To block domains in Ory, you can use the allow list feature, which effectively blocks all domains not explicitly allowed. This approach is used to prevent Open Redirect Attacks and control which domains are permitted for redirects. Here's how you can implement it: 1. Configure an allow list: Set up a list of allowed domains or paths that you want to permit for redirects. This list will implicitly block all other domains not included. 2. Use the

return_to

parameter: When initiating self-service flows (like login), you can use the

?return_to=

query parameter to specify the allowed redirect URL. 3. Match patterns: The allow list will check if the provided

return_to

URL matches the allowed patterns. For example, you can allow specific subdomains or paths within a domain. Here's an example of how the allow list works: - If you allow

<https://sub.domain.myapp.com/only/path>

, it will only match that specific subdomain and path. - Other redirects using

<http://myapp.com|myapp.com>

will fail. - If you allow

<https://anotherapp.com>

, redirects to any path on that domain will succeed. For more detailed information on configuring browser redirects and the allow list, you can refer to the [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects) documentation. By implementing this allow list approach, you effectively block all domains that are not explicitly permitted, enhancing the security of your application against potential redirect-based attacks.

To block specific domains from registering in Ory, you can use Ory Actions (also known as hooks) to implement custom validation logic before the registration process. This allows you to control exactly who can sign up for your application. Here's how you can approach this: 1. Use Ory Actions: Ory Actions are an extensibility mechanism that allows you to integrate custom logic into various flows, including registration. 2. Implement a pre-registration webhook: You can create a flow-interrupting webhook that runs before the registration process starts. This webhook can contain your custom logic to check the email domain and block specific ones. 3. Add domain validation: In your webhook, implement logic to check the email domain against your list of blocked domains. If the domain is blocked, you can prevent the registration from proceeding. Here's a relevant excerpt from the Ory documentation: [Login and registration webhooks and actions](https://www.ory.sh/docs/identities/sign-in/actions) states: "Use Ory Actions to add extra validation that allows you to control exactly who can sign up. For example, you can prevent users from signing up when: - their email domain doesn't match a certain value - this way you can allow only users from certain organizations to sign up." To implement this: 1. Create a flow-interrupting webhook that checks the email domain. 2. If the domain is in your blocked list, return an error response to prevent registration. 3. If the domain is allowed, let the registration process continue. For more detailed information on how to set up and configure these webhooks, you can refer to the [Flow-interrupting webhooks documentation](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#flow-interrupting-webhooks). By using this approach, you can effectively block specific domains from registering while allowing others to proceed with the registration process.

Yes, you can set up alerts for new account registrations in Ory using the live event streams feature. This can help you monitor and respond quickly to potential bot activity or unusual registration patterns. Here's how you can approach this: 1. Live Event Streams: Ory provides a feature called live event streams that allows you to receive real-time notifications for various events, including new account registrations. 2. Event Types: The specific event you'd be interested in is "RegistrationSucceeded", which is emitted when a user successfully registers an account. 3. Stream to Your Infrastructure: You can stream these events in real-time to your own infrastructure, allowing you to set up custom alerting mechanisms. According to the [Live event streams documentation](https://www.ory.sh/docs/actions/live-events): "You can stream events (sign-ups, logins, machine-to-machine tokens issued, and many more) in real-time, live as they happen in your Ory Network project, to your own infrastructure. Pipe those events into your own data warehouse, data lake, or flavor of choice, and use them to power your own analytics, dashboards, data science, and more." To set this up: 1. Enable live event streams for your Ory Network project. Note that this feature is available for Ory Network enterprise contracts. 2. Set up your infrastructure to receive and process these events. You could use a serverless function, a dedicated service, or integrate with an existing monitoring system. 3. Implement your alerting logic. For example, you could set up alerts for: - A sudden spike in registrations - Registrations from suspicious IP addresses - Unusual patterns in registration data 4. Configure your alert notifications (e.g., email, SMS, or integration with a team communication tool like Slack). It's important to note that while Ory provides the event data, you'll need to implement the actual alerting mechanism in your own infrastructure. For more details on the available events, you can check the [Event descriptions](https://www.ory.sh/docs/actions/live-events#event-descriptions) in the Ory documentation. Remember, this feature is part of the enterprise offering, so you may need to contact your Ory account manager or reach out to Ory directly to enable this functionality for your project.