Auth0 Home Blog Docs

Are callback URLs case-sensitive?



If we inadvertently set a callback URL in our application that includes a mixed-case hostname, it appears that the URL will not match an all lowercase hostname that’s configured in our client. Is that accurate? If so, is that intended behaviour? DNS is not case-sensitive, so I would expect that the callback URL check should also be case-insensitive when comparing the hosts.


For the callback URLs, the scheme and host parts are case-insensitive. So for example, in http://www.Example.Com/FooHoo.html, the http://www.Example.Com is case-insensitive therefore normalized to lowercase, while the FooHoo.html is case-sensitive.

This behaviour is conformant with the relevant specification.

When a URI uses components of the generic syntax, the component syntax equivalence rules always apply; namely, that the scheme and host are case-insensitive and therefore should be normalized to lowercase. For example, the URI is equivalent to .

The other generic syntax components are assumed to be case-sensitive unless specifically defined otherwise by the scheme (see Section 6.2.3).