What are the security challenges behind Auth0 not allowing a wildcard at the end of the domain? For example, example.com/* is not supported for allowed callback URLs

Hi there,
When trying to set callback URLs for a client, we encountered one limitation/question:
Auth0 does not allow a wildcard at the end of the domain, for example example.com/*; only the subdomain URL placeholder is supported (per this doc: Subdomain URL Placeholders).

We can only find the statement below in https://auth0.github.io/auth0-oidc-client-net/documentation/getting-started/callbacks.html:
“Since callback URLs can be manipulated, you will need to add your application’s URL to your client’s Allowed Callback URLs for security. This will enable Auth0 to recognize these URLs as valid. If omitted, authentication will not be successful.”

But can someone further clarify the security concerns behind the scenes of this limitation? Thank you!

Hi there @Changrui.Yu and welcome to the community 🙂

You can find some more in the official documentation here, where a link to OWASP goes into this in a bit more detail:

This restriction basically boils down to protecting against any sort of open redirect vulnerability and ensuring authentication responses (containing tokens) are returned to trusted locations.

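To make the difference concrete, here is an added example (not Auth0's code, and not from either poster) of the two validation styles under discussion: a strict allow-list check that compares scheme, host, port, path, query and fragment exactly, with a subdomain placeholder limited to a single leftmost DNS label (the placeholder semantics are my assumption, not a statement of Auth0's exact rules), beside a trailing-wildcard style check of the `example.com/*` kind the question asks about. The allow-list entries and test URLs are constructed. The strict check rejects any callback that differs from a registered URL even in its query string, which is exactly what closes the door on a token being delivered to an open-redirect endpoint that happens to live under the same domain.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example (not a real Auth0 configuration):
# one exact callback URL and one subdomain placeholder entry.
ALLOWED_CALLBACKS = [
    "https://app.example.com/callback",
    "https://*.example.com/callback",
]


def _host_matches(pattern_host: str, host: str) -> bool:
    """Exact host match, or a placeholder standing for one leftmost DNS label.

    Assumed placeholder semantics: '*.example.com' matches 'app.example.com'
    but neither 'example.com' nor 'a.b.example.com'.
    """
    if pattern_host == host:
        return True
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]          # ".example.com"
        if host.endswith(suffix):
            label = host[: -len(suffix)]   # text the placeholder stands for
            return label != "" and "." not in label
    return False


def is_allowed_callback(redirect_uri: str, allowed=ALLOWED_CALLBACKS) -> bool:
    """Strict allow-list check: every URL component must match a registered entry.

    Scheme, port, path, query and fragment are compared exactly; only the host
    may use the subdomain placeholder. Note that an explicit ':443' is treated
    as different from an entry without a port, which errs on the strict side.
    """
    r = urlsplit(redirect_uri)
    if not r.hostname:
        return False
    for entry in allowed:
        a = urlsplit(entry)
        if (
            r.scheme == a.scheme
            and r.port == a.port
            and r.path == a.path
            and r.query == a.query
            and r.fragment == a.fragment
            and _host_matches(a.hostname, r.hostname)
        ):
            return True
    return False


def is_allowed_callback_prefix(redirect_uri: str, prefix: str = "https://app.example.com/") -> bool:
    """The trailing-wildcard style check (example.com/*), shown only for contrast.

    Anything under the prefix passes, including paths and query strings the
    application never intended to receive an authentication response on.
    """
    return redirect_uri.startswith(prefix)


if __name__ == "__main__":
    for uri in (
        "https://app.example.com/callback",
        "https://staging.example.com/callback",
        "https://app.example.com/callback?next=https://other.invalid/",
        "https://app.example.com/some-other-page",
        "https://a.b.example.com/callback",
    ):
        print(f"{uri}\n  strict={is_allowed_callback(uri)}  prefix={is_allowed_callback_prefix(uri)}")
```

Running the block prints, for each constructed URL, what the strict check and the prefix check decide; the third and fourth URLs are the interesting ones, since the prefix check accepts both while the strict allow-list rejects them.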
