<@U04UQ68083H> When trying to recover my account o...
# ory-copilot
@chilly-king-10285 When trying to recover my account on a custom domain, I get redirected to https://playground.projects.oryapis.com/ui/error?id=74c71e8a-0b7d-4be5-a4fc-b5f42ecba258 and get this code

```json
{
  "id": "74c71e8a-0b7d-4be5-a4fc-b5f42ecba258",
  "error": {
    "code": 400,
    "id": "self_service_flow_return_to_forbidden",
    "message": "The request was malformed or contained invalid parameters",
    "reason": "Requested return_to URL \"../self-service/settings/browser?return_to=\" is not allowed.",
    "status": "Bad Request"
  },
  "created_at": "2025-06-03T18:03:49.40739Z",
  "updated_at": "2025-06-03T18:03:49.40739Z"
}
```

What could be the reason behind this? And why am I not being redirected to my custom domain https://stg.auth.kemettrading.com/ui/error instead?
A message from kapa.ai
The error you are seeing:

```json
{
  "id": "self_service_flow_return_to_forbidden",
  "message": "The request was malformed or contained invalid parameters",
  "reason": "Requested return_to URL \"../self-service/settings/browser?return_to=\" is not allowed.",
  "status": "Bad Request"
}
```

indicates that the `return_to` URL provided in the recovery flow is not allowed by your Ory project's configuration. Ory enforces strict allow-listing of redirect URLs to prevent open redirect attacks. If a `return_to` URL is not explicitly allowed in your configuration, Ory will reject it and show this error. In your case, the URL `../self-service/settings/browser?return_to=` is a relative path, which is not supported; Ory requires fully qualified URLs (including protocol and domain) to be allow-listed in the configuration. Relative URLs like `../self-service/settings/browser?return_to=` will be rejected as invalid or forbidden [Docs: Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects), [Ory Proxy and Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-proxy-deprecated).

Why are you not being redirected to your custom domain error page? By default, Ory Network does not automatically allow `/ui` URLs or relative paths for redirects, especially when using custom domains. If you want users to be redirected to a custom error page on your domain (e.g., `https://stg.auth.kemettrading.com/ui/error`), you must ensure that this URL is included in your project's allow list for return URLs. Otherwise, Ory will fall back to its default error UI, which is typically on the Ory Network domain (e.g., playground.projects.oryapis.com) [Github Issue: redirect to /ui/settings is not allowed for recovery flow when 2FA is enabled](https://github.com/ory/network/issues/363).

How to fix:

1. Update your Ory project configuration to allow the desired return URLs. For example:

```yaml
selfservice:
  allowed_return_urls:
    - https://stg.auth.kemettrading.com/ui/
    - https://stg.auth.kemettrading.com/ui/error
```

2. Always use fully qualified URLs (not relative paths) for `return_to` parameters.
3. If you want to redirect to a custom error page, make sure that page is included in the allow list.

Summary: The error is due to an invalid or unallow-listed `return_to` URL (relative path). Ory requires fully qualified, allow-listed URLs for redirects. Update your configuration to include your custom domain's error page as an allowed return URL to ensure proper redirection [Docs: Browser redirects and flow completion](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion), [Github Issue: redirect to /ui/settings is not allowed for recovery flow when 2FA is enabled](https://github.com/ory/network/issues/363).
@chilly-king-10285 I am not setting `../self-service/settings/browser?return_to=` as the return_to; I am setting the return_to via the API to my dev website. Also, when I am testing locally using Ory Tunnel it's working as expected. Any idea why?
A message from kapa.ai
Based on the knowledge sources, here's what could be happening:

When you use Ory Tunnel locally, the environment is more permissive regarding redirect URLs, and relative paths or local URLs often work as expected. However, when you deploy to a custom domain in Ory Network, the redirect and `return_to` logic becomes stricter. Ory Network enforces an allow-list for `return_to` URLs to prevent open redirect attacks, and only fully qualified URLs that are explicitly allow-listed in your project configuration are accepted. Relative URLs like `../self-service/settings/browser?return_to=` are not supported and will be rejected as invalid or forbidden in production environments with custom domains [Browser redirects and flow completion](https://www.ory.sh/docs/concepts/redirects#allow-list), [Ory Proxy and Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-proxy-deprecated).

