I am unable to get past this error ...
# ory-copilot
@chilly-king-10285 I am unable to get past this error with Ory tunnel and network. The browser redirects have https://local.goriv.co:3000 setup but I am receiving this error { "error": { "id": "self_service_flow_return_to_forbidden", "code": 400, "status": "Bad Request", "request": "33b7c185-6ad9-98be-89aa-680886e94a67", "reason": "Requested return_to URL \"https://local.goriv.co:3000\" is not allowed.", "message": "The request was malformed or contained invalid parameters" } }
A message from kapa.ai
Based on the error message you're receiving, it appears that the `return_to` URL you're trying to use (https://local.goriv.co:3000) is not allowed in your Ory Network project configuration. This is a security measure to prevent open redirect attacks. To resolve this issue, you need to add the URL to the allowed list in your project configuration. Here's how you can address this:

1. First, make sure that you have properly configured the allowed redirect URLs in your Ory Network project. As mentioned in the [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects) documentation, you need to set up an allow list for redirect URLs: "The allow list prevents Open Redirect Attacks by just allowing certain domains, or paths on a domain."

2. You need to add `https://local.goriv.co:3000` to the allowed redirect URLs in your Ory Network project configuration. This can typically be done through the Ory Console or using the Ory CLI.

3. If you're using the Ory Tunnel for local development, make sure you're running it correctly. As described in the [ory tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel), you can use the following command:

   ```
   ory tunnel --project <project-id-or-slug> https://local.goriv.co:3000
   ```

   Make sure to replace `<project-id-or-slug>` with your actual project ID or slug.

4. If you're still encountering issues, you might want to check if you've properly set up the CORS configuration. The Ory Tunnel documentation mentions: "You can restrict the CORS domains using the `--allowed-cors-origins` flag". You might need to add your domain to the allowed CORS origins:

   ```
   ory tunnel https://local.goriv.co:3000 --allowed-cors-origins https://local.goriv.co:3000
   ```

5. If you're using a custom domain, ensure that you've set up the cookie domain correctly:

   ```
   ory tunnel --project <project-id-or-slug> --cookie-domain goriv.co https://local.goriv.co:3000
   ```

If you've followed these steps and are still encountering issues, you might want to double-check your overall configuration and ensure that all necessary settings are correctly applied. Remember, the error message specifically states that the return_to URL is not allowed, so focusing on properly configuring the allowed redirect URLs in your Ory Network project should be your primary concern.
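
Added example, not part of the thread above and not Ory's own code: a general sketch in Go of how a `return_to` allow list check can reject redirects that differ from an allowed entry in scheme, host, port or path. The function names and matching rules (exact scheme and host:port, path prefix on segment boundaries) are assumptions for illustration; the sample URLs other than the one from the thread are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isAllowedReturnTo reports whether returnTo matches an allow-list entry on
// scheme, host (including port) and path prefix. These rules are assumed for
// illustration; they are not taken from Ory's implementation.
func isAllowedReturnTo(returnTo string, allowList []string) bool {
	target, err := url.Parse(returnTo)
	if err != nil || target.Host == "" || target.User != nil {
		return false // malformed, relative, or carrying userinfo
	}
	for _, entry := range allowList {
		allowed, err := url.Parse(entry)
		if err != nil || allowed.Host == "" {
			continue // skip unusable allow-list entries
		}
		if strings.EqualFold(allowed.Scheme, target.Scheme) &&
			strings.EqualFold(allowed.Host, target.Host) &&
			pathWithin(target.Path, allowed.Path) {
			return true
		}
	}
	return false
}

// pathWithin matches whole path segments, so "/app" covers "/app/x" but not
// "/application". An empty or "/" prefix covers every path.
func pathWithin(path, prefix string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	return prefix == "" || path == prefix || strings.HasPrefix(path, prefix+"/")
}

func main() {
	allow := []string{"https://local.goriv.co:3000"} // URL from the thread
	for _, u := range []string{ // constructed sample inputs
		"https://local.goriv.co:3000/dashboard",
		"https://local.goriv.co/dashboard",
		"http://local.goriv.co:3000",
		"https://local.goriv.co.other.example:3000/",
	} {
		fmt.Printf("%-45s allowed=%v\n", u, isAllowedReturnTo(u, allow))
	}
}
```

Under these rules an entry registered without the port, or with `http` instead of `https`, does not cover `https://local.goriv.co:3000`.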