My callback URL list has many pairs like this:
https://www.mysite.com/app/, https://www.mysite.com/app/index.html
It would be nice to avoid the second one by using a wildcard like this:
https://www.mysite.com/app/*
That doesn’t work. Is there something like it that does?
Would be useful, even having to specify .html is a bit of a pain. But I am totally ignorant on the security consequences of this. Maybe it opens too much to some security concerns.
There is no support for wildcards within the path component of the redirect URL; this is in accordance to the recommendations as that wildcard in the path would mean a (malicious) end-user would be able to choose any page under that path and any open redirector in one of your pages (even if not authentication related) would compromise your application.
You should continue to specify the full path of all your redirect URL’s. If you have a situation where you want to do a final conditional redirect based on some dynamic condition you should consider leveraging the state parameter.