https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> how do I fix this error where do I ...
# ory-copilot
s
@chilly-king-10285 how do I fix this error where do I set the list of allowed return urls?
Copy code
{
  "id": "f38bf1c6-23de-445f-ba66-2fa29b96122b",
  "error": {
    "code": 400,
    "id": "self_service_flow_return_to_forbidden",
    "message": "The request was malformed or contained invalid parameters",
    "reason": "Requested return_to URL \h\" is not allowed.",
    "status": "Bad Request"
  },
  "created_at": "2024-09-01T17:04:12.845748Z",
  "updated_at": "2024-09-01T17:04:12.845748Z"
}
c
A message from kapa.ai
The error message indicates that the 
return_to
URL you're trying to use is not allowed. This is because Ory uses an allow list to prevent Open Redirect Attacks. Only certain domains or paths on a domain are allowed. To fix this error, you need to add the domain of your 
return_to
URL to the allow list in your Ory configuration. Here's an example of how to do this:
Copy code
yaml selfservice:     allowed_return_urls:       - <https://app.bettersea.tech/>
In this example, 
<https://app.bettersea.tech/>
is added to the allow list, so it can now be used as a 
return_to
URL. For more information, you can refer to the [Ory documentation on redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection) and [Ory documentation on allow list](https://www.ory.sh/docs/concepts/redirects).
A message from kapa.ai
The error message indicates that the 
return_to
URL you're trying to use is not allowed. This is because Ory uses an allow list to prevent Open Redirect Attacks. Only certain domains or paths on a domain are allowed. To fix this error, you need to add the domain of your 
return_to
URL to the allow list in your Ory configuration. Here's an example of how to do this:
Copy code
yaml selfservice:     allowed_return_urls:       - <https://your-allowed-url.com/>
In this example, 
<https://your-allowed-url.com/>
is added to the allow list, so it can now be used as a 
return_to
URL. For more information, you can refer to the [Ory documentation on redirection](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection) and [Ory documentation on allow list](https://www.ory.sh/docs/concepts/redirects).
s
@chilly-king-10285 my ory-config already includes that url, what could be the issue? security: account_enumeration: mitigate: true selfservice: allowed_return_urls: - https://admiring-wu-1mbxij2ve2.projects.oryapis.com - https://auth.bettersea.tech - /ui/logout - /ui/consent - /ui/welcome - /ui/sessions - https://app.bettersea.tech - https://app.bettersea.tech/ - https://bettersea.tech/ - https://bettersea.tech - http://bettersea.tech - http://bettersea.tech/ - https://admiring-wu-1mbxij2ve2.projects.oryapis.com/ui/error - https://admiring-wu-1mbxij2ve2.projects.oryapis.com/ui/login - https://admiring-wu-1mbxij2ve2.projects.oryapis.com/ui/recovery - https://admiring-wu-1mbxij2ve2.projects.oryapis.com/ui/settings - https://admiring-wu-1mbxij2ve2.projects.oryapis.com/ui/registration - https://admiring-wu-1mbxij2ve2.projects.oryapis.com/ui/verification default_browser_return_url: https://bettersea.tech/ flows: error:
c
A message from kapa.ai
The error message you're seeing indicates that the 
return_to
URL is not allowed. However, you've mentioned that the URL is already included in the 
allowed_return_urls
list in your Ory configuration. One possible issue could be that the URL you're trying to use as a 
return_to
URL is not exactly the same as the one in the 
allowed_return_urls
list. The URLs must match exactly. For example, 
<http://my-url/callback>
and 
<http://my-url/callback?foo=bar>
are considered different URLs. Another possible issue could be related to the URL scheme. The [Ory documentation](https://www.ory.sh/docs/concepts/redirects#invalid-url) mentions that the allow list and any of the post-flow redirects require a valid URL with a scheme (HTTP or HTTPS). If none of these seem to be the issue, it might be helpful to check the logs for more detailed error messages or to verify the exact 
return_to
URL that's being used. If you're still having trouble, you might want to consider reaching out to the Ory community or support for more specific guidance.
s
@chilly-king-10285 where can I see the logs?
c
A message from kapa.ai
In Ory, log output is sent to stdout/stderr. There is no option to change the log destination. You can use bash pipes to redirect the output to a file. For example:
Copy code
bash hydra serve all >log.txt 2>&1
This command will start the Hydra service and redirect all output (both stdout and stderr) to a file named 
log.txt
. If you're running Ory in a Docker container, you can use the 
docker logs <container-id>
command to view the logs for a specific container. For more information, you can refer to the [Ory documentation on logging](https://www.ory.sh/docs/self-hosted/operations/logging).
Open in Slack
PreviousNext
Powered by