Overview
When configuring an application in the Auth0 dashboard, it is not possible to add a wildcard at the end of an Allowed Callback URL. For example:
This article clarifies the security reasoning behind Auth0’s decision not to allow this type of URL for redirects.
Applies To
- Application Configuration
- redirect_uri
- Callback URLs
Solution
This restriction comes down to protecting against open redirect vulnerabilities and ensuring that authentication responses (which contain tokens) are returned only to trusted locations. Because the callback URL is compared exactly against the registered value, a trailing wildcard would let any path under that prefix become a valid destination for the token-bearing response. The official OWASP site goes into more detail about the specific attack vectors that wildcard redirects would expose, so please see the Unvalidated Redirects and Forwards Cheat Sheet.
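As an added illustration (example code written for this article, not Auth0’s implementation), the following Python compares exact-match validation of a requested redirect_uri against a registered allow-list with the trailing-wildcard matching the dashboard refuses; the host app.example.com, its /callback path and the sample URIs are all constructed.

```python
"""Exact-match vs. trailing-wildcard matching of an OAuth redirect_uri."""
from urllib.parse import urlsplit

# Constructed: the only callback this hypothetical application registered.
ALLOWED_CALLBACKS = frozenset({"https://app.example.com/callback"})


def is_allowed_exact(redirect_uri: str, allowed=ALLOWED_CALLBACKS) -> bool:
    """Accept redirect_uri only if it is character-for-character one of the
    registered callback URLs (simple string comparison, as RFC 6749
    section 3.1.2.3 requires). No normalisation, no prefix logic."""
    return redirect_uri in allowed


def is_allowed_prefix(redirect_uri: str, pattern: str) -> bool:
    """The alternative the dashboard rejects: a trailing '*' that matches
    any suffix. Included only to make the difference visible."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def check(redirect_uri: str) -> dict:
    """Summarise what each policy decides for one requested redirect_uri.
    Also records whether the URI uses HTTPS; exact matching enforces that
    implicitly because the registered value is itself HTTPS."""
    parts = urlsplit(redirect_uri)
    return {
        "exact": is_allowed_exact(redirect_uri),
        "wildcard": is_allowed_prefix(redirect_uri, "https://app.example.com/*"),
        "https": parts.scheme == "https",
    }


if __name__ == "__main__":
    # Constructed redirect_uri values an authorization request might carry.
    # Under wildcard matching, any path on the host (including one that
    # itself forwards elsewhere) becomes a valid destination for tokens.
    for uri in (
        "https://app.example.com/callback",
        "https://app.example.com/callback?state=x",
        "https://app.example.com/some/other/page",
        "http://app.example.com/callback",
    ):
        print(uri, check(uri))
```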