If you are setting the `return_to` parameter to your dev website via the API and it works locally but fails on your custom domain, it is likely because:

- The `return_to` URL you are using in production is not included in the `allowed_return_urls` configuration for your Ory project.
- Ory Tunnel may bypass or relax some of these restrictions for local development, but Ory Network enforces them strictly for security reasons.
- If the `return_to` is not allowed, Ory falls back to its default error handling, which may explain why you see the error page on playground.projects.oryapis.com instead of your custom domain.

What you should do:

- Make sure the exact `return_to` URL you are using in production is included in the `allowed_return_urls` list in your Ory project configuration.
- Use fully qualified URLs (including protocol and domain) for all `return_to` parameters in production.
- Double-check that your custom domain and any relevant paths are present in the allow-list.

This difference in behavior between local (Ory Tunnel) and production (custom domain) is expected due to the stricter security model in Ory Network [Browser redirects and flow completion](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion), [Browser redirects and flow completion - Troubleshooting](https://www.ory.sh/docs/concepts/redirects#troubleshooting). If you have already set the correct `return_to` and it is still not working, double-check for typos, missing protocols, or misconfigurations in your allow-list. If the issue persists, it may be a bug or a more complex configuration issue not fully covered in the current documentation.
@chilly-king-10285 Is there a way to validate or debug the existing project configuration? It's been days now and I don't have a solution for the issue I am having.
A message from kapa.ai
@chilly-king-10285 We don't have OAuth2. I want to export the project settings/config; is that possible? Also, this command you suggested, `ory get oauth2-config <project-id> --format yaml`, isn't working. I got:

```
Error: unknown command "*****-****-***-*****-********" for "ory get oauth2-config"
Usage:
  ory get oauth2-config [flags]

Aliases:
  oauth2-config, oc, hydra-config

Examples:
$ ory get oauth2-config --project "*****-****-***-*****-******** --format yaml > oauth2-config.yaml

$ ory get oauth2-config --format json   # uses currently selected project
```
A message from kapa.ai
@chilly-king-10285 How can I force-apply my identity-config.json via the `ory update identity-config` CLI command?
A message from kapa.ai
To force apply your `identity-config.json` using the Ory CLI, use the following command:

```bash
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.json
```

This command will overwrite the existing Ory Identities configuration with the contents of your `identity-config.json` file. All values in the configuration will be replaced. Make sure to specify both your project and workspace IDs as shown above. This is the documented way to import or force-apply a new identity configuration in Ory Network [ory update identity-config](https://www.ory.sh/docs/cli/ory-update-identity-config#ory-update-identity-config), [Ory Identities CLI Guide](https://www.ory.sh/docs/guides/cli/identity-cli). If you want to apply the configuration from a YAML file, you can use the same command and just change the file extension.

Note: There is no separate "force" flag; using `ory update identity-config` with the `--file` option will always overwrite the current configuration with the provided file.
@chilly-king-10285 Not all of the identity-config file is applied. I get:

```
Warnings were found.
- Configuration key `serve.*` can not be set and will be ignored.
- Configuration key `cookies.path` can not be set and will be ignored.
- Configuration key `cookies.domain` can not be set and will be ignored.
- Configuration key `session.cookie.domain` can not be set and will be ignored.
- Configuration key `session.cookie.name` can not be set and will be ignored.
- Configuration key `session.cookie.path` can not be set and will be ignored.
It is safe to ignore these warnings unless your intention was to set these keys.
```
A message from kapa.ai
The warnings you are seeing indicate that certain configuration keys in your `identity-config.json` are not supported or cannot be set in Ory Network. Specifically, keys like `serve.*`, `cookies.path`, `cookies.domain`, `session.cookie.domain`, `session.cookie.name`, and `session.cookie.path` are ignored when applying configuration to Ory Network projects.

