Hi,
What do I want to achieve?
I want to create review apps, so on each PR an application is spun up for our QA people to test the new version before we merge. These are deployed with a dedicated PR, linked to that deployment. To make this possible fully automated, I would need to add a wildcard to the callback URLs for the deployments domain.
What’s the problem?
When I enter a domain like the following, I get a validation error:
Example Domain: https://review-frontend-pr*.sub.example.com (the * is a placeholder for the PR number). Even using *.sub.example.com this does not work.
The Error: One or more callback URLs are invalid. (and it highlights the above Domain, so there is not a chance it means another one)
This error is pretty unexpected, because the Documentation says explicitly, that this should be possible (note: we try to use this with a dev env, so no prod env is involved):
Allowed Callback URLs: Set of URLs to which Auth0 is allowed to redirect users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically, to handle different environments like QA or testing). For production environments, verify that the URLs do not point to localhost. You can use the following placeholders in this field:
- Wildcards: Use
* for subdomains (*.google.com) Not recommended for production environments.
Source: Application Settings - Auth0 Docs
Any help or hint is very appreciated!
Kind Regards,
Nico
Ah, forgot to actually add the question..
My questions are:
- Why is my wildcard not accepted?
- What do I need to change to use a wildcard in a callback URI?
Thank you very much in advance.
Update: this issue is only reproducible with Firefox. Using Chrome it works just fine…
Have a nice day.
Hi @nico.1
Welcome to the Auth0 Community!
I understand that you are presented with the One or more callback URLs are invalid error message when trying to update your Callback URLs with wildcards.
The structure and placement of the wildcard that you are using is correct, as it follows the rules outlined in our Subdomain URL Placeholders - Auth0 Docs documentation, such as:
- The wildcard is located in the subdomain furthest from the root domain;
- It contains only one wildcard;
- It successfully utilizes prefixes (Auth0 explicitly supports formats like https://prefix-*-suffix.example.com).
It appears that you do not have to make any changes, rather the issue stems from the URL validation and hostname parsing that FireFox enforces compared to Chrome that is more lenient with URL characters in input fields, which is why it parses the * properly and saves the configuration without issues.
Our recommended solution would be to continue using Chrome ( or another Chromium-based browser) to configure and save your Allowed Callback URLs in the Auth0 Dashboard, as Auth0’s backend will handle the wildcard callbacks for your QA environments seamlessly, regardless of which browser your QA team uses to actually log in.
Hope this helped!
Gerald