OAuth 2.0 authentication and redirect uri wildcards

Hello,

Is there a way to authorize all URIs of a domain (or subdomain) in the OpenID application's whitelisted redirect URIs?

Thanks in advance.

@Loic You cannot. RFC-6749 (OAuth 2.0) states that redirect URIs must be absolute:

The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] Section 4.3.

Edit: This is a security consideration, as it is outlined in the OAuth 2.0 Threat Model:

An authorization server should require all clients to register their
"redirect_uri", and the "redirect_uri" should be the full URI as
defined in [RFC6749].

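The exact-match rule the two RFC quotes above describe, written out as an added example that is not part of the forum thread or of Okta's code. The registered URIs, the preview-host pattern and the build ids are constructed sample values; the point it shows is that the "full URI" requirement means a plain string comparison against a set of absolute URIs (trailing slashes, extra query parameters, a different scheme or a relative path all fail), and that the workaround mentioned later in the thread, registering each test build's complete redirect URI through automation, keeps that comparison exact instead of introducing a wildcard.

```python
"""Exact-match redirect_uri validation per RFC 6749 section 3.1.2 and the
OAuth 2.0 Threat Model (RFC 6819). Added example, not code from the thread;
all hosts and build ids below are constructed sample values."""
import re
from urllib.parse import urlsplit

# Constructed sample registration: full, absolute URIs only (assumed example host).
REGISTERED_REDIRECT_URIS = frozenset({
    "https://app.example.com/callback",
})

# Assumed host pattern for throwaway test builds; only a restricted build id is interpolated.
PREVIEW_URI_TEMPLATE = "https://build-{build_id}.preview.example.com/callback"
BUILD_ID_RE = re.compile(r"^[a-z0-9]{1,20}$")


def is_absolute_uri(uri: str) -> bool:
    """RFC 3986 section 4.3 absolute URI: has a scheme and an authority, no fragment."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc) and parts.fragment == ""


def validate_redirect_uri(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact, case-sensitive string comparison against the registered set.

    No prefix, suffix, wildcard or pattern matching: a URI either was registered
    as a whole or it is rejected. This is the check the RFC quotes call for.
    """
    return is_absolute_uri(requested) and requested in registered


def register_build_redirect_uri(registered, build_id: str) -> frozenset:
    """The automation workaround from the thread, done without a wildcard.

    The build's complete redirect URI is derived from a known host pattern and
    added to the registered set, so the exact-match check above keeps working.
    Returns a new set; the caller pushes it to the identity provider.
    """
    if not BUILD_ID_RE.fullmatch(build_id):
        raise ValueError(f"build id {build_id!r} does not match the allowed pattern")
    uri = PREVIEW_URI_TEMPLATE.format(build_id=build_id)
    if not is_absolute_uri(uri):
        raise ValueError(f"derived URI {uri!r} is not absolute")
    return frozenset(registered | {uri})


if __name__ == "__main__":
    # Constructed requests that differ only slightly from the registered URI.
    for candidate in (
        "https://app.example.com/callback",
        "https://app.example.com/callback/",
        "https://app.example.com/callback?state=abc",
        "http://app.example.com/callback",
        "https://app.example.com/callback#token",
        "/callback",
    ):
        print(f"{validate_redirect_uri(candidate)!s:5}  {candidate}")

    registered = register_build_redirect_uri(REGISTERED_REDIRECT_URIS, "pr42")
    print(validate_redirect_uri("https://build-pr42.preview.example.com/callback", registered))
```

The build-id allow-list is the part worth keeping when adapting this: if the automation derives redirect URIs from a CI-supplied name, the name must be constrained before it is interpolated into a host, otherwise the "register the full URI" workaround quietly becomes the wildcard it was meant to avoid.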

I completely agree about the security concern, but from a testing point of view it’s a major blocker.

There are several UI workflows that deploy testing UI builds to somewhat randomly generated host names (usually fitting a known pattern). Look at Zeit now as an example.

None of these workflows work with Okta and this is a major obstacle to sharing testing builds internally.

I should add that Auth0 used to have the same stance as you, but recently they opened this behavior up, with the expected warnings, and it makes the developer workflow much more effective.

In conclusion, yes, it’s a terrible idea to do this in production, but it’s a vitally useful feature to provide in test environments. Please reconsider.

You can add those redirect URIs to the application instance in Okta with API calls. So your automation tool can handle this, though it's an inconvenience for developers, I agree.

This is true, but it’s a terrible DX.

It also complicates/breaks our automation. We use Terraform to manage all of the Okta configuration, so having random builds wanting to change the redirect_uri really breaks our workflow.