OAuth 2.0 authentication and redirect uri wildcards


#1

Hello,

Is there a way to authorize all URIs of a domain (or subdomain) in the OpenId Application whitelist redirect URI?

Thanks in advance.


#2

@Loic You cannot. RFC 6749 (OAuth 2.0) states that redirect URIs must be absolute:

The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] Section 4.3.

Edit: This is a security consideration, as it is outlined in the OAuth 2.0 Threat Model:

An authorization server should require all clients to register their
"redirect_uri", and the "redirect_uri" should be the full URI as
defined in [RFC6749].
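The following is an added example, not part of the original answer and not any product's own code. It sketches the full-URI comparison the quoted passages call for, next to a glob-style matcher for contrast. The function names, the client registration and the example.com URIs are hypothetical and constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample registration for a hypothetical client.
REGISTERED = {"https://app.example.com/oauth/callback"}


def check_registration(uri: str) -> str:
    """Accept a redirect URI at registration time only if it is absolute
    (scheme and host present, no fragment) and contains no wildcard."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError("redirect URI must be absolute")
    if "#" in uri:
        raise ValueError("redirect URI must not contain a fragment")
    if "*" in uri:
        raise ValueError("wildcards are not allowed in redirect URIs")
    return uri


def exact_match(requested: str, registered: set) -> bool:
    """Full-string comparison of the requested redirect_uri against
    the set of registered URIs; no prefix or pattern logic."""
    return requested in registered


def wildcard_match(requested: str, pattern: str) -> bool:
    """Glob-style matching, shown only for contrast with exact_match."""
    return fnmatchcase(requested, pattern)


if __name__ == "__main__":
    # Constructed requests: one registered, one on a subdomain that was
    # never registered by the client.
    registered_uri = "https://app.example.com/oauth/callback"
    other_subdomain = "https://unregistered.example.com/oauth/callback"
    pattern = "https://*.example.com/oauth/callback"

    print(exact_match(registered_uri, REGISTERED))   # registered URI
    print(exact_match(other_subdomain, REGISTERED))  # exact match rejects
    print(wildcard_match(other_subdomain, pattern))  # wildcard accepts
```

With a wildcard entry, every host under the domain becomes a valid redirect target, including ones the client never intended to register; with exact matching each callback has to be listed individually.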