<@U04UQ68083H> is it possible to have a custom red...
# ory-copilot
e
@chilly-king-10285 is it possible to have a custom redirect for social oidc callback url? Allow other urls path redirect than the current `self-service/methods/oidc/:provider`
b
A message from kapa.ai
Yes, Ory allows you to customize the redirect URL for social sign-in providers, but with some specific considerations. By default, Ory Network uses a redirect URL that points to the Ory Network domain with the path `/self-service/methods/oidc/callback/:provider`. However, you can customize this in two main ways:

1. Using a custom domain as the base redirect URI: You can change the domain part of the redirect URL while keeping the same path structure. This is useful when social sign-in providers like Google or GitHub show the redirect URL during the sign-in process and you want to display your own domain. To do this, you can set a `base_redirect_uri` in your configuration:

```
ory patch identity-config <project-id> \
  --add '/selfservice/methods/oidc/config/base_redirect_uri="https://ory.example.org"'
```

After making this change, you'll need to update the redirect URL in your social sign-in provider's configuration to match your custom domain [Set custom domain as redirect URL](https://www.ory.sh/docs/identities/sign-in/social-sign-in/redirect-url).

2. Using PKCE with a different callback path: When using PKCE (Proof Key for Code Exchange) with the `pkce: force` setting, you can use a slightly different callback URL format. Instead of `/self-service/methods/oidc/callback/<provider-id>`, you would use `/self-service/methods/oidc/callback` (without the provider ID and trailing slash) [PKCE for Social Sign-in and B2B SSO](https://www.ory.sh/docs/kratos/social-signin/oidc-pkce).

It's important to note that changing the `base_redirect_uri` will affect all social sign-in providers and may break existing connections. You'll need to update the redirect URLs in all your social sign-in provider configurations after making this change. Also, be aware that the path structure (`/self-service/methods/oidc/callback`) itself cannot be completely customized - you're primarily changing the domain part of the URL or using the alternative format with PKCE.
e
@chilly-king-10285 what about changing the same callback url with a custom redirect with a reverse proxy server in front of kratos?
b
A message from kapa.ai
Yes, using a reverse proxy in front of Kratos is a viable approach for customizing the callback URL path. Ory provides a tool specifically for this purpose called Ory Proxy.

## Using Ory Proxy

Ory Proxy is a reverse proxy that can be deployed in front of your application, allowing Ory endpoints to be mirrored on the same domain as your app. This approach solves several issues:

- It rewrites cookies to match your application's domain instead of `<your-project-slug>.projects.oryapis.com`
- It helps avoid browser CORS policy issues
- It converts sessions into JWTs and ensures cookies and URLs are properly configured

When using Ory Proxy, all Ory Network endpoints are available under the `/.ory` prefix. For example, `https://<proxy-host>/.ory/ui/login` would be equivalent to calling `https://<your-project-slug>.projects.oryapis.com/ui/login` directly [Ory Proxy](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-proxy).

## Setting up Ory Proxy

For local development, you can run:

```
ory proxy --project <project-id> --workspace <workspace-id> http://localhost:3000
```

This creates an entry point at `http://localhost:4000` by default, which you would use to access your application through the proxy [Ory Proxy](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-proxy).

## Alternative: Custom Reverse Proxy

If you prefer to set up your own reverse proxy (like Nginx, Envoy, or Kong) instead of using Ory Proxy, that's also possible. Ory Kratos works well in environments with reverse proxies. The [Zero Trust with Access Proxy guide](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy) provides some insights into using reverse proxies with Kratos.

When setting up your own reverse proxy, you'll need to ensure that:

1. Cookies are properly handled
2. CORS is properly configured
3. The proxy correctly forwards all necessary headers

This approach gives you more flexibility in how you structure your URLs, allowing you to map the default Ory callback paths to custom paths in your application. Remember that if you're using social sign-in providers, you'll need to update the redirect URI configuration in those providers to match your new proxy URL structure.
e
@chilly-king-10285 what about using self-hosted kratos?
b
A message from kapa.ai
New message text here