HTTP Redirection Configuration
Self-Service flows such as Login, Registration, Updating Settings support two successful response modes:
- For browsers, the response will be a redirection.
- For API clients (this includes AJAX) the response will be in JSON.
Redirection
Browser requests, identified by the Accept: text/html
header, complete with a
redirection flow. If no redirection URL is set for the flow, the Default
Redirect URL will be used for most flows (for example login, registration):
selfservice:
default_browser_return_url: https://always-end-up-here-per-default/
It's possible to specify a redirect URL per Self-Service Flow:
selfservice:
flows:
login:
after:
default_browser_return_url: https://end-up-here-after-login/
registration:
after:
default_browser_return_url: https://end-up-here-after-registration/
# verification
# ...
You may also set redirect URLs per method (overrides
selfservice.flows.<login|registration|...>.default_return_to
):
selfservice:
flows:
login:
after:
default_browser_return_url: https://this-is-overridden-by-password/
password:
default_browser_return_url: https://end-up-here-after-login-with-password/
# ...
It's also possible to redirect someone back to the original URL. For example, if
a user requests https://www.myapp.com/blog/write
but isn't logged in, we want
the user to end up at that page after login. To achieve that, you append
?return_to=https://www.myapp.com/blog/write
when initializing the Login /
Registration /Settings flow.
Because Ory Kratos prevents Open Redirect Attacks, you need to whitelist the
domain in your Ory Kratos config when using the ?return_to=
query parameter.
For other return urls specified inside the configuration it isn't necessary to
add the domain to the whitelist.
Let's look at an example, here we're adding myapp.com
to the whitelist, thus
we can now specify a dynamic return url like so
?return_to=https://www.myapp.com/blog/write
.
selfservice:
allowed_return_urls:
- https://www.myapp.com/
Post-Login Redirection
Post-login redirection considers the following configuration keys:
selfservice:
default_browser_return_url: https://end-up-here-per-default/
flows:
login:
after:
# overrides url.default_browser_return_url
default_browser_return_url: https://this-is-overridden-by-password/
password:
# overrides selfservice.login.after.default_browser_return_url
default_browser_return_url: https://end-up-here-after-login-with-password/
Post-Registration Redirection
Post-login redirection considers the following configuration keys:
selfservice:
default_browser_return_url: https://end-up-here-per-default/
flows:
registration:
after:
# overrides url.default_browser_return_url
default_browser_return_url: https://this-is-overridden-by-password/
password:
# overrides selfservice.registration.after.default_browser_return_url
default_browser_return_url: https://end-up-here-after-registration-with-password/
Post-Settings Redirection
Post-settings redirection doesn't use the urls.default_redirect_to
configuration key. Instead the redirect ends at the same Settings UI with the
same Settings Request ID and key state
set to success
. If the listed keys
are set, the redirection will end up at the specified values:
selfservice:
flows:
settings:
after:
default_redirect_to: https://this-is-overridden-by-password/
password:
# overrides selfservice.settings.after.default_redirect_to
default_redirect_to: https://end-up-here-after-settings-with-password/
Post-Verification Redirection
Post-verification redirection doesn't use the urls.default_redirect_to
configuration key. Instead the redirect ends at the same Verification UI with
the same Verification Request ID and key state
set to passed_challenge
. If
the listed keys are set, the redirection will end up at the specified values:
selfservice:
flows:
verification:
after:
default_redirect_to: https://this-is-overridden-by-password/
Specify Redirection URL during Registration
Verification emails are usually sent in response to a successful registration
flow. To specify the redirect URL for the verification flow after registration,
append after_verification_return_to
to the Browser Registration Init endpoint:
https://public.kratos/self-service/registration/browser?after_verification_return_to=https://my-redirect/foo
JSON
Requests from API clients - for example AJAX - are identified by the
Accept: application/json
header and return a JSON response. If no redirection
URL is set for the flow, the default_redirect_to
URL will be used for most
flows.