Programmatically configure [Allowed Callback URLs] for multi-tenant scenario

When configuring an Auth0 “application” for an SPA I’m hitting the multi-tenant configuration problem for callback URLs.

PROBLEM
I’ve seen some discussion related to this, as in Auth0 requires a specific path on URLs registered in the “Allowed Callback URLs” list. The problem is that in a multi-tenant scenario, where the tenant’s ID is the base of the URL, we don’t know the precise callback path.

It appears Auth0 prevents using wild-card paths…I can’t recall if they ever did, and clawed this back to reduce possible attack vectors, or whether this was never allowed. But it’s a total PITA…and after various scenarios of hacking the URL schemes on the app, I’m decidedly uneasy about it.

QUESTION
So I’m back to plugging in specific callback URLs. This obviously doesn’t scale, so I’m wondering:

  • is there a way to programmatically configure the list of callback URLs through an Auth0 configuration API?

  • or is there some other best practice for handling this type of scenario?

Thanks! :cake:
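As an added example (not from this thread or from Auth0's own SDKs), the first question can be addressed with the Auth0 Management API, which exposes the application's `callbacks` list through `PATCH /api/v2/clients/{id}` (a token with `read:clients` and `update:clients` is needed). The tenant hostname scheme `https://<tenant>.example.com/auth/callback` is an assumption for illustration. The snippet registers each tenant's exact callback URL, rejects tenant IDs that could smuggle in a different host or path, and does a read-merge-write so a PATCH never drops URLs other tenants still depend on:

```python
import json
import re
import urllib.request

# Assumed (constructed) tenant URL scheme: https://<tenant>.example.com/auth/callback
BASE_DOMAIN = "example.com"
CALLBACK_PATH = "/auth/callback"
# One DNS label only: no dots, slashes, wildcards or spaces can reach the URL.
TENANT_ID_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def tenant_callback_url(tenant_id):
    """Build the exact (non-wildcard) callback URL for one tenant."""
    if not TENANT_ID_RE.fullmatch(tenant_id):
        raise ValueError("invalid tenant id: %r" % tenant_id)
    return "https://%s.%s%s" % (tenant_id, BASE_DOMAIN, CALLBACK_PATH)


def merged_callbacks(existing, new_urls):
    """Union of existing and new URLs, deduplicated, original order kept."""
    merged = []
    for url in list(existing) + list(new_urls):
        if url not in merged:
            merged.append(url)
    return merged


def update_allowed_callbacks(auth0_domain, client_id, mgmt_token, tenant_ids):
    """Read the current callbacks, add the new tenants' URLs, PATCH back.

    auth0_domain: e.g. 'your-tenant.auth0.com'; mgmt_token: Management API token.
    """
    url = "https://%s/api/v2/clients/%s" % (auth0_domain, client_id)
    headers = {
        "Authorization": "Bearer " + mgmt_token,
        "Content-Type": "application/json",
    }
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp).get("callbacks") or []
    new_urls = [tenant_callback_url(t) for t in tenant_ids]
    body = json.dumps({"callbacks": merged_callbacks(current, new_urls)}).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PATCH")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["callbacks"]
```

Run this from a provisioning job when a tenant is created, not from the SPA itself, since the Management API token must never reach the browser.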

Hey there!

Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?