Using organization_name url within callback URL does not seem to work

We have a set of subdomains intended to use for different organizations (i.e. the organization name should match the subdomain), so it seemed to follow that we should be able to use the {organization_name} component in the callback URL in order to indicate which organization should be gated to each subdomain. However, if we just include https://{organization_name}.ourdomain.com/api/auth as the callback, we get an immediate error on attempting to log in. We can only get this to work if we include each subdomain in the callback URL list, and this allows a user in different domains to still log into every other subdomain regardless of whether they are a member of that organization.

Are we misunderstanding how this is intended to be used? What is the actual use case for an organization URL?


Hi @jthibeaux,

Welcome to the Auth0 Community!

Your understanding is correct, you must specify the different subdomains in your callback URLs as mentioned in our documentation on the matter - Subdomain URL Placeholders, but also stated by this knowledge article - Dynamic Callback URLs with Wildcards:

  • A placeholder must not be used in conjunction with a wildcard in the URL. https://{organization_name}.*.exampleco.com will not work.

However, you can keep the {organization_name} placeholder in order to have an exact match when it comes to the Callback URL list, but you can deny access to any user that is trying to authenticate to that specific organization from the server-side, after inspecting the token and comparing the org_id claim to the id of the intended organization for the current subdomain.

I’m sorry for the late reply, but I hope this helps your use and others as well!
Thanks,
Remus
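
The server-side check described in the reply above, as an added example that is not part of the original thread and is not Auth0's own code. It assumes the ID token's signature, issuer, audience and expiry have already been validated by your SDK or JWT library; the function names, the subdomain-to-organization map and the `org_...` ids are hypothetical values constructed for illustration.

```javascript
// Base domain taken from the question; everything else here is constructed.
const BASE_DOMAIN = "ourdomain.com";

// Hypothetical mapping: subdomain label -> Auth0 organization id.
// In practice this would come from your own tenant/organization store.
const ORG_ID_BY_SUBDOMAIN = new Map([
  ["acme", "org_EXAMPLEacme0001"],
  ["globex", "org_EXAMPLEglobex02"],
]);

// Extract the single subdomain label from a Host header value, or null.
// Behind a reverse proxy, pass the host value the proxy has validated.
function subdomainFromHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const host = hostHeader.trim().toLowerCase()
    .replace(/:\d+$/, "")   // drop an explicit port
    .replace(/\.$/, "");    // drop a trailing root dot
  const suffix = "." + BASE_DOMAIN;
  if (!host.endsWith(suffix)) return null; // rejects acme.ourdomain.com.evil.example
  const label = host.slice(0, -suffix.length);
  // Exactly one DNS label: no nested subdomains such as a.acme.ourdomain.com
  return /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(label) ? label : null;
}

// Decide whether already-verified token claims may be used on this host.
// Fails closed: any missing or unexpected value is a denial.
function authorizeOrgForHost(hostHeader, claims) {
  const subdomain = subdomainFromHost(hostHeader);
  if (!subdomain) return { allowed: false, reason: "unknown_host" };

  const expectedOrgId = ORG_ID_BY_SUBDOMAIN.get(subdomain);
  if (!expectedOrgId) return { allowed: false, reason: "unknown_organization" };

  const orgId = claims && claims.org_id;
  if (typeof orgId !== "string") return { allowed: false, reason: "missing_org_id" };
  if (orgId !== expectedOrgId) return { allowed: false, reason: "org_mismatch" };

  return { allowed: true, reason: "ok" };
}
```

Call `authorizeOrgForHost` in the callback handler before creating a session, and again wherever a session is accepted on a subdomain, so a session established for one organization cannot be presented to another organization's host.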
