Allowed web origins URLs doesn't work with wildcard

Will956 · May 16, 2023, 7:58am

Hi,

we encounter an issue when configuring “Allowed web origins” from our Auth0 tenant.

We use wildcards for all other configurations, such as “Allowed Callback URLs” or “Allowed Logout URLs” and it works as expected.

Here is what we configure: “https://*.dev.site.fr”.

We have now the need to configure “Allowed Web Origins”. It’s written that a wildcard is working there, so we add the same entry that we have for other fields: “https://*.dev.site.fr”.

But we still have CORS issues when performing cross-origin authentication through the /co/authenticate endpoint.

We have tested entering the full URL to see if it’s not something we miss somewhere else, and it works without a wildcard.

Do you have any clues about that?

Thanks

SaqibHussain · May 30, 2023, 7:29am

Hi @Will956

Thanks for contacting Auth0 Community.

Please note that there are certain rules that need to be followed for this to work, they are listed here https://auth0.com/docs/get-started/applications/wildcards-for-subdomains#wildcard-url-placeholders

Providing all of these rules are followed then it should work as expected.

Warm regards.

Will956 · May 30, 2023, 7:46am

Hi, thanks for your response.

This issue is there because we are using www in our domain, “https://www.*.dev.site.fr”. So indeed that breaks the rule that says “A URL with a valid wildcard will not match a URL more than one subdomain level in place of the wildcard.”

It works with other fields (Allowed Callback URLs or Allowed Logout URLs) because we are redirecting “https://.dev.site.fr" to "https://www..dev.site.fr” on our side so it’s not an issue.

That’s a blocker to use cross-origin authentication for us at the moment because of that www issue, that’s not something we can remove due to security.

I’m wondering if there is a flow to perform the same but in the back end. A call to an endpoint providing email/password to Auth0 that returns a code (we are using the express-openid-connect library that works with code flow).

Do you have any clues about that?

Thanks

SaqibHussain · May 31, 2023, 6:50am

Hi @Will956

Ah ok I see. I would suggest leaving some feedback directly to our Product Team about this, please use our Feedback form found at https://auth0.com/feedback to submit your request. Please know that our team reviews each and every request received to determine product fit and may reach out to you if additional information is needed.

In regards to the backend you mentioned, you can review our ROP flow here which returns an access token if auth is successful, it is not a recommended flow but can be used if the authorization code flow cannot be used for some reason.

Warm regards.

system · June 14, 2023, 6:51am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Handle www subdomain in "Allowed web origins" Feedback	1	1036	May 31, 2023
Configure callback urls with wildcard Help	2	4987	June 12, 2020
Allowed web origins URLs not working with wildcard Knowledge Articles	1	714	July 26, 2023
What are the security challenges why Auth0 does not allow wildcard at the end of the domain. For eg. example.com/* is not supported for allowed callback urls Help configuration , application	2	25	September 9, 2024
How come "Allowed Web Origins" does not allow wildcards? Help wildcard	123	26607	September 22, 2020

Allowed web origins URLs doesn't work with wildcard

Related Topics