Adding parameters to callback URLs

canderson · July 22, 2023, 12:17am

So I have a website with several pages that use GET parameters and are called like this:

/staff/00500A which IIS redirects to /staff.php?Staff=00500A
and
/project/20230567.001 which IIS redirects to /project.php?Prj=20230567.001

So I’m trying to figure out how to list callbacks with something like https://www.domain.com/staff/* (Which, yes, I know does not work).

I’ve seen questions similar to this in the forums, but never one that has been answered.

Any help would be appreciated.

rueben.tiow · July 24, 2023, 8:29pm

Hi @canderson,

Welcome to the Auth0 Community!

Unfortunately, as you have discovered, calling a wildcard at the end of your URL will not work and can make your application vulnerable to attacks. A redirect_uri with the value of https://www.domain.com/staff/staff.php?Staff=88888A would be considered valid even if there were no staff with that value.

Some options around this would be to:

Include each URL to the list of Allowed Callback URLs as there is no limit on the number of callback URLs.
Redirect to a common URL such as the app’s home page

Here are some helpful resources for your reference:

Please let me know if you have any questions.

Thanks,
Rueben

system · August 7, 2023, 8:30pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.