When configuring an Auth0 “application” for an SPA I’m hitting the multi-tenant configuration problem for callback URLs.
I’ve seen some discussion related to this, as in Auth0 requires a specific path on URLs registered in the “Allowed Callback URLs” list. The problem is that in a multi-tenant scenario, where the tenant’s ID is the base of the URL we don’t know what the precise callback path.
It appears Auth0 prevents using wild-card paths…I can’t recall if they ever did, and clawed this back to reduce possible attack vectors, or whether this was never allowed. But it’s a total PITA…and after various scenarios of hacking the URL schemes on the app, I’m decidedly uneasy about it.
So I’m back to plugging in specific callback URLs. This obviously doesn’t scale, I’m wondering:
is there a way to programmatically configure the list of callback URLs through an Auth0 configuration API?
or is there some other best practice for handling this type of scenario?