How come "Allowed Web Origins" does not allow wildcards?

Hello Matt, my name is Jim and I’m the Community Lead here at Auth0 for Community.Auth0.com.

We understand your frustration with the current state of “Allowed Web Origins”, and the feedback process that you have been working through. We apologize that you have found this process frustrating.

As you can see, a product manager has recently commented on this feature request with current information on the subject. At this time, the team is acutely aware of this thread, and the feedback from our users, and will update this thread with relevant timelines when they become available.

To reiterate what @randynasson said, the feature has recently been moved into plans by our Product teams for future support although we have no timeframe to announce yet.

Please let us know if you would like to schedule a zoom call to elaborate.

Thank You,
Jim

4 Likes

Sweet. I’ll keep checking back for timelines. As we’re all dying to know when something so simple and so critical to modern CI/CD pipelines will be feasible.

Same issue… also filed feedback officially. Makes the product unusable for Heroku Review Apps.

4 Likes

Thank you @avimoondra for advocating for that and filling out the product feedback form!

Checking back in on this. Not sure what y’alls product cycles are like so looking to see if an ETA has been determined.

Checking on this again

It seems like this feature has just been released as you can now use wildcards for subdomains in allowed origins field. However, it doesn’t work…yet.

Can someone from Auth0 confirm if there is currently a problem with the subdomains?

I’m getting The specified redirect_uri 'https://app.mydomain.com/account/process-external-login' does not have a registered origin. error even though I registered https://*.mydomain.com. It works perfectly fine if I just use https://app.mydomain.com.

2 Likes

It’s not fully enabled just yet.

1 Like

Thanks for the update Konrad. Looking forward to an estimated timeline or an announcement it’s live!

1 Like

Sure! Will let you know as soon as it’s there.

Hello,

Quick question here.
If the feature is not fully enabled, why is it documented here? https://auth0.com/docs/applications/wildcards-for-subdomains
Also, why do we have to dig through a 2-year-old thread to discover this… I trust you are doing your best to keep advocating for the features. But this is a lot of pain…

2 Likes

If there are docs, and front end components, I am struggling to understand why there isn’t a timeline

Hey, is this live yet? I can’t seem to get arbitrary domains to work. I test my application on these URLs

  • http://localhost:3000
  • http://foo.localhost:3000
  • http://bar.localhost:3000

This is my config

Allowed Callback URLs

  • http://foo.localhost:3000
  • http://localhost:3000

Allowed Web Origins

  • http://foo.localhost:3000
  • http://localhost:3000

This won’t work for http://bar.localhost:3000. Changing the config to this

Allowed Callback URLs

  • http://*.localhost:3000

Allowed Web Origins

  • http://*.localhost:3000

Does not work for any subdomain.

It is not live yet. We’ll let you know once it’s there. Thank you!

:eyes: (just encountered this - same use case of preview deploys on Netlify)

I was able to get this working in Heroku for Review App PRs (and didn’t have time to convert into a generic Heroku addon, so sharing Heroku version inspired by Netlify solution). Just change the environment variables (this example also assumes create-react-app based application):

package.json

{
    ...
    "scripts": {
        "review-app-postdeploy": "node scripts/review-app-postdeploy.js",
        "review-app-pr-predestroy": "node scripts/review-app-pr-predestroy.js"
    },
    ...
}

app.json (for Heroku)

{
    "environments": {
        "review": {
            "scripts": {
                "postdeploy": "yarn review-app-postdeploy",
                "pr-predestroy": "yarn review-app-pr-predestroy"
            }
        }
    }
}

scripts/review-app-postdeploy.js

const auth0 = require('auth0');
const dotenv = require('dotenv');
dotenv.config();

console.log(`🔑 Auth0 Plugin startup`);
const tab = '   ';
const requiredEnvVariables = [
    'REACT_APP_AUTH0_DOMAIN',
    'REACT_APP_AUTH0_CLIENT_ID',
    'AUTH0_MANAGEMENT_CLIENT_ID',
    'AUTH0_MANAGEMENT_CLIENT_SECRET'
];
const missingEnvVariables = requiredEnvVariables.filter(
    (envVar) => typeof process.env[envVar] === 'undefined'
);

if (missingEnvVariables.length > 0) {
    console.log(
        `${tab} ☠️ Missing environment variables: ${missingEnvVariables.join(
            ', '
        )}`
    );
}

const deployUrl = `https://${process.env.HEROKU_APP_NAME}.herokuapp.com`;
console.log(`${tab} 🧭 Deploy Preview URL will be:`, deployUrl);

const management = new auth0.ManagementClient({
    domain: process.env.REACT_APP_AUTH0_DOMAIN,
    clientId: process.env.AUTH0_MANAGEMENT_CLIENT_ID,
    clientSecret: process.env.AUTH0_MANAGEMENT_CLIENT_SECRET,
    scope: 'read:clients update:clients',
    audience: 'https://XXXXXX.us.auth0.com/api/v2/'
});

management.clients
    .get({ client_id: process.env.REACT_APP_AUTH0_CLIENT_ID })
    .then((client) => {
        console.log(`${tab} 🗝  Retrieved Auth0 client: ${client.name}`);

        const clientWebOrigins = client.web_origins || [];

        const urlOrigins = [deployUrl];

        const urlsToAdd = urlOrigins.filter(
            (url) => !clientWebOrigins.includes(url)
        );

        if (urlsToAdd.length > 0) {
            console.log(
                `${tab} Adding URLs to the Auth0 Application Web Origins:`
            );
            urlsToAdd.forEach((url) => console.log(`${tab} • ${url}`));
            management.clients.update(
                { client_id: process.env.REACT_APP_AUTH0_CLIENT_ID },
                { web_origins: clientWebOrigins.concat(urlsToAdd) },
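                (updateError) => {
                    if (updateError) {
                        // `utils.build.failPlugin` only exists inside a Netlify build plugin;
                        // in a Heroku script, log the error and exit non-zero instead.
                        console.error(
                            `${tab} ☠️ Something wrong happened while trying to patch Auth0 Application`
                        );
                        process.exitCode = 1;
                    } else {
                        console.log(
                            `${tab} 🍾 Successfully patched Auth0 Application.`
                        );
                    }
                }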
            );
        } else {
            console.log(
                `${tab} 👍 URL has already been added to Auth0 Application`
            );
        }
    });

And, scripts/review-app-pr-predestroy.js

const auth0 = require('auth0');
const dotenv = require('dotenv');
dotenv.config();

console.log(`🔑 Auth0 Plugin startup`);
const tab = '   ';
const requiredEnvVariables = [
    'REACT_APP_AUTH0_DOMAIN',
    'REACT_APP_AUTH0_CLIENT_ID',
    'AUTH0_MANAGEMENT_CLIENT_ID',
    'AUTH0_MANAGEMENT_CLIENT_SECRET'
];
const missingEnvVariables = requiredEnvVariables.filter(
    (envVar) => typeof process.env[envVar] === 'undefined'
);

if (missingEnvVariables.length > 0) {
    console.log(
        `${tab} ☠️ Missing environment variables: ${missingEnvVariables.join(
            ', '
        )}`
    );
}

const deployUrl = `https://${process.env.HEROKU_APP_NAME}.herokuapp.com`;
console.log(`${tab} 🧭 Deploy Preview URL will be:`, deployUrl);

const management = new auth0.ManagementClient({
    domain: process.env.REACT_APP_AUTH0_DOMAIN,
    clientId: process.env.AUTH0_MANAGEMENT_CLIENT_ID,
    clientSecret: process.env.AUTH0_MANAGEMENT_CLIENT_SECRET,
    scope: 'read:clients update:clients',
    audience: 'https://XXXXXX.us.auth0.com/api/v2/'
});

management.clients
    .get({ client_id: process.env.REACT_APP_AUTH0_CLIENT_ID })
    .then((client) => {
        console.log(`${tab} 🗝  Retrieved Auth0 client: ${client.name}`);

        const clientWebOrigins = client.web_origins || [];

        const urlsToRemove = [deployUrl];

        if (urlsToRemove.length > 0) {
            console.log(
                `${tab} Removing URLs from the Auth0 Application Web Origins:`
            );

            urlsToRemove.forEach((url) => console.log(`${tab} • ${url}`));
            management.clients.update(
                { client_id: process.env.REACT_APP_AUTH0_CLIENT_ID },
                {
                    web_origins: clientWebOrigins.filter(
                        (origin) => !urlsToRemove.includes(origin)
                    )
                },
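                (updateError) => {
                    if (updateError) {
                        // `utils.build.failPlugin` only exists inside a Netlify build plugin;
                        // in a Heroku script, log the error and exit non-zero instead.
                        console.error(
                            `${tab} ☠️ Something wrong happened while trying to patch Auth0 Application`
                        );
                        process.exitCode = 1;
                    } else {
                        console.log(
                            `${tab} 🍾 Successfully patched Auth0 Application.`
                        );
                    }
                }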
            );
        } else {
            console.log(
                `${tab} 👍 URL has already been removed from Auth0 Application`
            );
        }
    });

1 Like

To everyone who contributed to this thread, we thank you for your input and your advocacy for making Auth0 more developer-friendly and better accommodate CI/CD scenarios.

We are pleased to inform you that, as of today, wildcards may be used in subdomains in the Allowed Web Origins URL for applications. You can read more about the announcement in our Support Center notification (Auth0 Support Center). Allowable wildcard patterns are consistent with other Application URLs, as explained in our documentation (Subdomain URL Placeholders).

As many of you are already aware, the OAuth BCP guidance states that exact match URLs should be used to guard against attack vectors. For production applications, Auth0 still recommends that you follow these guidelines.

Thank you for your continued support!

6 Likes
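
Added example (not part of the original thread, and not Auth0's matching code): a sketch of why subdomain wildcards need strict, label-by-label matching, using the URLs quoted earlier in this thread. The rules are assumptions made for this example: `*` is accepted only as the whole leftmost host label and matches exactly one DNS label, and scheme and port must match exactly. `originAllowed`, `parsePattern` and `naiveAllowed` are hypothetical names.

```javascript
// Added example: illustrative origin matcher, not Auth0's implementation.
// Assumed rules: "*" may appear only as the whole leftmost host label and
// matches exactly one DNS label; scheme and port must match exactly.
const LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;

function parsePattern(pattern) {
    const m = /^(https?):\/\/([^\/:]+)(?::(\d+))?$/.exec(pattern.toLowerCase());
    if (!m) throw new Error(`Not a bare origin pattern: ${pattern}`);
    const [, scheme, host, port] = m;
    const labels = host.split('.');
    // Reject wildcards anywhere but the first label, e.g. "https://app.*.com".
    if (labels.slice(1).some((l) => l.includes('*')) ||
        (labels[0].includes('*') && labels[0] !== '*')) {
        throw new Error(`Unsupported wildcard position: ${pattern}`);
    }
    return { scheme, labels, port: port || (scheme === 'https' ? '443' : '80') };
}

function originAllowed(url, patterns) {
    let u;
    try { u = new URL(url); } catch { return false; }
    const scheme = u.protocol.slice(0, -1);
    if (scheme !== 'http' && scheme !== 'https') return false;
    const port = u.port || (scheme === 'https' ? '443' : '80');
    const labels = u.hostname.split('.');
    // Compare label by label so the wildcard can never span a dot.
    return patterns.map(parsePattern).some((p) =>
        p.scheme === scheme && p.port === port &&
        p.labels.length === labels.length &&
        p.labels.every((pl, i) =>
            pl === '*' ? LABEL.test(labels[i]) : pl === labels[i]));
}

// Shown for contrast: converting "*" to an unanchored ".*" regex.
// This accepts hosts that merely contain the registered domain.
function naiveAllowed(url, patterns) {
    return patterns.some((p) =>
        new RegExp(p.replace(/\./g, '\\.').replace(/\*/g, '.*')).test(url));
}
```

With these rules `http://*.localhost:3000` covers `http://bar.localhost:3000` but not the bare `http://localhost:3000`, which still needs its own exact entry.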

Thanks a lot for the update Randy!

WooHoo! 32 months later, and I can confirm this works now!

Thanks everyone in the community for keeping this thread/issue alive through the years.

2 Likes

Sometimes advocating for certain features can take as much time as this. Glad we eventually did it!