modern-caravan-99632
06/04/2025, 2:42 PM
```json
{
  "id": "74c71e8a-0b7d-4be5-a4fc-b5f42ecba258",
  "error": {
    "code": 400,
    "id": "self_service_flow_return_to_forbidden",
    "message": "The request was malformed or contained invalid parameters",
    "reason": "Requested return_to URL \"../self-service/settings/browser?return_to=\" is not allowed.",
    "status": "Bad Request"
  },
  "created_at": "2025-06-03T18:03:49.40739Z",
  "updated_at": "2025-06-03T18:03:49.40739Z"
}
```
What could be the reason behind this? And why am I not being redirected to my custom domain `https://stg.auth.kemettrading.com/ui/error` instead?

brief-egg-61061
06/04/2025, 2:42 PM

brief-egg-61061
06/04/2025, 2:42 PM
```json
{
  "id": "self_service_flow_return_to_forbidden",
  "message": "The request was malformed or contained invalid parameters",
  "reason": "Requested return_to URL \"../self-service/settings/browser?return_to=\" is not allowed.",
  "status": "Bad Request"
}
```
indicates that the `return_to` URL provided in the recovery flow is not allowed by your Ory project's configuration. Ory enforces strict allow-listing of redirect URLs to prevent open redirect attacks. If a `return_to` URL is not explicitly allowed in your configuration, Ory will reject it and show this error.

In your case, the URL `../self-service/settings/browser?return_to=` is a relative path, which is not supported: Ory requires fully qualified URLs (including protocol and domain) to be allow-listed in the configuration. Relative URLs like `../self-service/settings/browser?return_to=` will be rejected as invalid or forbidden [Docs: Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects), [Ory Proxy and Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-proxy-deprecated).

**Why are you not being redirected to your custom domain error page?**

By default, Ory Network does not automatically allow `/ui` URLs or relative paths for redirects, especially when using custom domains. If you want users to be redirected to a custom error page on your domain (e.g., `https://stg.auth.kemettrading.com/ui/error`), you must ensure that this URL is included in your project's allow list for return URLs. Otherwise, Ory will fall back to its default error UI, which is typically on the Ory Network domain (e.g., playground.projects.oryapis.com) [Github Issue: redirect to /ui/settings is not allowed for recovery flow when 2FA is enabled](https://github.com/ory/network/issues/363).

**How to fix:**

1. Update your Ory project configuration to allow the desired return URLs. For example:
   ```yaml
   selfservice:
     allowed_return_urls:
       - https://stg.auth.kemettrading.com/ui/
       - https://stg.auth.kemettrading.com/ui/error
   ```
2. Always use fully qualified URLs (not relative paths) for `return_to` parameters.
3. If you want to redirect to a custom error page, make sure that page is included in the allow list.

**Summary:** The error is due to an invalid or unallow-listed `return_to` URL (relative path). Ory requires fully qualified, allow-listed URLs for redirects. Update your configuration to include your custom domain's error page as an allowed return URL to ensure proper redirection [Docs: Browser redirects and flow completion](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion), [Github Issue: redirect to /ui/settings is not allowed for recovery flow when 2FA is enabled](https://github.com/ory/network/issues/363).

modern-caravan-99632
06/05/2025, 11:53 AM
`../self-service/settings/browser?return_to=` as the return to. I am setting the `return_to` via the API to my dev website. Also, when I am testing locally using Ory Tunnel it's working as expected. Any idea why?

brief-egg-61061
06/05/2025, 11:53 AM

brief-egg-61061
06/05/2025, 11:54 AM

modern-caravan-99632
06/17/2025, 2:59 PM

brief-egg-61061
06/17/2025, 2:59 PM

brief-egg-61061
06/17/2025, 2:59 PM

modern-caravan-99632
06/17/2025, 3:52 PM
`ory get oauth2-config <project-id> --format yaml` isn't working. I got:
```
Error: unknown command "*****-****-***-*****-********" for "ory get oauth2-config"
Usage:
  ory get oauth2-config [flags]
Aliases:
  oauth2-config, oc, hydra-config
Examples:
  $ ory get oauth2-config --project "*****-****-***-*****-******** --format yaml > oauth2-config.yaml
  $ ory get oauth2-config --format json # uses currently selected project
```

modern-caravan-99632
06/17/2025, 3:58 PM

brief-egg-61061
06/17/2025, 3:58 PM

brief-egg-61061
06/17/2025, 3:59 PM

modern-caravan-99632
06/22/2025, 5:58 PM
`ory update identity-config` CLI command?

brief-egg-61061
06/22/2025, 5:58 PM

brief-egg-61061
06/22/2025, 5:58 PM
`identity-config.json` using the Ory CLI, use the following command:
```bash
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.json
```
This command will overwrite the existing Ory Identities configuration with the contents of your `identity-config.json` file. All values in the configuration will be replaced. Make sure to specify both your project and workspace IDs as shown above. This is the documented way to import or force-apply a new identity configuration in Ory Network [ory update identity-config](https://www.ory.sh/docs/cli/ory-update-identity-config#ory-update-identity-config), [Ory Identities CLI Guide](https://www.ory.sh/docs/guides/cli/identity-cli). If you want to apply the configuration from a YAML file, you can use the same command and just change the file extension.

