2 authorization code flow is a common issue and usually points to a misconfiguration in the integration between these components. Based on the knowledge sources, here are the most likely causes and troubleshooting steps:

**1. UI URL Configuration**

Ensure that the `ui_url` for the login flow is set correctly in your Kratos configuration. If this is not set, Kratos will not know where to redirect the browser after initializing the login flow, which can cause redirect loops. The configuration should look like:

```yaml
selfservice:
  flows:
    login:
      ui_url: http://your-self-service-ui/login
```

You can also set this via the `SELFSERVICE_FLOWS_LOGIN_UI_URL` environment variable. If this is missing, you may end up at a fallback page or in a redirect loop [Docs: Kratos Fallback Login UI](https://www.ory.sh/docs/kratos/fallback/login).

**2. Top-Level Domain Matching**

Ory requires that Kratos and your UI are hosted on the same top-level domain (e.g., `ory.example.com` and `app.example.com` are fine, but `ory.example.com` and `example.com` are not). If this is not the case, cookies (including session and CSRF tokens) will not be set correctly, leading to repeated flow initializations and redirect loops [Docs: Self-service flows](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-server-side-apps-nodejs-php-java-).

**3. Session Handling and Cookies**

If the browser is not accepting cookies, or if cookies are not being set due to domain mismatches or misconfigurations, Kratos will not recognize the session and will keep redirecting to create a new login flow. Make sure cookies are being set and sent with each request.

**4. Return-to Parameter and Allowed Return URLs**

If you are using the `return_to` parameter to redirect users after login, ensure that the domain is whitelisted in your Kratos configuration:

```yaml
selfservice:
  allowed_return_urls:
    - https://your-app.com/
```

Otherwise, Kratos will ignore the `return_to` parameter, which can also cause unexpected redirects [Docs: HTTP redirection configuration](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection).

**5. Hydra and Kratos Version Compatibility**

There have been issues reported when the configuration file version does not match the running Kratos version. Ensure your `kratos.yml` matches the version of the Kratos binary you are running [Github Issue #4024](https://github.com/ory/kratos/issues/4024).

**6. Check for Infinite Redirects Due to Missing Traits or Claims**

If you are using social sign-in or OIDC, and required identity traits are not mapped correctly, Kratos may redirect back to the registration or login page repeatedly. This is especially common if the identity schema is not satisfied by the data returned from the provider [Docs: Social sign-in troubleshooting](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in#redirect-loops-after-registration).

Summary of what to check:

- Correct `ui_url` in Kratos config for login flow.
- Kratos, Hydra, and UI are on the same top-level domain.
- Cookies are being set and sent.
- `allowed_return_urls` includes your app domain if using `return_to`.
- Configuration file version matches Kratos binary version.
- All required identity traits are mapped if using OIDC/social sign-in.

If after checking these points the issue persists, please provide more details about your configuration files and the exact URLs/domains in use, as the knowledge sources do not provide further specifics for your scenario.
@chilly-king-10285 The domains for the UI, hydra and kratos share a parent domain. Regarding the cookie issue, could that still occur if kratos is redirecting me with a flow ID in a query parameter? Presumably that indicates that it allows a new flow.
A message from kapa.ai
Yes, a cookie issue can still occur even if Kratos is redirecting you with a flow ID in the query parameter. The presence of a flow ID in the redirect only means that Kratos is able to create a new flow and is redirecting the browser to the UI with that flow ID. However, if cookies (especially CSRF or session cookies) are not being set or sent correctly—due to domain misconfiguration, browser restrictions, or other issues—Kratos will not be able to recognize the user's session or CSRF state on subsequent requests. This can result in repeated flow initializations and redirect loops.

The documentation emphasizes that for browser flows, the anti-CSRF cookie must be included in the request's HTTP Cookie header. If the cookie is missing or not sent (for example, due to a domain mismatch), the flow cannot be completed and a new flow may be started, leading to a loop [Docs: getLoginFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json), [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf).

Additionally, Kratos and your UI must be on the same top-level domain or a properly configured subdomain, and the cookie domain must be set accordingly in your Kratos configuration to ensure cookies are shared as expected [Docs: configuring cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies), [Advanced cookie settings](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies).

So, even if you see a flow ID in the URL, a cookie issue can still prevent the flow from progressing, causing the loop you described.