Allowed web origins URLs don't work with wildcard

Hi,

We encounter an issue when configuring “Allowed web origins” from our Auth0 tenant.

We use wildcards for all other configurations, such as “Allowed Callback URLs” or “Allowed Logout URLs” and it works as expected.

Here is what we configure: “https://*.dev.site.fr”.

We have now the need to configure “Allowed Web Origins”. It’s written that a wildcard is working there, so we add the same entry that we have for other fields: “https://*.dev.site.fr”.

But we still have CORS issues when performing cross-origin authentication through the /co/authenticate endpoint.

We have tested entering the full URL to see if it’s not something we miss somewhere else, and it works without a wildcard.

Do you have any clues about that?

Thanks

Hi @Will956

Thanks for contacting Auth0 Community.

Please note that there are certain rules that need to be followed for this to work, they are listed here https://auth0.com/docs/get-started/applications/wildcards-for-subdomains#wildcard-url-placeholders

Providing all of these rules are followed then it should work as expected.

Warm regards.


Hi, thanks for your response.

This issue is there because we are using www in our domain, “https://www.*.dev.site.fr”. So indeed that breaks the rule that says “A URL with a valid wildcard will not match a URL more than one subdomain level in place of the wildcard.”

It works with other fields (Allowed Callback URLs or Allowed Logout URLs) because we are redirecting “https://*.dev.site.fr” to “https://www.*.dev.site.fr” on our side, so it’s not an issue.

That’s a blocker to use cross-origin authentication for us at the moment because of that www issue; that’s not something we can remove due to security.

I’m wondering if there is a flow to perform the same but in the back end. A call to an endpoint providing email/password to Auth0 that returns a code (we are using the express-openid-connect library that works with code flow).

Do you have any clues about that?

Thanks
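To make the one-subdomain-level rule quoted above concrete, here is an added example (not Auth0's own code, and not how Auth0 implements matching) that models a wildcard "Allowed Web Origins" entry and reports which candidate origins it would not accept. It assumes a single `*` as the leftmost host label standing for exactly one DNS label, with scheme and port required to match.

```javascript
// Added example (not Auth0's code): a local model of the wildcard rule so
// candidate origins can be checked before relying on cross-origin auth.
// Assumption: one "*" as the leftmost host label, matching exactly one
// DNS label; scheme and port must match the configured entry.
const ORIGIN_RE = /^(https?):\/\/([^/:?#]+)(?::(\d+))?\/?$/i;

// Split a bare origin ("scheme://host[:port]") into its parts, or null
// when it carries a path, query or fragment (not valid for an origin).
function splitOrigin(value) {
  const m = ORIGIN_RE.exec(value.trim());
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' };
}

// Does `origin` satisfy the configured `pattern`? A literal pattern must
// match exactly; a wildcard pattern matches only when the origin has the
// same number of labels, so "*" never spans "www.app" (two levels).
function originMatches(pattern, origin) {
  const p = splitOrigin(pattern);
  const o = splitOrigin(origin);
  if (!p || !o) return false;
  if (p.scheme !== o.scheme || p.port !== o.port) return false;
  if (!p.host.includes('*')) return p.host === o.host;

  const pLabels = p.host.split('.');
  const oLabels = o.host.split('.');
  const wildcardIsLeftmostOnly =
    pLabels[0] === '*' && !pLabels.slice(1).some((l) => l.includes('*'));
  if (!wildcardIsLeftmostOnly) return false;
  if (oLabels.length !== pLabels.length) return false; // one level only
  if (oLabels[0] === '' || oLabels[0].includes('*')) return false;
  return pLabels.slice(1).every((label, i) => label === oLabels[i + 1]);
}

// Report which candidate origins no configured entry would accept.
function unmatchedOrigins(configured, candidates) {
  return candidates.filter(
    (origin) => !configured.some((pattern) => originMatches(pattern, origin))
  );
}

// Constructed sample mirroring the thread: the bare tenant subdomain passes,
// the www-prefixed one needs two labels in place of "*" and is rejected.
const configured = ['https://*.dev.site.fr'];
const candidates = ['https://app.dev.site.fr', 'https://www.app.dev.site.fr'];
console.log(unmatchedOrigins(configured, candidates)); // [ 'https://www.app.dev.site.fr' ]
```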

Hi @Will956

Ah ok I see. I would suggest leaving some feedback directly to our Product Team about this, please use our Feedback form found at https://auth0.com/feedback to submit your request. Please know that our team reviews each and every request received to determine product fit and may reach out to you if additional information is needed.

In regards to the backend you mentioned, you can review our ROP flow here, which returns an access token if auth is successful. It is not a recommended flow but can be used if the authorization code flow cannot be used for some reason.

Warm regards.
