Handle www subdomain in "Allowed web origins"


Handle www subdomain in “Allowed web origins” configuration


Have a way to handle www subdomain here Subdomain URL Placeholders


We encounter an issue when configuring “Allowed web origins” from our Auth0 tenant.

We use wildcards for all other configurations, such as “Allowed Callback URLs” or “Allowed Logout URLs” and it works as expected.

Here is what we configure: “https://*.dev.site.fr”.

We now have the need to configure “Allowed Web Origins”. It’s written that a wildcard is working there, so we add the same entry that we have for other fields: “https://*.dev.site.fr”.

But we still have CORS issues when performing cross-origin authentication through the /co/authenticate endpoint.

This issue is there because we are using www in our domain, “https://www.*.dev.site.fr”. So indeed that breaks the rule that says “A URL with a valid wildcard will not match a URL more than one subdomain level in place of the wildcard.”

It works with other fields (Allowed Callback URLs or Allowed Logout URLs) because we are redirecting “https://*.dev.site.fr” to “https://www.*.dev.site.fr” on our side so it’s not an issue.

That’s a blocker to use cross-origin authentication for us at the moment because of that www issue, that’s not something we can remove due to security.
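
The single-level wildcard rule quoted in the post above, as an added sketch that is not part of the original thread and is not Auth0's code. The subdomain `tenant1` and the sample origins are constructed, and accepting `*` only as the whole leftmost label is an assumption of this sketch.

```javascript
// Added sketch: single-label wildcard matching for an allowed-origins list.
// Assumption of this sketch: "*" is only accepted as the whole leftmost label.
function defaultPort(scheme) {
  return scheme === "https" ? "443" : "80";
}

function parsePattern(pattern) {
  const m = /^(https?):\/\/([^\/:?#]+)(?::(\d+))?$/.exec(pattern.toLowerCase());
  if (!m) throw new Error(`not an origin pattern: ${pattern}`);
  const labels = m[2].split(".");
  if (labels.some((l, i) => l.includes("*") && !(i === 0 && l === "*"))) {
    throw new Error(`wildcard must be the whole leftmost label: ${pattern}`);
  }
  return { scheme: m[1], labels, port: m[3] || defaultPort(m[1]) };
}

function originMatches(pattern, origin) {
  const p = parsePattern(pattern);
  const u = new URL(origin); // normalises case and drops default ports
  const scheme = u.protocol.slice(0, -1);
  if (scheme !== p.scheme) return false;
  if ((u.port || defaultPort(scheme)) !== p.port) return false;
  const host = u.hostname.split(".");
  // "*" stands for exactly one label, so both hosts need the same label count.
  // Comparing label by label also anchors the suffix (no ".dev.site.fr.other").
  if (host.length !== p.labels.length) return false;
  return p.labels.every((l, i) => (l === "*" ? host[i] !== "" : l === host[i]));
}

// Constructed sample origins for the pattern used in the post.
const PATTERN = "https://*.dev.site.fr";
const SAMPLES = [
  "https://tenant1.dev.site.fr",          // one label in place of "*"
  "https://www.tenant1.dev.site.fr",      // two labels: the www case from the post
  "https://dev.site.fr",                  // zero labels in place of "*"
  "http://tenant1.dev.site.fr",           // scheme differs
  "https://tenant1.dev.site.fr.example",  // pattern host is not the suffix
];

function report() {
  return SAMPLES.map((o) => [o, originMatches(PATTERN, o)]);
}

for (const [origin, ok] of report()) {
  console.log(ok ? "allow" : "block", origin);
}
```

Only the first sample is allowed; the `www.` origin is blocked because two labels would have to stand in for the single wildcard.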

Hey there!

Thanks for advocating for that and creating this feedback card. We review those feedback cards on a monthly basis and will let you know once we have updates on that front, but in the meantime please make sure to upvote it. Thank you!
