Thanks for your reply. I missed it before I went on vacation.
When I used the oauth sign-in again today with the "institutional access" method, everything worked as expected. So my problem appears to be solved.
For reference, the sequence of URLs that I see today are:
6) and finally back to my app, as expected.
I didn't record a trace of the failed redirects from last week, but it seemed like somewhere around step 4 or 5 there was redirect to https://orcid.org/
and that ended the sequence. The redirects didn't make it back to my application.
Thanks again for your help,