Is there any way to change the oauth redirect_uri ...
# ory-network
m
Is there any way to change the oauth redirect_uri to localhost during development? This is a bit of a roadblock for using the proxy with SSO-only projects
h
That’s a good question. It’s a bit complicated, because some providers like GitHub don’t allow multiple redirect URLs, so for those you would need a separate client. We’ll have to think about how to enable Social when using the Ory Proxy. Unfortunately I don’t have an easy answer for you here…
What type of app are you developing?
It might be possible if we’re really smart about this in the Ory Proxy
m
My project doesn't handle passwords (or, ideally, emails) at all, it only uses SSO. But that of course does complicate local dev a bit.
For now I'm getting around it by copying the callback request and pasting it into the address bar under localhost
> some providers like GitHub don’t allow multiple redirect URLs
Don't they generally allow localhost though?
I'd be totally willing to configure a localhost callback URL in my testing Github application. Today I tried doing that and rewriting the redirect_uri in the browser-side self-service flow, but still no cigar. My only solution at the moment is manually resending the request in the Network tab of browser dev tools.
I'm actually pretty confused about why rewriting the redirect_uri didn't work. I'm using the TS client to submit the login flow. It returns a browser_location_change_required error, as expected, with this shape:
{
  "error": {
    "id": "browser_location_change_required",
    "code": 422,
    "status": "Unprocessable Entity",
    "reason": "In order to complete this flow please redirect the browser to: https://github.com/login/oauth/authorize?client_id=97a8edf1455568b30ff1&redirect_uri=https%3A%2F%2Fheuristic-engelbart-7370ityw6e.projects.oryapis.com%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Fgithub&response_type=code&state=3fae5ecc-5419-444a-af5a-fab55664cc1b",
    "message": "browser location change required"
  },
  "redirect_browser_to": "https://github.com/login/oauth/authorize?client_id=97a8edf1455568b30ff1&redirect_uri=https%3A%2F%2Fheuristic-engelbart-7370ityw6e.projects.oryapis.com%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Fgithub&response_type=code&state=3fae5ecc-5419-444a-af5a-fab55664cc1b"
}
But instead of redirecting to that URL, I first rewrite it, changing redirect_uri from the Cloud URL to the local proxy path:
https://github.com/login/oauth/authorize?client_id=97a8edf1455568b30ff1&redirect_uri=http%3A%2F%2Flocalhost%3A4000%2F.ory%2Fself-service%2Fmethods%2Foidc%2Fcallback%2Fgithub&response_type=code&state=3fae5ecc-5419-444a-af5a-fab55664cc1b
This works at first. I've configured Github to use localhost for the callback URL, so it accepts it. It sends me back to localhost correctly, e.g.:
http://localhost:4000/.ory/self-service/methods/oidc/callback/github?code=2c628ec3b50af5361e3c&state=da81a7a1-3247-4bb2-87bd-e51a70306bd7
But this is where the problem occurs. An error is thrown: the temporary code we receive doesn't work to retrieve an access token from Github.
{
  "code": 500,
  "message": "oauth2: server response missing access_token",
  "status": "Internal Server Error"
}
However, if I disable the local proxy before this request is fired, I can use the code to get an access token successfully. Of course, if I try it again with the same code, it fails. The code is single-use. I'm almost certain that github.com/login/oauth/access_token is being called prematurely, so that when the access token is supposed to be retrieved, it fails because it's already been read once. I have no idea why this only happens when sending requests through the proxy.
I actually don't think this is a proxy problem. I simply cannot get the AJAX flow working with social login, even with Postman:
(Sorry if this thread has diverged from the #cloud topic)
Okay I think I've figured it out. I suspect that when the server is getting the access token from github (/login/oauth/access_token), it's supplying the (optional) redirect_uri parameter as my Ory project URL – which Github rejects because I've set my GH app callback url to localhost. It's impossible to know for sure because Ory Cloud errors are pretty opaque. It would help tremendously if it would show the cause of an error like "cannot retrieve access token" – in this case the cause would be Github's error redirect_uri_mismatch, if my theory is right.
h
Oh, that is great feedback - the error is indeed very opaque but the reason for the error you mentioned will be correct
The redirect URIs have to match
By the way, it's better to start a new thread here or ask in github discussions as it helps others who might face the same issue, and it's easier for js to track :)
*for us
m
Gotcha, yeah this thread got a little unwieldy haha