We have a tricky problem with expired or deleted sessions. Let’s say a user is logged in and gets a session cookie. When the session expires on the server, the session cookie is still in the browser. Every call to our backend now gives a 401. And since the Cookie is httpOnly, we can’t delete it on the client side. An Ory logout flow is rejected with 401 by Ory as well. What is the correct way to handle this situation?

Hey team, We are currently doing our first production deployment 🎉 but are facing an issue: • We use a social login provider (keycloak) • The Ory login flow as been working with a local dev setup • On the production instance the login is successful ◦ The cookies get set and we are redirected to the page we wanted • But then all the subsequent calls to .toSession fail with 401 and we get stuck in a redirect loop login <> redirect page Does anyone have any clue what we could be missing? Thank you and have a good day :)

If I add a

return_to

param to the logout url, the redirect only seems to work if the value is a subpath of one of my allowed urls. It does not work if I try to redirect to just the root/base path. e.g. if I had

https://*.<http://example.com/|example.com/>

in my allowed urls, I can redirect to

<https://foo.example.com/bar>

but I can’t redirect to

<https://foo.example.com/>

.

Hi Ory team, we have a working environment on production with “Authorization code flow”. It worked yesterday but right now when ever we want to validate or refresh token the oauth2/token endpoint response 404 with this error code

payload: {
      error: 'invalid_grant',
      error_description: 'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The refresh token has not been found: not_found'
    }

@fast-lunch-54279 @bland-eye-99092 Apologies for bothering you, I’m just setting up Ory and want to subscribe but I’m having trouble managing the owner of my project. Ideally I’d like to be able to add my manager (who is the holder of the almighty CC!) to it to manage billing, but it appears in the manage collaborators page I’m unable to do so. What is the workflow here?

The “Last Login” value doesn’t display correctly when the identity doesn’t have any active sessions but has inactive ones.

Hi Ory team! Can Ory Cloud platform send automated registration emails when inviting new user? Or is there a way to workaround the flow of manual sending the recovery link? Thank you in advance!

Our Ory project just suddenly had it’s config changed, did something happen in your system? It seems to have been reverted somehow to the config of another project

Hi, I have tried the example and having same issue in my local mentioned here. Having

authorizers.remote_json.enabled: false

makes the pod up but then none of endpoints like http://ory.test.info/panel/welcome works. Wondering what would be the fix to have the example up and running?

If a user haven't registered before with "sign up with google" they're still able to directly sign in with "sign in with google". This also creates an identity on the ory network. Is this intended? And would creating an account in this way trigger the after registration oidc hook?

Hi, would like to know how can i disable

Ory Account Experience

entirely in production?

Hi , can anyone suggest, how I can pass the body in webhook? I am facing a problem converting base64 encoded jsonnet?

hi can anyone help me to implement a reset password through link

How can I disable verification email for the users who are coming through invitation flow.

Is it possible to issue a session to the user after verification? Something similar to "Sign in after registration" but instead of registration it is after email verification. Using a post verification web hook might be an approach? But I'm not sure if it's possible to create new sessions there...

Hi, I’m trying to get Oauth working with a next.js app for local development. I’ve been using

@ory/integrations/next-edge

to handle proxying Ory cloud locally to avoid CORS issues. This has worked fine with our integration with Ory Identities. I’m now having trouble getting this to work with Hydra as the proxied openid discovery endpoint (

.well-known/openid-configuration

) returns relative paths for the Authorization and Token endpoints in this configuration. This causes issues with the OIDC library we are using to obtain tokens (

react-oidc-context

). Is there a known good configuration for doing Oauth with Ory and next.js with ``@ory/integrations/next-edge` that I can use here?

Hello again Oryers! I have yet another question, this time Kratos-related: We are using the after login webhook (interrupting, for validation purposes). Now I've recently seen some requests where the

login.Flow.Active

is unset, and thereby omitted. I'm not sure how a flow can get into a state where the CredentialsType is not set, particularly since this is in the "after" hook - but it results in the jsonnet parser failing because the field does not exist (in the json body that is, it's annotated with omitempty). So, 1: How can a login flow even get into a state where there is no credentials type? and 2: Is the entire field meant to be optional, since it's 'omitempty'? For clarification, we use that field in our validation logic, since there are different things to validate depending on what login type is used 🙂.

