I’ve created a successful Auth0 web app client using a wildcard subdomain in the callback URL. Works like a charm. Now for my mobile app, I have a custom protocol in the callback URL:
com.xtinguishers.tech:// This is so my app can open up when the callback arrives. So my redirectUri looks like:
The usfire segment needs to be the wildcard. So I’ve added this to my allowed callbacks in Auth0:
But when trying to authenticate, Auth0 tells me that the redirectUrl is not approved. Is this a bug, or is there a security reason why wildcards cannot be allowed in combination with a custom protocol (this should be a common use case for hybrid apps using Auth0)?
Update: (follow-up to @jmangelo answer)
The analysis is spot on and I totally agree. Let me back up on my question one step. My situation is your last one: a single, mobile app. I do indeed ask the user for the tenant’s “domain” the first time they open the app.
My original question should have been, how to pass a parameter to the authorize endpoint that I can access from a Rule?
I was basically shoving this “tenant” parameter into the RedirectUri so that in the Rule I could parse it out and use it. The RedirectUri was the only way I could see of passing a param from my application to Auth0 rules.
I need the tenant “domain” in my rules for two reasons:
- Primarily, in the rule, I call my API method “GetValidUsers” that returns from my backend a list of all email addresses that are allowed to be used for login for this tenant. The tenant “domain” is required for this.
- I like to embed the tenant domain into the token, for a secure and consistent way that my app and api can know what tenant to deal with.
So…what’s the best way to pass this tenant parameter to Auth0 rule?
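An added example (not the poster's code) of the approach the question is reaching for: a custom `tenant` parameter sent to the `/authorize` endpoint is visible to a Rule through `context.request.query` (or `context.request.body` for POST), so the Rule can validate it against the backend and embed it as a namespaced claim. The claim namespace, the slug format and the in-memory `getValidUsers` table are assumptions standing in for the poster's real domain and "GetValidUsers" API.

```javascript
// Auth0 Rules expose a global UnauthorizedError; fall back to a plain Error
// so this file also runs stand-alone in Node for testing.
const UnauthErr = typeof UnauthorizedError !== 'undefined' ? UnauthorizedError : class extends Error {};

const CLAIM_NS = 'https://example.com/tenant'; // assumed namespace (custom claims must be namespaced)
const TENANT_RE = /^[a-z0-9-]{1,63}$/;          // assumed tenant-slug format, e.g. "usfire"

// Constructed stand-in for the backend "GetValidUsers" call; the real rule
// would fetch this list from the API for the given tenant.
function getValidUsers(tenant) {
  const table = { usfire: ['alice@usfire.example', 'bob@usfire.example'] };
  return table[tenant] || null;
}

// In the Auth0 dashboard this body would be the anonymous
// function (user, context, callback) { ... } that makes up the Rule.
function tenantRule(user, context, callback) {
  const req = context.request || {};
  const params = Object.assign({}, req.body || {}, req.query || {});
  // The parameter arrives from the client, so treat it as untrusted input:
  // normalise, check the shape, then check it against the backend.
  const tenant = typeof params.tenant === 'string' ? params.tenant.trim().toLowerCase() : '';
  if (!TENANT_RE.test(tenant)) {
    return callback(new UnauthErr('Missing or malformed tenant parameter'));
  }
  const allowed = getValidUsers(tenant);
  if (!allowed) {
    return callback(new UnauthErr('Unknown tenant'));
  }
  const email = (user.email || '').toLowerCase();
  if (!user.email_verified || !allowed.includes(email)) {
    return callback(new UnauthErr('User is not permitted to log in to this tenant'));
  }
  // Embed the validated tenant in both tokens so app and API agree on it.
  context.idToken[CLAIM_NS] = tenant;
  context.accessToken[CLAIM_NS] = tenant;
  return callback(null, user, context);
}
```

The app appends `tenant=<slug>` as an extra query parameter on the authorize request, which keeps the callback URL fixed and avoids needing a wildcard with the custom scheme.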