diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 01ba83b5e..2bd183ff7 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -30,7 +30,7 @@ jobs:
           fetch-depth: 0
       - name: Install dependencies
         run: npm i
-      - uses: chromaui/action@5f2cdb26c04c0364f5c8ca3fc41627a83d6ffc8a # v1
+      - uses: chromaui/action@v17.4.1
         with:
           projectToken: ${{ secrets.CHROMATIC_TOKEN }}
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/src/components/Authentication/Kratos/ory/errors.tsx b/src/components/Authentication/Kratos/ory/errors.tsx
index bb0c7d89d..d07806e08 100644
--- a/src/components/Authentication/Kratos/ory/errors.tsx
+++ b/src/components/Authentication/Kratos/ory/errors.tsx
@@ -19,10 +19,18 @@ export function handleGetFlowError<S>(
         return;
       case "session_already_available": {
         // User is already signed in; continue the requested flow when return_to is present.
-        const returnTo = new URLSearchParams(window.location.search).get(
-          "return_to"
+        const returnTo = sanitizeReturnTo(
+          new URLSearchParams(window.location.search).get("return_to")
         );
-        await router.push(sanitizeReturnTo(returnTo));
+
+        // /oidc/* is served by the backend via Next rewrites, which only fire on
+        // real navigations, not client-side router.push.
+        if (returnTo.startsWith("/oidc/")) {
+          window.location.assign(returnTo);
+          return;
+        }
+
+        await router.push(returnTo);
         return;
       }
       case "session_refresh_required":
diff --git a/src/components/Authentication/Kratos/ory/hooks.ts b/src/components/Authentication/Kratos/ory/hooks.ts
index 695657aa8..d66ef7e39 100644
--- a/src/components/Authentication/Kratos/ory/hooks.ts
+++ b/src/components/Authentication/Kratos/ory/hooks.ts
@@ -35,10 +35,18 @@ export function handleGetFlowError<S>(
         return;
       case "session_already_available": {
         // User is already signed in; continue the requested flow when return_to is present.
-        const returnTo = new URLSearchParams(window.location.search).get(
-          "return_to"
+        const returnTo = sanitizeReturnTo(
+          new URLSearchParams(window.location.search).get("return_to")
         );
-        await router.push(sanitizeReturnTo(returnTo));
+
+        // /oidc/* is served by the backend via Next rewrites, which only fire on
+        // real navigations, not client-side router.push.
+        if (returnTo.startsWith("/oidc/")) {
+          window.location.assign(returnTo);
+          return;
+        }
+
+        await router.push(returnTo);
         return;
       }
       case "session_refresh_required":