Hi all, Been lurking for a bit trying to find an answer to an issue I’m having with CORS. We’re using Ory-Network, simple Password Login. Basically following: https://www.ory.sh/docs/getting-started/integrate-auth/nextjs to the letter. Works perfectly well for local development using the tunnel etc. The second I try to migrate to a custom domain, I get CORS issues left right and center. See attached image. I’ve got some slight code modifications where I’m wrapped everything in a Login Button control:

import { useState, useEffect } from "react";
import { useRouter } from 'next/router';
import { Button } from "@mui/material";
import style from './LoginButton.module.css';
import ory from './Ory'


interface LoginButtonProps {
  onSignedIn?: (signedIn: boolean) => void;
}

function LoginButton(props: LoginButtonProps) {
  const router = useRouter();
  const [isLoggedIn, setIsLoggedIn] = useState(false);
  const [logoutUrl, setLogoutUrl] = useState<string>();


  function handleLogin() {
    
    ory.createBrowserLoginFlow().then((response) => {
      router.push(`${process.env.NEXT_PUBLIC_ORY_SDK_URL}/ui/login`);
    })
  }

  useEffect(() => {
    ory.toSession()
      .then((response) => {
        setIsLoggedIn(true);
        ory.createBrowserLogoutFlow().then(({ data }) => {
          setLogoutUrl(data.logout_url);
        });
      })
      .catch(() => {
        setIsLoggedIn(false);
      })
      .finally(() => {
        if (props.onSignedIn) {
          props.onSignedIn(isLoggedIn);
        }
      });
  }, [isLoggedIn, props]);

  if (!isLoggedIn)
    return <Button onClick={handleLogin} className={style.loginbuttonstyle}>Log In</Button>
  else
    return <></>

}

export default LoginButton;

with Ory.tsx containing:

import { Configuration, FrontendApi } from "@ory/client";

const ory = new FrontendApi(
    new Configuration({
        basePath: process.env.NEXT_PUBLIC_ORY_SDK_URL,
        baseOptions: {
            withCredentials: true,
            
        },
    })
);

export default ory;

Ory is setup with the customer domain details in the second attached pic Final pic shows DNS settings inside of Vercel. Desperate to get this solved and would appreciate any help at all.

Hey, we just created our second Ory Project with a subscription and want to change the owner e-mail of our Project. We were not able to figure out how to do this via the Console. Can you help?

Unrelated question, when using Social Sign-in. Is it possible to craft a URL / send some Authorization Request that would by default "force" user to login with some specific Social Sign-in? Or hide one of the buttons for internal users?

@fast-lunch-54279 For one of our workflows we need to automate patching some of the identity-config in CI (to enable redirect urls on ephemeral environments that we create on each PR). I’ve created an API key in the console to do this, and this works to allow me to use the identity APIs. However I can’t for the life of me get this to work with the project management API (specifically to patch the project configuration). Is there a separate way of authenticating against this API and what is your recommended flow to do this in a CI environment?

How to integrate any third party applications with ory cloud identity and access management( like using api keys or client credentials)

@bland-eye-99092 Hi, we're using ory console now. But it's wired that we cannot get user's email when using /userinfo endpoint. The identity model is default

email and password

. And the data mapping for github is also the one in the documentation. Did I make mistakes?

Hi, Is there any way to prohibit a user from changing his e-mail address? We have a B2B product, and our customers invite their users. The users shall not be able to change their email address on their own. Is there any way to configure an identity or a schema like that?

Hey, when implementing a custom login / consent page. The Ory redirects to our page with the

login_challenge

and we need to call Ory Admin API to understand more about the flow, such as the client metadata. This adds an additional backend call to our frontend hence extra latency. Is there a way to configure Hydra so the redirection is done with extra information in the URL? Such as

client_id

etc.?

I have 2 webhooks set up, and one of them doesn’t seem to be triggering. I have a

login.after.password

flow-interrupting one that is working as expected. But the

login.after

non-blocking/async one is not sending requests to my endpoint.

Can any ory support staff help me out with some logs please? I'm getting a

13 INTERNAL: Received RST_STREAM with code 0

when making calls to Keto (in ory Network) from node (over grpc, hence the non-http error code), and I would really like to know why 🙂

Hey, I have a question about running Ory Proxy in a kubernetes pod. What could I use as readiness/liveness probes?

📢 Important Announcement: Upcoming IP Address Changes Hello everyone, As part of our ongoing commitment to enhancing the security and reliability of our services, we will be introducing new source IP addresses for our webhooks in 3 weeks - 16.06.2023 11:00 CET. This change is important to ensure the continued smooth operation of our services and to further enhance your security. Please note, if you do not have any firewall rules set up on your side, no action is required on your part. This update primarily affects users who have configured their firewall settings to only allow traffic from specific IP addresses. For those who do have firewall rules, please take a moment to review our updated list of IP addresses and ensure that your firewall settings are updated to allow traffic from these new addresses once they're live. This is crucial to prevent any disruptions to your service. You can find the detailed information, along with a list of the new IP addresses, in our documentation at https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks. We recommend marking your calendars and starting to prepare for this change as soon as possible. If you have any questions or need assistance, please don't hesitate to reach out.

https://ory-community.slack.com/archives/C02MR4DEEGH/p1685101396062509 <!channel> Please take note of upcoming changes to webhooks. more details in the post above ☝️