How to use the return_to query string with Oathkeeper + kratos?


I see in documentation, that self service login flows support a return_to query string, but I am really not sure how/where to use it.

I use the ory example self service node app with Oathkeeper, and I have a “protected” route. I’d love to be redirected after the sign in to the page I wanted to reach, not the settings. Where should I squeeze in the return_to argument? In oathkeeper rules? Or somehow in the self service app?

When calling the flow init endpoints (e.g. login init)!

What I don’t understand is this:

  1. Browser tries to access /protected/too

  2. Oathkeeper notices this user is not signed in, redirects to /auth/login in node self service app

  3. I guess the node app should pass return_to in the first call to kratos (when it gets the request ID and form fields)

  4. After successful sign-in POST to kratos, it will redirect to return_to address.

Question: The node app does not receive the address from Oathkeeper. Oathkeeper saw it, but redirected the browser to /auth/login, so we lose track. Is there a way to pass this URL from Oathkeeper? Maybe there is a variable I could use in the rules file?
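One way the self-service node app could honour a return_to handed over by Oathkeeper in step 3 above, as an added example that is not part of this thread or the Ory example app. It assumes Kratos's browser login init endpoint is `/self-service/login/browser` (adjust for your Kratos version) and uses a constructed allowlist of hosts so the parameter cannot be abused as an open redirect:

```javascript
// Added example (not from the thread or the Ory example app). Assumed values:
// the Kratos public URL, the login init path, and the allowed return hosts.
const KRATOS_PUBLIC_URL = "https://kratos.example.com";    // assumed
const LOGIN_INIT_PATH = "/self-service/login/browser";      // assumed endpoint
const ALLOWED_RETURN_HOSTS = new Set(["app.example.com"]);  // constructed allowlist

// Only accept return_to values that point back at our own app. Absolute URLs to
// other hosts, protocol-relative URLs ("//evil.example.net/x") and non-http
// schemes ("javascript:...") are dropped so the login flow cannot be turned
// into an open redirect.
function sanitizeReturnTo(raw, appOrigin) {
  if (!raw) return null;
  let target;
  try {
    target = new URL(raw, appOrigin); // relative paths resolve against our app
  } catch {
    return null; // unparseable value: ignore it rather than forward it
  }
  if (!["http:", "https:"].includes(target.protocol)) return null;
  if (!ALLOWED_RETURN_HOSTS.has(target.hostname)) return null;
  return target.toString();
}

// Build the URL the self-service app redirects the browser to after Oathkeeper
// sent it to /auth/login with the originally requested path in the query string.
// If return_to is missing or rejected, the flow is initialised without it and
// Kratos falls back to its configured default return URL.
function buildLoginInitUrl(returnToRaw, appOrigin) {
  const init = new URL(LOGIN_INIT_PATH, KRATOS_PUBLIC_URL);
  const safe = sanitizeReturnTo(returnToRaw, appOrigin);
  if (safe) init.searchParams.set("return_to", safe);
  return init.toString();
}

// Express-style usage (constructed): app.get("/auth/login", (req, res) =>
//   res.redirect(buildLoginInitUrl(req.query.return_to, "https://app.example.com")));
```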

I think an option is missing in Oathkeeper to set the return_to address when it redirects to the login endpoint currently! Would probably make sense to add such a functionality. Would you be open to contribute that?

I have never written a line of Go in my life but it’s just another language so I could try.
But pls give me tips on where to put this architecturally (making error handler URLs templatable? Making rules config templatable? Which files handle it? Or should it be another place?)

Hi @hackerman, I have created a work-in-progress PR here :tada::

I am not sure if this approach is best :thinking::

  • Is the url_param config option a good name?
  • Shouldn’t the ErrorRedirectConfig store a parsed to as url.URL? This way if url_param is set, we would not have to url.Parse it every time. On the other hand, we would have to run to.String() on it every time. Not sure what would be best.
  • I’ve created a RedirectUrl method. Not sure if it should be public or private.
  • The json schema contains pattern to limit allowed characters for url_param. I did it based on allowed unescaped/unreserved characters for a query string param.

Tell me what you think!

Related topic: Now this return_to parameter must be handled by the kratos client library.
I guess the return_to must be passed in this call: ?
But unfortunately this API does not allow passing of query string. Oh no! :cry:

Added an issue here: