Wildcard subdomains in redirect URI (OAuth 2.0)

I am switching over a single page javascript app to use okta for authentication with sign in redirection, with the quirk that in addition to the normal domain name for the app, I deploy test builds to dynamically generated subdomains underneath the app domain.

To illustrate what I mean:

The main app domain is: https://myapp.mydomain.com/. That we can set up the okta integration for easily.

But the test build app domains are: https://<name-of-test-build>.test-builds.myapp.mydomain.com

Where the <name-of-test-build> is dynamic and unique for each new test build. This allows us to get multiple test builds online in parallel.

Ideally, in order to authenticate our test build apps, we could add an okta app integration which uses a wildcard login redirect uri, ex: https://*.test-builds.myapp.mydomain.com. However, I am confused as to whether this is possible, since I found the following somewhat conflicting information:

https://support.okta.com/help/s/article/Is-wildcard-URL-s-configurable-in-the-Developer-Admin-console?language=en_US

https://developer.okta.com/docs/release-notes/2021/#wildcards-for-oauth-redirect-subdomains

The former help article confirms what I found out by actually trying to enter a wildcard domain in the GUI using *: it doesn’t work. The latter release notes seem to indicate that this is possible if I have early access and if I use the App API rather than the Okta admin dashboard to set it up. However, it is unclear if the wildcard will only match a single character, or if the wildcard can match multiple characters, for example the entire subdomain name.

To boil down my question:

  1. Will the wildcarded domains entered through the app api with early access be the right thing for my use case?
  2. