We have an Entra App to distribute to clients via an installation link with the format https://login.microsoftonline.com/common/adminconsent?client_id=<app-client-id>&redirect_uri=https://<kratos-api-endpoint>/self-service/methods/oidc/callback/<provider>. This link then triggers the following flow: https://<kratos-api-endpoint>/self-service/methods/oidc/callback/<provider>?admin_consent=True&tenant=<tenantid>
This results in the following error:
Unable to complete OpenID Connect flow because the OpenID Provider did not return the state query parameter
The Kratos logs show that in fact the query parameters are empty: query:<nil>.
Interestingly, when opening a new tab and attempting to log in, the login flow works. It is only on the initial installation of the app.
Reproducing the bug
Create an Entra App of type Web.
Add a Kratos callback URL.
Attempt to install Entra App in a separate tenant.
Relevant log output
An error occurred and is being forwarded to the error user interface. audience=application error=map[debug: message:The request was malformed or contained invalid parameters reason:Unable to complete OpenID Connect flow because the OpenID Provider did not return the state query.
Relevant configuration
No response
Version
v0.6.3-alpha.1
service_name=Ory Kratos service_version=v1.1.0
Preflight checklist
Ory Network Project
No response
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
No response
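The redirect described in this issue carries `admin_consent` and `tenant` rather than the `code` and `state` of an OIDC authorization response. As an added example (not from the issue and not Kratos's own code), this Go function tells the two apart from the callback query string, so an admin-consent redirect can be handled separately instead of being fed to a state-checking OIDC callback; `ClassifyCallback` and the kind names are hypothetical, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// CallbackKind labels what arrived at the redirect URI (hypothetical names).
type CallbackKind string

const (
	KindOIDCResponse  CallbackKind = "oidc_authorization_response"
	KindAdminConsent  CallbackKind = "admin_consent_redirect"
	KindProviderError CallbackKind = "provider_error"
	KindUnknown       CallbackKind = "unknown"
)

// ClassifyCallback inspects the raw query string of a request to the redirect URI.
// It never relaxes the state requirement: only code+state counts as an OIDC response.
func ClassifyCallback(rawQuery string) (CallbackKind, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return KindUnknown, err
	}
	switch {
	case q.Get("error") != "":
		return KindProviderError, nil
	case q.Get("code") != "" && q.Get("state") != "":
		return KindOIDCResponse, nil
	case q.Get("admin_consent") != "" && q.Get("tenant") != "" && q.Get("code") == "":
		// Shape reported in the issue: ?admin_consent=True&tenant=<tenantid>
		return KindAdminConsent, nil
	default:
		return KindUnknown, nil
	}
}

func main() {
	// Constructed sample queries; tenant, code and state values are placeholders.
	samples := []string{
		"admin_consent=True&tenant=00000000-0000-0000-0000-000000000000",
		"code=constructed-code&state=constructed-state",
		"error=access_denied&error_description=constructed",
		"",
	}
	for _, s := range samples {
		kind, _ := ClassifyCallback(s)
		fmt.Printf("%q -> %s\n", s, kind)
	}
}
```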