Our app hosts customer domains at {org_name}.myapp.com. We want to redirect users to their subdomain after login, but we don’t want to require users to type in/remember their organization before initiating the login flow (which is required to use Organization URL parameters - see docs).

The approach I’m taking (inspired by this post) is to have an auth.myapp.com domain that redirects users to Auth0, and is also the callback URL. After login is completed, auth.myapp.com will manually redirect users to their subdomain. Note that I am setting cookieDomain=.myapp.com to allow the subdomains to access the requisite cookies.

This is nearly working; however, when I redirect to {org_name}.myapp.com, because the callback URL is set to auth.myapp.com/callback, the getTokenSilently API uses the callback URL origin of auth.myapp.com, which doesn’t match the user’s actual origin {org_name}.myapp.com. This prevents the token flow from succeeding (the /authorize?prompt=none request succeeds but has the wrong targetOrigin, so the /token request never follows).

I could fix this by adding *.myapp.com to the allowed callback URLs and then using {org_name}.myapp.com as the callback URL, but from what I understand wildcard callback URLs are discouraged for security reasons.

Feels like this should be more straightforward and maybe I’m taking the wrong approach. Is there another way to do this? I suppose the “other way” is to use {organization_name} in the callback URL, but I would rather not force my users to type in their organization before logging in.
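The post-login hop from auth.myapp.com to {org_name}.myapp.com described above is the one place where auth.myapp.com builds a redirect target itself, so it is worth validating the org label strictly. The following is an added illustration, not code from the original post or from Auth0; myapp.com, the KNOWN_ORGS allowlist and the returnTo values are constructed stand-ins.

```javascript
// Added example: build the redirect from auth.myapp.com to the user's org
// subdomain from a validated org label only, never from a caller-supplied URL.
// BASE_DOMAIN and KNOWN_ORGS are constructed stand-ins for this illustration.
const BASE_DOMAIN = 'myapp.com';
const KNOWN_ORGS = new Set(['acme', 'globex', 'initech']);

// DNS label grammar: 1-63 chars, lowercase alphanumerics and hyphens,
// no leading or trailing hyphen. Dots, slashes and '@' are rejected here,
// so an org value cannot smuggle in a different host or an authority part.
const ORG_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function isValidOrgName(orgName) {
  if (typeof orgName !== 'string') return false;
  const label = orgName.toLowerCase();
  return ORG_LABEL.test(label) && KNOWN_ORGS.has(label);
}

// Returns the absolute URL to send the user to, or null if anything about
// the request is not acceptable. returnTo is the optional landing path the
// app may have stashed before the login round trip.
function buildOrgRedirect(orgName, returnTo = '/') {
  if (!isValidOrgName(orgName)) return null;
  const origin = `https://${orgName.toLowerCase()}.${BASE_DOMAIN}`;
  let target;
  try {
    // Resolve returnTo relative to the org origin. A protocol-relative
    // ("//evil.example/x") or absolute ("https://evil.example/") value
    // resolves to a different origin and is caught by the check below.
    target = new URL(returnTo, origin);
  } catch {
    return null;
  }
  if (target.origin !== origin) return null;
  return target.href;
}

// Stand-alone demonstration of accepted and rejected inputs.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildOrgRedirect('acme', '/dashboard?tab=1'));
  console.log(buildOrgRedirect('acme', '//evil.example/x'));
  console.log(buildOrgRedirect('acme.evil'));
}
```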