Callback URL mismatch when changing the allowed callback URL of the application

Hi @sinko,

Welcome to the Community!

For Allowed Callback URLs, you cannot use something like a wildcard (e.g. http://localhost:4200/*), but instead the URL must be an exact match, including the relative path.

The suggested implementation is to pass a state param when requesting authentication and then refer to that in the /callback page to perform the redirect:

  1. Store the following in localStorage: randomStateValue: the URL pathname.

  2. Pass randomStateValue as the state parameter in the authentication request.

  3. Check the state value in the callback, and retrieve the value for randomStateValue from localStorage.

  4. Perform the redirect from within your application.

Documentation: Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters
