Allowed Callback URLs validation is incorrect

Feature: Custom schemes should be valid as Callback URLs.

Description: The URL validation does not allow all characters which are permitted in a custom scheme, it appears to only accept alphanumeric characters.

Use-case: Mobile apps often use custom schemes, and it is essential that an OAuth redirect be able to return to a mobile app to complete sign-in. Custom schemes containing “+”, “-”, or “.” are valid, and should not be prevented from being entered in the Allowed Callback URLs field for an Auth0 app.

Hey there!

Thanks for creating this feedback card! Make sure to upvote it so that it gets as much attention from other community users as possible. We review those feedback cards on a monthly basis and will let you know once we have any updates on that front. Thank you!

That’s fine, I guess, but this is clearly a bug.

Hi there. I haven’t heard anything back on this one. Did my point get lost that the validation for callbacks does not meet the URI specifications spelled out in RFC 3986? The standard is clear about the valid characters, and Auth0 should correct its validation to comply.

It turns out I was led astray by the opaque error message from Auth0. It seems like the URI validation requires at least a root path for a custom scheme, which means three slashes. Two should be permitted, and this requirement means Expo’s makeRedirectUri requires the isTripleSlashed option, but a workaround is available.
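The two points raised in this thread, the scheme character set from RFC 3986 section 3.1 (`ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`) and the two-slash versus three-slash distinction from the last reply, as an added Python example. This is not code from the original thread and says nothing about how Auth0 actually implements its check: the `require_root_path` flag merely models the behaviour the last reply describes, `to_triple_slashed` is a hypothetical helper standing in for what the Expo workaround produces, and the fragment rejection follows RFC 6749 section 3.1.2, which forbids a fragment in a redirection endpoint URI.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")

# RFC 3986 appendix B: the reference regular expression for splitting a URI
# into scheme, authority, path, query and fragment.
URI_SPLIT_RE = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$"
)


@dataclass
class CallbackCheck:
    ok: bool
    scheme: Optional[str]
    authority: Optional[str]   # None when no "//" is present, "" for "scheme:///path"
    path: str
    reason: str


def is_valid_scheme(scheme: str) -> bool:
    """True if the scheme uses only the characters RFC 3986 permits."""
    return SCHEME_RE.fullmatch(scheme) is not None


def check_callback_url(url: str, require_root_path: bool = False) -> CallbackCheck:
    """Validate a redirect/callback URL.

    require_root_path=True models the stricter rule described in the thread,
    where a custom scheme must carry a root path ("scheme:///path"); it is an
    assumption about that behaviour, not Auth0's actual rule.
    """
    m = URI_SPLIT_RE.match(url)
    scheme, authority, path, _query, fragment = m.groups()

    if scheme is None:
        return CallbackCheck(False, None, authority, path, "missing scheme")
    if not is_valid_scheme(scheme):
        return CallbackCheck(False, scheme, authority, path,
                             "scheme contains characters outside RFC 3986 section 3.1")
    # RFC 6749 section 3.1.2: the redirection endpoint URI MUST NOT include a fragment.
    if fragment is not None:
        return CallbackCheck(False, scheme, authority, path,
                             "fragment component not allowed in a redirect URI")
    if require_root_path and not path.startswith("/"):
        return CallbackCheck(False, scheme, authority, path,
                             "custom scheme requires a root path (scheme:///path)")
    return CallbackCheck(True, scheme, authority, path, "ok")


def to_triple_slashed(url: str) -> str:
    """Rewrite "scheme://segment" as "scheme:///segment".

    Hypothetical helper: it moves the authority into the path so the URL
    satisfies a validator that insists on a root path. URLs that already
    have a path, or no authority, are returned unchanged.
    """
    scheme, authority, path, query, fragment = URI_SPLIT_RE.match(url).groups()
    if scheme is None or not authority or path:
        return url
    rebuilt = f"{scheme}:///{authority}"
    if query is not None:
        rebuilt += f"?{query}"
    if fragment is not None:
        rebuilt += f"#{fragment}"
    return rebuilt


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from any real tenant.
    for candidate in ("com.example.app://callback",
                      "my-app+dev://auth",
                      "my_app://auth",
                      "1app://auth",
                      "https://example.com/callback#state"):
        print(candidate, "->", check_callback_url(candidate).reason)
    print(to_triple_slashed("com.example.app://callback"))
```

Running the block shows that dotted and hyphenated schemes pass the RFC 3986 check, that an underscore or a leading digit fails it, and that a URL with a fragment is rejected regardless of scheme. With `require_root_path=True`, `com.example.app://callback` fails because its authority is `callback` and its path is empty, while the three-slash form has an empty authority and path `/callback`, which is exactly the difference the last reply describes.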