Browser redirects and flow completion
This document covers browser redirects for Server Side Applications (Node.js, PHP, Golang etc.) and how to configure them.
Allow list
Set dynamic redirects using the ?return_to= query parameter on self-service flows. For example: a user opens a sharable link to
go to https://myapp.com/posts. This URL requires the user to have an active session and redirects the user back to the login
page. To return the user back to the original URL, append ?return_to=https://myapp.com/posts when starting the
self-service login flow:
curl -X GET 'http://<your-project>.projects.oryapis.com/self-service/login/browser?return_to=...'
When the login flow starts in a browser with a return_to URL set, return_to will be set. For API clients such as AJAX
visit this section.
The allow list prevents
Open Redirect Attacks by
just allowing certain domains, or paths on a domain. As in the example below https://sub.domain.myapp.com/only/path needs to
match the sub-domain and path. Other redirects using myapp.com will fail. Redirects using https://anotherapp.com will succeed
on any path.
Redirect flows
The Ory Network has a total of six flows, Login, Registration, Verification, Recovery, Settings and Logout which can be configured to redirect back to any URL. A common use case would be to redirect the user to your application home screen after a logout or to a specific URL on a sub-domain after a settings password update.
On project creation the redirect flows are by default set to the Ory Account Experience pages.
Login, registration, and settings
The Login and Registration flows have three fields (all optional):
- Default Redirect URL domain or path relative to your application URL
- Post-Password Redirect URL
- Post-OIDC Redirect URL
selfservice:
flows:
login:
after:
default_browser_return_url: https://this-is-overridden-by-password/
password:
# redirect after successful login or registration with `password` method
default_browser_return_url: https://end-up-here-after-login-with-password/
oidc:
# redirect after successful login or registration with `OIDC` method
default_browser_return_url: https://end-up-here-after-login-with-oidc/
registration:
after:
default_browser_return_url: https://end-up-here-after-registration/
# password:
# ...
The Settings flow has three fields (all optional):
- Default Redirect URL domain or path relative to your application URL
- Post-Password Redirect URL
- Post-Profile Redirect URL
selfservice:
flows:
settings:
after:
default_browser_return_url: https://this-is-overridden-by-password/
password:
# redirect after successfully updating the password in settings
default_browser_return_url: https://end-up-here-after-login-with-password/
profile:
# redirect after successfully updating the username or email in settings
default_browser_return_url: https://end-up-here-after-login-with-password/
The Default Redirect URL is used when Ory isn't sure where to redirect. It’s a good idea for this to be your default app URL, for
example / or the dashboard. Use sub-conditions to control where users are redirected after registration, login, and other
self-service flows.
When setting the Post-Login Redirect as an fully qualified domain name
(FQDN such as https://domain.example/login it will overwrite the
Default Redirect URL. As a path it will replace the Default Redirect URL path, for example /login will alter
https://domain.example/default/path to https://domain.example/login. This works the same for all other Post- flows and
sub-conditions.
On sub-conditions such as After Password or After Profile an FQDN or a path can be set. All the relative URLs will be updated with
their respective base URL. As shown in the example below, the Post-Login Redirect URL is a path. This means the base URL will be
the Default Redirect URL (https://myapp.com). This will set the Post-Login Redirect URL to https://myapp.com/after/login and
the Post-Password Redirect URL to https://myapp.com/after/login/password.
In the example below, the Post-Login Redirect URL is a FQDN. This will set the Post-Login Redirect URL to
https://myapp.com/after/login and the Post-Password Redirect URL to https://myapp.com/after/login/password.
Verification, recovery, and logout
The Post-Recovery redirect isn't supported and will automatically redirect the user to the Settings UI URL. Use the Post-Settings redirect for Post-Recovery flows.
Each of these flows has a single field, the Default Redirect URL. As with Login, Registration, and Settings configurations, the Default Redirect URL can be an FQDN or a path.
Reset and update flows
Update or delete a redirect by either changing the current redirects value or deleting the entry and clicking the Update button. Reset all flows at once with the Reset Flows button which will prompt a confirmation box. Resetting all flows will reset all the fields back to the default value which is the Ory Account Experience.
Updates to flows will take effect on new flows. It will have no effect on old flows that haven't expired yet.
Troubleshooting
API clients
The browser redirects work just for regular browser requests.
If you are using an API Client, for example AJAX, redirect the user to the right endpoint in the application:
.then((res) => {
router.push('/<your-route>')
})
Invalid URL
The allow list and any of the post-flow redirects require a valid URL with a scheme (HTTP or HTTPS). An example of
a valid URL is https://www.google.com.
Domain denied
It's not possible to set the any Ory-owned domain as redirect URL.
Read more
For a deeper dive into the background of browser redirects, read this document