Why Are Wildcard Subdomains Considered Insecure

Last Updated: Dec 5, 2024

Overview

This article is for admins who want to configure an application with a large number of Allowed Callback URLs and Allowed Logout URLs. Wildcard subdomains might help, but the Auth0 documentation states that they should not be used in a production environment (see this link for reference).

This article clarifies the nature of the security threat that wildcard subdomains pose to an application.

Applies To

  • Allowed Callback URLs
  • Allowed Logout URLs
  • Wildcard Subdomains

Solution

The risk is mainly around the threat of a subdomain takeover scenario.

Risks would depend on which of the configured URLs these wildcards are used on. These might be the potential consequences for each type:

  • Callback URLs could direct the resulting access/ID tokens to the wrong receiver (e.g., allowing user spoofing/impersonation).
  • Logout URLs could let users be redirected to the wrong destination after logging out (e.g., spoofing via a phishing site).
  • Origin URLs that would otherwise block sign-in requests from unlisted origins could no longer provide that protection (e.g., cookies leaked in follow-up requests).

The recommendation is that, when the list of subdomains is finite and known, you always define and maintain that list instead of using a wildcard character. Using a wildcard is like leaving the door open: one of the subdomains might not be using HTTPS, and if tokens are included because a previous request was authenticated through another subdomain app, they could easily be intercepted. In summary, balance security against the maintainability of the subdomain lists.
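The difference between the two configurations is easiest to see in the redirect-URI check itself. The following Python is an added example written for this article, not Auth0 code: it evaluates the same `redirect_uri` against a finite exact-match allowlist and against a `*.example.com` wildcard entry. The hostnames, the allowlist, and the stale `old-staging` subdomain are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the finite, known set of first-party callback URLs.
EXACT_ALLOWLIST = frozenset({
    "https://app.example.com/callback",
    "https://admin.example.com/callback",
})

# Constructed wildcard entry an admin might use instead of listing each host.
WILDCARD_SCHEME, WILDCARD_PARENT, WILDCARD_PATH = "https", "example.com", "/callback"


def _parts(url):
    """Return (scheme, hostname, path) in canonical lowercase form, or None."""
    try:
        s = urlsplit(url)
    except ValueError:
        return None
    if not s.scheme or not s.hostname:
        return None
    # urlsplit().hostname drops userinfo and port and lowercases the host,
    # so "https://app.example.com@attacker.test/" yields host "attacker.test".
    return s.scheme.lower(), s.hostname.lower(), s.path or "/"


def allowed_by_exact_list(redirect_uri, allowlist=EXACT_ALLOWLIST):
    """Exact match: the URL must equal a configured entry after canonicalization."""
    target = _parts(redirect_uri)
    return target is not None and any(_parts(entry) == target for entry in allowlist)


def allowed_by_wildcard(redirect_uri, scheme=WILDCARD_SCHEME,
                        parent=WILDCARD_PARENT, path=WILDCARD_PATH):
    """Wildcard match for '*.parent': any single label directly under parent,
    with the same scheme and path. Note that the check has no way of knowing
    whether the matched host is still under the organization's control."""
    target = _parts(redirect_uri)
    if target is None:
        return False
    t_scheme, host, t_path = target
    if t_scheme != scheme or t_path != path:
        return False
    suffix = "." + parent
    if not host.endswith(suffix):          # rejects "app.example.com.attacker.test"
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label  # exactly one label below the parent


def evaluate(redirect_uri):
    """Decide the same redirect_uri under both policies."""
    return {
        "exact": allowed_by_exact_list(redirect_uri),
        "wildcard": allowed_by_wildcard(redirect_uri),
    }


# Constructed requests for a demonstration run.
SAMPLE_REQUESTS = [
    "https://app.example.com/callback",                # known first-party host
    "https://old-staging.example.com/callback",        # stale subdomain nobody reviewed
    "http://legacy.example.com/callback",              # plain HTTP: both policies reject it
    "https://app.example.com.attacker.test/callback",  # lookalike suffix
    "https://app.example.com@attacker.test/callback",  # userinfo trick; host is attacker.test
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(f"{uri:50} {evaluate(uri)}")
```

The stale `old-staging` host is the case the article warns about: the exact list rejects it because nobody ever added it, while the wildcard accepts it simply because it sits under the parent domain, whether or not the organization still controls that DNS name. The exact list also forces every entry's scheme to be written out, which is how a plain-HTTP subdomain gets noticed at configuration time rather than after tokens have been sent to it.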