Why Does Auth0 Not Allow Wildcards in an Application's Allowed Callback URL List

gabriela.pantea · September 12, 2024, 4:22pm

Overview

When configuring an application in the Auth0 dashboard, it is not possible to add a wildcard at the end of an Allowed Callback URL. For example:

https://www.example.com/*

This article clarifies what is the reasoning, from a security perspective, behind Auth0’s decision to not allow this type of URL for redirects.

Applies To

Application Configuration
redirect_uri
Callback URLs

Solution

This restriction comes down to protecting against any sort of open redirect vulnerability and ensuring authentication responses (containing tokens) are returned to trusted locations. The official OWASP site goes into more detail pertaining to specific types of attack vectors that could exploit wildcard redirects, so please see Unvalidated Redirects and Forwards Cheat Sheet.

Topic		Replies	Views
What are the security challenges why Auth0 does not allow wildcard at the end of the domain. For eg. example.com/* is not supported for allowed callback urls Help configuration , application	2	26	September 9, 2024
Can I use wildcards in redirect_uri after login? Help login-experience , new-universal-login-experience	3	615	February 20, 2024
Wildcard for callback urls Help callback	11	12248	December 21, 2022
Configure callback urls with wildcard Help	2	5002	June 12, 2020
We would like to add wildcard URL for "callbacks" and "allowed_logout_urls" Help auth0	2	2827	May 25, 2022

Why Does Auth0 Not Allow Wildcards in an Application's Allowed Callback URL List

Overview

Applies To

Solution

Related topics