Auth0 Home Blog Docs

M2M and "Allowed Callback URLs"?

I see option for providing values for “Allowed Callback URLs” property on the application settings page for machine to machine type. I also see description says "After the user authenticates we will only call back to any of these URLs. ".

In m2m - there is no user authentication. How and when this would be called ?

For testing I did add a valid URL to this property and tested accessing the API protected by this m2m application and it was not called.

Please let me know if I am doing something wrong or missing something.
Thank you.!

Hey there @manjunath.narayana, typically you would used the Allowed Callback URLs in the event of requesting resources from your api. This is devised up of a list of accepted URLs to access. Depending on your application stack you may have a number of apps that call back and forth from one another. For historical reference I have linked the definition via the documentation below as a reference point. Please let me know if you have any questions. Thanks!

Allowed Callback URLs : Set of URLs to which Auth0 is allowed to redirect the users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard for subdomains ( *.google.com ). Make sure to specify the protocol, http:// or https:// , otherwise the callback may fail in some cases.
https://auth0.com/docs/applications/machine-to-machine

Thank you James.

When you say “…you would used the Allowed Callback URLs in the event of requesting resources from your api…” - you mean when I request my API and I get back result, call back API will be called?

Also from the documentation you have attached, it clearly says “…Set of URLs to which Auth0 is allowed to redirect the users after they authenticate…” --> There is no user authenticating in m2m scenario.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Following up @manjunath.narayana, on M2M there is no redirect. What would be the desired goal of the redirection? Can you share more details on the overall goal so we can better assist? Thanks!

Thanks. I was just trying to understand why the option of providing value to "Allowed Callback URLs” property on the application settings page is available?

Now that you have confirmed there is no redirect - looks like those options should be removed to avoid confusion?

When referencing Allowed Callback URLs this doc here states them as follows:

Because callback URLs can be manipulated by unauthorized parties, Auth0 recognizes only whitelisted URLs set in the Allowed Callback URLs field of an Application’s Settings as valid.

which I feel like really sends home idea behind Allowed Callback URLs. Do you feel if the other doc was updated to something like this it would be more accurate? Thanks in advance for your input!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.