<@U04UQ68083H> error=map[debug:key ory_kratos_oidc...
# ory-copilot
@chilly-king-10285 error=map[debug:key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity
A message from kapa.ai
The error message `error=map[debug:key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity]` indicates that Ory Kratos is unable to find the required OIDC authorization code session information in the `ory_kratos_continuity` cookie. This typically happens during OIDC (social login) flows when Kratos expects to resume a session using data stored in this cookie, but the cookie is missing, inaccessible, or not set correctly.

Common causes and troubleshooting steps:

1. Cookie Domain Issues: If Kratos and your UI or OIDC callback endpoint are on different subdomains, the `ory_kratos_continuity` cookie may not be accessible to Kratos after the redirect from the OIDC provider. Currently, the domain for this cookie is not configurable, which can cause issues in multi-subdomain setups. This is a known limitation and has been discussed as a feature request to allow configuring the domain for the continuity cookie, similar to other Kratos cookies. Without this, Kratos may not be able to access the cookie and thus cannot resume the session after OIDC login, resulting in the error you see. [See related discussion and user reports](https://github.com/ory/kratos/issues/2713).
2. API vs. Browser Flows: In API flows (as opposed to browser-based flows), the continuity container (which holds the session data) cannot be retrieved from the database without the `ory_kratos_continuity` cookie. This is problematic for native or API-based flows, as the current implementation only looks for the cookie in the browser context. [See explanation and technical details](https://github.com/ory/network/issues/345).
3. Redirects and Cookie Loss: If the OIDC provider redirects back to a domain that does not have access to the original continuity cookie, or if the cookie is not set due to misconfiguration (e.g., missing or incorrect domain/path, or issues with SameSite/secure flags), Kratos will not be able to resume the session.

What you can do:

- Ensure that your Kratos instance and the UI/OIDC callback are on the same domain or properly configured subdomains, and that cookies are set with the correct domain attribute if possible.
- If you are running into this issue in an API/native flow, be aware that this is a known limitation and may require a workaround or waiting for a future update that allows for continuity container handling outside of browser cookies.
- Monitor the related GitHub issues for updates on configurability and fixes.

Summary: This error is most often caused by the inability of Kratos to access the `ory_kratos_continuity` cookie due to domain or flow context issues. There is currently no direct configuration to set the domain for this cookie, which can cause problems in multi-subdomain or API-based setups. This is a known issue and is being discussed in the Ory community for future improvements.

References:

- [Kratos continuity cookie domain issue](https://github.com/ory/kratos/issues/2713)
- [Traits lost in OIDC API flow due to missing continuity cookie](https://github.com/ory/network/issues/345)
@chilly-king-10285 how can I use the callback endpoint without ory_kratos_continuity?
A message from kapa.ai
Currently, based on the available knowledge sources, Ory Kratos relies on the `ory_kratos_continuity` cookie to resume the OIDC flow after the callback from the identity provider. This cookie is essential for Kratos to retrieve the continuity container, which holds the necessary state to complete the authentication process.

In API/native flows, this reliance on the continuity cookie is problematic because the current implementation only looks for the cookie in the browser context. As a result, if the cookie is missing or inaccessible (for example, due to domain or subdomain issues), Kratos cannot resume the session, and the flow fails.

There is no documented way to use the callback endpoint without the `ory_kratos_continuity` cookie at this time. This limitation is acknowledged by the Ory team, and a solution—such as attaching the continuity container to the state parameter for native flows—has been discussed but is not yet implemented or available in the documentation or product as of now [Traits lost in OIDC API flow due to missing continuity cookie](https://github.com/ory/network/issues/345).

Summary: You cannot currently use the OIDC callback endpoint without the `ory_kratos_continuity` cookie. This is a known limitation for API/native flows, and there is no official workaround documented in the knowledge sources. If this is a blocker for your use case, you may want to follow the related GitHub issues for updates on future improvements.