<@U04UQ68083H> When I try to signup with Kratos on...
# ory-copilot
@chilly-king-10285 When I try to signup with Kratos on mobile (api flow): the flow is ok until the end, when `/self-service/methods/oidc/callback/google` should redirect to `app://oidc_complete?code=<code to exchange against a token>`, it redirects to `app://oidc_complete` without the query param
A message from kapa.ai
Based on the knowledge sources, your expectation is correct: in a native/mobile app flow with Ory Kratos, after a successful OIDC sign-in, the user should be redirected to your app’s custom scheme URL (e.g., `app://oidc_complete?code=<code>`), and the code should be present as a query parameter. This code is then exchanged by the app for a session token. However, you are observing that the redirect happens to `gdc://oidc_complete` without the `code` query parameter.

### What should happen

- The native app initializes the flow with `return_to=app://oidc_complete` and `return_session_token_exchange_code=true`.
- After successful authentication, Ory should redirect to `app://oidc_complete?code=<code>`, where `<code>` is the session token exchange code you need to complete the login in your app.

### What you are seeing

- The redirect happens to `gdc://oidc_complete` (note: different scheme?) and the `code` parameter is missing.

### Possible causes and troubleshooting

1. Scheme mismatch: Double-check that the `return_to` parameter you pass when initializing the flow exactly matches the scheme and path your app expects (e.g., `app://oidc_complete`). If you initialize with `app://`, but the redirect is to `gdc://`, this could be a configuration or typo issue.
2. Missing or incorrect `return_session_token_exchange_code`: Ensure you are setting `return_session_token_exchange_code=true` when initializing the flow. This is required for the code to be returned in the redirect URL. If this parameter is missing, the code will not be included in the redirect.
3. Known issues and fixes: There was a known issue where, in case of errors, the `return_to` parameter was not respected and the user was redirected to the browser UI instead. However, for successful flows, the code should be present in the redirect URL as described in the documentation and confirmed in the issue tracker. If you are seeing this issue even on successful authentication, it may be a bug or a misconfiguration. The expected behavior is described here:

   > Ory Network issues a session for the user and redirects the browser to the application's `return_to` URL (12). The native application receives the second part of the session token exchange code in the `code` URL query parameter.

   [Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps#implementation)
4. Check for typos or configuration mismatches: Make sure the redirect URI registered with your OIDC provider matches exactly what Ory is using, and that your app is set up to handle the correct scheme.

### Summary

- The redirect should include the `code` parameter if the flow is initialized correctly.
- If it does not, double-check the `return_to` value, the use of `return_session_token_exchange_code`, and your app’s URL scheme.
- If everything is configured correctly and the issue persists, it may be a bug. In that case, consider opening an issue with Ory, providing the exact flow initialization parameters and observed behavior.

If you need more detailed troubleshooting, please provide the exact initialization request and the full redirect URL you receive.

References:

- [Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps#implementation)
- [Github Issue: return_to parameter of registration/login api flows don't work for errors](https://github.com/ory/network/issues/344)
A message from kapa.ai
Based on the knowledge sources, in a native/mobile app flow with Ory Kratos, after a successful OIDC sign-in, the user should be redirected to your app’s custom scheme URL (e.g., `app://oidc_complete?code=<code>`), where the code is included as a query parameter. This code is then exchanged by the app for a session token. The correct flow is described in the official documentation:

> Ory Network issues a session for the user and redirects the browser to the application's `return_to` URL. The native application receives the second part of the session token exchange code in the `code` URL query parameter.

[Social sign-in for native and mobile apps – Implementation](https://www.ory.sh/docs/kratos/social-signin/native-apps#implementation)

If you are seeing that the redirect happens to `app://oidc_complete` without the `code` query parameter, this is not the expected behavior according to the documentation. The knowledge sources do not provide a specific troubleshooting step for this exact symptom, but they do emphasize:

- You must initialize the flow with both `return_to=app://oidc_complete` and `return_session_token_exchange_code=true` for the code to be included in the redirect URL.
- If these parameters are set correctly and the issue persists, it may indicate a bug or a misconfiguration.

If you have confirmed that both parameters are set as described and the problem remains, the knowledge sources do not provide further troubleshooting steps for this scenario. In that case, you may need to reach out to Ory support or file an issue with detailed information about your flow initialization and observed behavior.

Summary:

- The code should be present in the redirect URL if the flow is initialized correctly.
- If it is missing, double-check your initialization parameters.
- If the problem persists, the knowledge sources do not provide a solution for this specific issue.

[Social sign-in for native and mobile apps – Implementation](https://www.ory.sh/docs/kratos/social-signin/native-apps#implementation)