Hi there,
When trying to set callback URLs for a client, we encountered one limitation/question:
Auth0 does not allow a wildcard at the end of the domain, e.g. example.com/*; only the subdomain URL placeholder is supported (per this doc: Subdomain URL Placeholders).
We can only find the statement below in https://auth0.github.io/auth0-oidc-client-net/documentation/getting-started/callbacks.html:
“Since callback URLs can be manipulated, you will need to add your application’s URL to your client’s Allowed Callback URLs for security. This will enable Auth0 to recognize these URLs as valid. If omitted, authentication will not be successful.”
But can someone further clarify the security concerns about this limitation behind the scenes? Thank you!