We have a set of subdomains intended to use for different organizations (i.e. the organization name should match the subdomain), so it seemed to follow that we should be able to use the {organization_name} component in the callback URL in order to indicate which organization should be gated to each subdomain. However, if we just include https://{organization_name}.ourdomain.com/api/auth as the callback, we get an immediate error on attempting to login. We can only get this to work if we include each subdomain in the callback url list, and this allows a user in different domains to still log into every other subdomain regardless if they are a member of that organization.
Are we misunderstanding how this is intended to be used? What is the actual use case for an organization URL?