ory tunnel does not respect the Account Experience > Custom UI > Login UI setting

[EcBen]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

The ory tunnel is running on a server, for example: https://auth.example.com. An API server is running on https://api.example.com. The API server is configured to check authentication and send the user to the login page. This works, but the ory tunnel running on https://auth.example.com does not work with the Account Experience > Custom UI > Login UI setting.

I have changed the Account Experience > Custom UI > Login UI setting to /login. When the API server redirects the user to login, it gets back https://auth.example.com/login?flow=some-flow-uuid-here, which is correct, and sends the user's browser there. However, the ory tunnel does not respond on /login. Visiting the URL returns:

{
  "error": {
    "code": 404,
    "message": "No resource found using the specified path.",
    "reason": "Invalid path",
    "status": "Not Found"
  }
}

However, if I change the URL in the browser to: https://auth.example.com/ui/login?flow=some-flow-uuid-here, it shows the login page and works. If I change the Account Experience > Custom UI > Login UI setting to /ui/login the redirect and login works correctly.

I would expect when the Account Experience > Custom UI > Login UI setting is /login, the ory tunnel would use that and work correctly, but it does not.

I also have a web app that is setup with ory and renders the Login page at /login, which works fine. Which is why the Account Experience > Custom UI > Login UI setting is /login, not /ui/login. But when authenticating from the API server, which redirects to the ory tunnel on https://auth.example.com, the /login setting does not work.

The ory tunnel should use the same Account Experience > Custom UI > Login UI setting when it exposes the URLs.

Reproducing the bug

1. Set your Account Experience > Custom UI > Login UI setting to /login instead of the default /ui/login
2. Run the ory tunnel for your project
3. Run a server/api/etc. that using Ory for authentication and redirects unauthenticated users to the ory tunnel. This is done by calling /self-service/login/browser?return_to=server-api-requested-URL-here to get the flow.RequestUrl response and redirects the browser there
4. Visit the server/api/etc. and get redirected to https://auth.example.com/login?flow=some-flow-uuid-here, which doesn't load and shows:

{
  "error": {
    "code": 404,
    "message": "No resource found using the specified path.",
    "reason": "Invalid path",
    "status": "Not Found"
  }
}

5. Change URL to https://auth.example.com/ui/login?flow=some-flow-uuid-here, which does work

Relevant log output

No response

Relevant configuration

No response

Version

v0.3.2

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

None

Additional Context

No response

[EcBen]

I tried changing the oauth2-config to /login with this command:

ory patch oauth2-config project-uuid-here --replace "/urls/login=\"/login\""

But that didn't change anything with the above issue.

Is using a different login URL for ory tunnel possible? At this point, I'm going to have to change the webapp's URL to match /ui/login so things work correctly.

[zach-pp]

Running into a similar issue. We're developing a custom UI, and have set the custom base UI URL value appropriately. Things work as expected on the deployed dev site itself when we log in via Google. However, when running locally with ory tunnel (http://localhost:3000 for the UI), we're redirected to our local tunnel (http://localhost:4000). Seems like we should be able to set the custom base UI URL for the tunnel, but I'm unsure how.