# ory-copilot
@chilly-king-10285 Can you explain this error? The return_to URL is rejected but listed in the allowed URLs:

```json
{
  "id": "2882f244-e299-4ddc-a998-3134e7030cb0",
  "error": {
    "code": 400,
    "debug": "Allowed domains are: http://localhost:3000/.ory, /ui/logout, /ui/consent, /ui/welcome, /ui/sessions, http://localhost:3000/.ory/ui/error, http://localhost:3000/.ory/ui/login, http://localhost:3000/.ory/ui/recovery, http://localhost:3000/.ory/ui/settings, http://localhost:3000/.ory/ui/registration, http://localhost:3000/.ory/ui/verification, http://localhost:3000/.ory/self-service",
    "id": "self_service_flow_return_to_forbidden",
    "message": "The request was malformed or contained invalid parameters",
    "reason": "Requested return_to URL \"http://localhost:3000/.ory/ui/registration\" is not allowed.",
    "status": "Bad Request"
  },
  "created_at": "2024-05-17T14:57:51.14111Z",
  "updated_at": "2024-05-17T14:57:51.14111Z"
}
```
A message from kapa.ai
The error message indicates that the `return_to` URL you're trying to use is not allowed. This could be due to a few reasons:

1. The `return_to` URL is not listed in the allow list. The allow list is a security feature that prevents Open Redirect Attacks by only allowing certain domains or paths on a domain. The allow list is set using the `?return_to=` query parameter on self-service flows. If the `return_to` URL is not in the allow list, it will be rejected.
2. The `return_to` URL is not a valid URL. The allow list and any of the post-flow redirects require a valid URL with a scheme (HTTP or HTTPS). An example of a valid URL is `https://www.google.com`.
3. The `return_to` URL does not persist across different flows and must be added to new flows. For example, if the user starts a login flow with `return_to` URL set and then switches to a registration flow, the `return_to` URL isn't used for the registration flow. In such a case, your application can re-use the same `return_to` from the login flow by extracting the `return_to` URL from the login flow's `flow.return_to` and adding it to the registration flow.

Please check the `return_to` URL you're trying to use against these points to see if it meets the requirements. If it does and you're still encountering this error, there might be a configuration issue that needs to be addressed.

Sources:
- [Advanced redirects](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#advanced-redirects)
- [Invalid URL](https://www.ory.sh/docs/concepts/redirects#invalid-url)
- [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects)
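As an added example, not part of this thread and not Ory's own code, here is a small Python model of the kind of `return_to` allow-list check the answer describes, so the strictness of such a check is visible on concrete inputs. The matching rule used here (the candidate must be an absolute http/https URL whose scheme, host and port all equal an allowed entry's, with a path equal to or beneath that entry's path; relative entries are resolved against a base URL) is an assumption made for illustration, not Ory Kratos' exact algorithm. The allow list and `BASE_URL` are constructed from the "Allowed domains" line in the error above.

```python
from urllib.parse import urljoin, urlparse

# Constructed allow list: a subset of the "Allowed domains" line in the error
# above. BASE_URL is an assumption: relative entries such as /ui/logout are
# resolved against it here.
BASE_URL = "http://localhost:3000"
ALLOWED_RETURN_URLS = [
    "http://localhost:3000/.ory",
    "/ui/logout",
    "/ui/consent",
    "http://localhost:3000/.ory/ui/registration",
]


def _origin(parsed):
    """(scheme, host, port) tuple used for exact-origin comparison."""
    return (parsed.scheme.lower(), (parsed.hostname or "").lower(), parsed.port)


def _path_within(candidate: str, allowed: str) -> bool:
    """True if the candidate path equals the allowed path or lies below it.
    The '/' boundary check stops /.oryx from matching an /.ory entry."""
    allowed = allowed.rstrip("/")
    if allowed == "":
        return True
    return candidate == allowed or candidate.startswith(allowed + "/")


def is_allowed_return_to(return_to: str, allowed=ALLOWED_RETURN_URLS, base=BASE_URL) -> bool:
    """Simplified allow-list check (assumed model, not Ory's implementation).

    Rules applied:
      * return_to must be an absolute http(s) URL; scheme-relative (//host)
        and path-only values are rejected, as the answer above describes.
      * An allowed entry must match on scheme, host AND port, so an https
        URL or port 3001 does not satisfy an http://localhost:3000 entry.
      * The return_to path must be the entry's path or a sub-path of it.
      * Relative entries in the allow list are resolved against `base`.
    A userinfo trick such as http://localhost:3000@evil.example/ fails
    because urlparse reports evil.example as the host.
    """
    target = urlparse(return_to)
    if target.scheme.lower() not in ("http", "https") or not target.hostname:
        return False
    for entry in allowed:
        rule = urlparse(urljoin(base, entry))
        if _origin(rule) != _origin(target):
            continue
        if _path_within(target.path, rule.path):
            return True
    return False


if __name__ == "__main__":
    for url in [
        "http://localhost:3000/.ory/ui/registration",  # allowed
        "http://localhost:3000/ui/logout",             # via relative entry
        "https://localhost:3000/.ory",                 # scheme mismatch
        "http://localhost:3001/.ory",                  # port mismatch
        "http://localhost:3000/.oryx/ui",              # path boundary
        "//evil.example/.ory",                         # no scheme
    ]:
        print(f"{url} -> {is_allowed_return_to(url)}")
```

When debugging a rejection like the one in the question, comparing the candidate URL against each allowed entry component by component (scheme, host, port, then path) is usually faster than eyeballing the debug string, since a single differing component is enough for the whole entry to fail.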