Note: There is no separate "force" flag; using `ory update identity-config` with the `--file` option will always overwrite the current configuration with the provided file.

modern-caravan-99632
06/22/2025, 6:04 PM
```
Warnings were found.
- Configuration key `serve.*` can not be set and will be ignored.
- Configuration key `cookies.path` can not be set and will be ignored.
- Configuration key `cookies.domain` can not be set and will be ignored.
- Configuration key `session.cookie.domain` can not be set and will be ignored.
- Configuration key `session.cookie.name` can not be set and will be ignored.
- Configuration key `session.cookie.path` can not be set and will be ignored.
It is safe to ignore these warnings unless your intention was to set these keys.
```
brief-egg-61061
06/22/2025, 6:04 PM

brief-egg-61061
06/22/2025, 6:04 PM
`identity-config.json` are not supported or cannot be set in Ory Network. Specifically, keys like `serve.*`, `cookies.path`, `cookies.domain`, `session.cookie.domain`, `session.cookie.name`, and `session.cookie.path` are ignored when applying configuration to Ory Network projects.

This is expected behavior:

- Ory Network manages runtime and networking, so settings related to serving endpoints or low-level cookie parameters are not configurable by users.
- These warnings are informational and safe to ignore unless you specifically intended to set those keys.

This limitation is documented in Ory's CLI and API references, which state that some configuration keys (such as those related to serving and cookies) will be ignored by Ory Network, and a warning will be shown to help you understand why certain configuration keys might not be respected. This is to ensure security and consistency across the managed platform [see example in Github Issue](https://github.com/ory/network/issues/213).

**Summary:** Not all keys from a self-hosted Ory Kratos config are supported in Ory Network. The warnings you see are normal and indicate which keys are ignored. Only the supported configuration options will be applied. If you need to control these settings, you would need to use a self-hosted deployment instead of Ory Network.

modern-caravan-99632
06/25/2025, 6:51 AM

brief-egg-61061
06/25/2025, 6:51 AM

brief-egg-61061
06/25/2025, 6:52 AM
```bash
# Project is passed with --project, the flag form shown in the CLI's own usage output above.
ory patch identity-config --project <project-id> \
  --add '/selfservice/flows/registration/enabled=false'
```
This was implemented as a feature request in Ory Network, as mentioned in [Ability to disable self-service registration flow](https://github.com/ory/network/issues/49).

## Option 2: Disable the entire Account Experience

For paid Ory Network plans, you can completely disable the Account Experience UI:

1. Go to Branding → UI URLs in the Ory Console
2. Set up custom UI URLs for all flows
3. Disable the "Enable the Account Experience welcome page" setting

When you define a custom UI base URL, you lose access to the Ory Account Experience as mentioned in [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui). This feature was added in response to user requests as seen in [Ability to disable Account Experience](https://github.com/ory/network/issues/306) and [Disable Account Experience UI pages when Custom UI is set up](https://github.com/ory/network/issues/350).

## Option 3: Use a custom domain

If you're using a custom domain (available in paid plans), you can set up your own UI and redirect users away from the default Ory Account Experience:

1. Configure a custom domain for your project
2. Set up custom UI URLs that point to your own implementation
3. This effectively hides the default Ory-hosted UI from users

This approach is documented in [Bring Your Own Domain](https://github.com/ory/network/issues/16) and [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui).

The most comprehensive approach is combining options 1 and 2: disable the registration flow completely and set up custom UI URLs for all other flows to ensure users can't access the default Ory Account Experience pages.

modern-caravan-99632
06/25/2025, 6:53 AM

brief-egg-61061
06/25/2025, 6:53 AM

brief-egg-61061
06/25/2025, 6:54 AM
`privileged_session_max_age` setting, which forces the user to re-authenticate if their session is too old before allowing sensitive changes like password updates [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings). If you need more advanced flows (like requiring the current password), you may need to implement this logic in your own UI and backend, but this is not covered in the provided knowledge sources.