This is expected behavior:

- Ory Network manages runtime and networking, so settings related to serving endpoints or low-level cookie parameters are not configurable by users.
- These warnings are informational and safe to ignore unless you specifically intended to set those keys.

This limitation is documented in Ory's CLI and API references, which state that some configuration keys (such as those related to serving and cookies) will be ignored by Ory Network, and a warning will be shown to help you understand why certain configuration keys might not be respected. This is to ensure security and consistency across the managed platform [see example in Github Issue](https://github.com/ory/network/issues/213).

Summary: Not all keys from a self-hosted Ory Kratos config are supported in Ory Network. The warnings you see are normal and indicate which keys are ignored. Only the supported configuration options will be applied. If you need to control these settings, you would need to use a self-hosted deployment instead of Ory Network.
@chilly-king-10285 Is there a way to disallow all users from using Ory Console links for registration, welcome and signup?
A message from kapa.ai
Yes, there are several ways to disable or restrict access to the default Ory Account Experience UI pages (including registration, welcome, and signup) in your Ory Network project:

## Option 1: Disable specific flows

You can completely disable the registration flow, which prevents users from signing up through self-service:

```bash
ory patch identity-config <project-id> \
  --add '/selfservice/flows/registration/enabled=false'
```

This was implemented as a feature request in Ory Network, as mentioned in [Ability to disable self-service registration flow](https://github.com/ory/network/issues/49).

## Option 2: Disable the entire Account Experience

For paid Ory Network plans, you can completely disable the Account Experience UI:

1. Go to BrandingUI URLs in the Ory Console
2. Set up custom UI URLs for all flows
3. Disable the "Enable the Account Experience welcome page" setting

When you define a custom UI base URL, you lose access to the Ory Account Experience as mentioned in [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui). This feature was added in response to user requests as seen in [Ability to disable Account Experience](https://github.com/ory/network/issues/306) and [Disable Account Experience UI pages when Custom UI is set up](https://github.com/ory/network/issues/350).

## Option 3: Use a custom domain

If you're using a custom domain (available in paid plans), you can set up your own UI and redirect users away from the default Ory Account Experience:

1. Configure a custom domain for your project
2. Set up custom UI URLs that point to your own implementation
3. This effectively hides the default Ory-hosted UI from users

This approach is documented in [Bring Your Own Domain](https://github.com/ory/network/issues/16) and [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui).

The most comprehensive approach is combining options 1 and 2: disable the registration flow completely and set up custom UI URLs for all other flows to ensure users can't access the default Ory Account Experience pages.
@chilly-king-10285 Is there a way to show current password and new password inputs in the Ory self-service settings page?
A message from kapa.ai
Based on the available knowledge sources, Ory's self-service settings flow for updating the password only presents a single input for the new password. The documented payloads and UI nodes for the password update method show only a field for the new password and a submit button; there is no mention of a "current password" input being required or supported by default in the settings flow UI or API. The validation examples and API references also only show a single password field for updates, not both current and new password fields [Settings flow payloads](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#settings-flow-payloads), [Update password](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#update-password-1).

Therefore, there is no documented way to require or display both a current password and a new password input in the Ory self-service settings page using the default flows and configuration. If you need this feature, it would require custom logic outside of what is described in the official documentation and examples.

If you need stricter verification for password changes, Ory recommends using the `privileged_session_max_age` setting, which forces the user to re-authenticate if their session is too old before allowing sensitive changes like password updates [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings). If you need more advanced flows (like requiring the current password), you may need to implement this logic in your own UI and backend, but this is not covered in the provided knowledge sources.