Just closing the loop on this one if anyone stumbles across this, but Okta has implemented wildcards in subdomains for redirect_uris. More info in our docs here:
- If `wildcard_redirect` is `DISABLED`, all redirect URIs must be absolute URIs and must not include a fragment component. If `wildcard_redirect` is `SUBDOMAIN`, then any configured redirect URIs may contain a single `*` character in the lowest-level domain (for example, `https://redirect-*-domain.example.com/oidc/redirect`) to act as a wildcard. The wildcard subdomain must have at least one subdomain between it and the top level domain.
- The wildcard can match any valid hostname characters, but can't span more than one domain. For example, if `https://redirect-*-domain.example.com/oidc/redirect` is configured as a redirect URI, then `https://redirect-1-domain.example.com/oidc/redirect` and `https://redirect-sub-domain.example.com/oidc/redirect` match, but `https://redirect-1.sub-domain.example.com/oidc/redirect` doesn't match.
- Only the `https` URI scheme can use wildcard redirect URIs.
Caution: The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise great caution if you decide to include a wildcard redirect URI in your configuration.
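The rules quoted above can be checked mechanically. The following is an added illustration, not Okta's code or anything from the docs: a small Python validator that applies the `SUBDOMAIN` rules to a configured redirect URI (single `*`, only in the lowest-level label, https only, no fragment, wildcard never spanning a dot) and then decides whether a candidate redirect URI matches it. Two points are interpretations of the quoted text rather than facts from it: "at least one subdomain between the wildcard and the top level domain" is read as "the host must have at least three labels", and the wildcard is assumed to match at least one character. Function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Characters a single wildcard may match: valid hostname characters only, with
# no dot, so '*' can never span more than one domain label. Requiring at least
# one character ('+') is an assumption; the quoted docs do not say whether '*'
# may match an empty string.
HOST_LABEL = r"[A-Za-z0-9-]+"


def validate_wildcard_pattern(pattern: str) -> list[str]:
    """Check a configured redirect_uri against the SUBDOMAIN rules quoted above
    and return its host labels. Raises ValueError on any violation."""
    parts = urlsplit(pattern)
    if parts.scheme != "https":
        raise ValueError("only the https URI scheme may use wildcard redirect URIs")
    if parts.fragment:
        raise ValueError("redirect URIs must not include a fragment component")
    host = parts.hostname or ""
    if not host:
        raise ValueError("redirect URI must be an absolute URI with a host")
    labels = host.split(".")
    if pattern.count("*") > 1:
        raise ValueError("only a single '*' character is allowed")
    if "*" in pattern and "*" not in labels[0]:
        raise ValueError("'*' may appear only in the lowest-level domain label")
    # Interpretation: the wildcard label must not sit directly next to the TLD,
    # i.e. at least one label between them (so 'https://*.com/cb' is rejected).
    if "*" in labels[0] and len(labels) < 3:
        raise ValueError("wildcard needs at least one subdomain between it and the TLD")
    return labels


def is_valid_wildcard_pattern(pattern: str) -> bool:
    """Boolean convenience wrapper around validate_wildcard_pattern."""
    try:
        validate_wildcard_pattern(pattern)
        return True
    except ValueError:
        return False


def redirect_uri_matches(pattern: str, candidate: str) -> bool:
    """Return True if `candidate` is a redirect_uri that the configured
    `pattern` should accept: exact string match when there is no wildcard;
    otherwise https only, no fragment, same port/path/query, the same number
    of host labels, and '*' matching hostname characters within one label."""
    pattern_labels = validate_wildcard_pattern(pattern)
    if "*" not in pattern:
        return candidate == pattern  # plain absolute URI: exact match only
    cand = urlsplit(candidate)
    pat = urlsplit(pattern)
    if cand.scheme != "https" or cand.fragment:
        return False
    if (cand.port, cand.path, cand.query) != (pat.port, pat.path, pat.query):
        return False
    cand_labels = (cand.hostname or "").split(".")
    # Same label count and identical labels above the wildcard: this is what
    # stops '*' from absorbing an extra label such as 'redirect-1.sub-domain'.
    if len(cand_labels) != len(pattern_labels) or cand_labels[1:] != pattern_labels[1:]:
        return False
    first = HOST_LABEL.join(re.escape(p) for p in pattern_labels[0].split("*"))
    return re.fullmatch(first, cand_labels[0]) is not None


if __name__ == "__main__":
    # Constructed inputs taken from the examples quoted above.
    p = "https://redirect-*-domain.example.com/oidc/redirect"
    for uri in (
        "https://redirect-1-domain.example.com/oidc/redirect",
        "https://redirect-sub-domain.example.com/oidc/redirect",
        "https://redirect-1.sub-domain.example.com/oidc/redirect",
    ):
        print(uri, "->", redirect_uri_matches(p, uri))
```

Note that the matcher compares path and query exactly and rejects any candidate whose host has more labels than the pattern, which is the property that keeps a wildcard from being stretched across a domain boundary.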