# ory-network
r
We would like to use Ory Account Experience (managed UI) in production, encountering two blocking issues:
• Anyone has access to the dev-only view when visiting the self-service application with `/ui` appended.
• Signing out in the self-service UI does not respond to the passed `return_to` query param. When signing out, the user is redirected to the `/ui/welcome` screen. Using default redirect URLs is not an option for us, because we have multiple applications using the same Ory self-service application.
m
Hello @rhythmic-musician-58953 I just talked to the team about the issues you encountered. The `return_to` should be respected on all pages except the “Welcome” and `/settings` pages. We have created an issue internally to make it work on the other pages as well! Please let us know if it is not respected on other UI pages.
As for the `/ui` route, are you specifically talking about the `/ui/welcome` page? There are no security risks in the end-user viewing that page. We do plan to make it configurable in a “production” mode, so you can turn it off. Do you have any preference as to how that should work? fyi @fast-lunch-54279
r
Thanks for the quick response! Yes, open access for everyone to the `/ui/welcome` page, containing dev docs and the session information hash, is not ideal. I understand it's not a security risk, but it is a mistake in the eyes of the end users.
In the `/ui/settings` page, `return_to` is respected in all the `Save` actions (which is what we want), but not when selecting `Logout`. We would like to be able to instruct what redirect should happen after logout in the settings page, without setting up a default redirect URL. Perhaps similarly to how `ui/registration` allows passing the `after_verification_return_to` param.
Another behaviour we wish existed is to allow passing `after_verification_return_to` to the `ui/login` flow as well, since some users will go to the registration page from the login page. For these cases, we couldn't find a way to automatically redirect them back to our app after verifying their email.
Finally, there's the previously discussed issue of rendering the submission form again even after successful verification on the `ui/verification` page.
Sorry for the lengthy message, we had a QA yesterday and these are the things that are leaning us towards building a custom app right away, instead of using the managed UI for V1.