Redirect URI wildcard for path variable instead of subdomain?

Hi,

I see documentation that shows how to leverage a wildcard "*" for a subdomain in my application redirect URI. For example, https://*.foo.com/bar/baz.

However, I would like to use the wildcard in place of a path variable, like this: https://subdomain.foo.com/bar/*.

When I try that, I get the following error:

400 Bad Request error that states: "Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings."

Thank you.

I don't believe it's currently possible. As you noticed, wildcards are for subdomains only.

1 Like

Right, the absolute URI, including path, must be registered as a Login redirect URI. Wildcards can ONLY be used for subdomains, as covered here:

  • If wildcard_redirect Early Access is DISABLED, all redirect URIs must be absolute URIs and must not include a fragment component. If wildcard_redirect is SUBDOMAIN, then any configured redirect URIs may contain a single * character in the lowest-level domain (for example, https://redirect-*-domain.example.com/oidc/redirect) to act as a wildcard. The wildcard subdomain must have at least one subdomain between it and the top-level domain.
  • The wildcard can match any valid hostname characters, but can't span more than one domain. For example, if https://redirect-*-domain.example.com/oidc/redirect is configured as a redirect URI, then https://redirect-1-domain.example.com/oidc/redirect and https://redirect-sub-domain.example.com/oidc/redirect match, but https://redirect-1.sub-domain.example.com/oidc/redirect doesn't match.
  • Only the https URI scheme can use wildcard redirect URIs.
    Caution: The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise great caution if you decide to include a wildcard redirect URI in your configuration.

URIs should be absolute (it's in the spec).

OAuth 2.0 Threat Model and Security Considerations

An authorization server should require all clients to register their “redirect_uri”, and the “redirect_uri” should be the full URI as defined in [RFC6749]

Certainly can be an inconvenience for development though.

2 Likes
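To make the rules quoted in the answer above concrete, here is an added example (not code from the thread, from Okta, or from any product) of how an authorization server can enforce them: a registration-time validator that rejects the poster's path wildcard (`https://subdomain.foo.com/bar/*`) and a request-time matcher that compares everything except the single subdomain wildcard label by simple string comparison, as RFC 6749 section 3.1.2.3 requires. The registered URI list, the `[a-z0-9-]+` hostname character class and the assumption that the wildcard must match at least one character are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed set of registered Login redirect URIs for a hypothetical client
# (not taken from the thread). The second one uses the only wildcard placement
# the documentation quoted above allows: a single "*" in the lowest-level label.
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/oidc/callback",
    "https://redirect-*-domain.example.com/oidc/redirect",
]

# Assumption for this example: the wildcard stands for one or more hostname
# characters inside a single label, so it can never match a "." and span domains.
HOST_LABEL_CHARS = r"[a-z0-9-]+"


class InvalidRedirectUri(ValueError):
    """A redirect URI that may not be registered under the rules quoted above."""


def validate_registration(uri: str) -> dict:
    """Check a redirect URI at registration time and return its matching rule.

    Rules implemented: absolute URI, no fragment, and a "*" only as a single
    subdomain wildcard in the lowest-level label of an https host that has at
    least one label between it and the TLD. A "*" anywhere else, such as the
    path wildcard in the original question, is rejected.
    """
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        raise InvalidRedirectUri(f"{uri!r}: redirect URI must be absolute")
    if parts.fragment:
        raise InvalidRedirectUri(f"{uri!r}: redirect URI must not contain a fragment")
    if "*" in parts.path or "*" in parts.query:
        raise InvalidRedirectUri(f"{uri!r}: wildcards are only allowed in the subdomain")

    host = parts.hostname.lower()
    rule = {"scheme": parts.scheme.lower(), "port": parts.port,
            "path": parts.path, "query": parts.query}
    if "*" not in host:
        rule["host"] = host          # exact host, compared as a string
        return rule

    if rule["scheme"] != "https":
        raise InvalidRedirectUri(f"{uri!r}: only https URIs may use a wildcard")
    labels = host.split(".")
    if host.count("*") != 1 or "*" not in labels[0]:
        raise InvalidRedirectUri(f"{uri!r}: a single '*' is allowed only in the lowest-level label")
    if len(labels) < 3:
        raise InvalidRedirectUri(f"{uri!r}: at least one subdomain is required between the wildcard and the TLD")
    head, tail = labels[0].split("*")
    # The regex only ever matches within the first label; the remaining labels
    # are escaped literals, so "redirect-1.sub-domain.example.com" cannot match.
    rule["host"] = re.compile("^" + re.escape(head) + HOST_LABEL_CHARS + re.escape(tail)
                              + re.escape("." + ".".join(labels[1:])) + "$")
    return rule


def _host_matches(rule_host, host: str) -> bool:
    if isinstance(rule_host, str):
        return rule_host == host
    return rule_host.fullmatch(host) is not None


def is_registered(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Authorize-endpoint check: does redirect_uri match a registered URI?

    Scheme, port, path and query are compared exactly, so extra path segments,
    a changed query string or a fragment never match a registered entry.
    """
    parts = urlsplit(candidate)
    if not parts.scheme or not parts.hostname or parts.fragment:
        return False
    for uri in registered:
        rule = validate_registration(uri)
        if (rule["scheme"] == parts.scheme.lower()
                and rule["port"] == parts.port
                and rule["path"] == parts.path
                and rule["query"] == parts.query
                and _host_matches(rule["host"], parts.hostname.lower())):
            return True
    return False


if __name__ == "__main__":
    for uri in ["https://redirect-1-domain.example.com/oidc/redirect",
                "https://redirect-1.sub-domain.example.com/oidc/redirect",
                "https://app.example.com/oidc/callback/extra"]:
        print(uri, "->", is_registered(uri))
    try:
        validate_registration("https://subdomain.foo.com/bar/*")
    except InvalidRedirectUri as e:
        print("rejected at registration:", e)
```

Note that the matcher re-validates each registered entry on every call only to keep the example self-contained; a real server would validate once at registration and store the compiled rule. The important property is the one the caution in the documentation points at: the wildcard never widens the match beyond one label of one host, and nothing after the host is ever matched loosely.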
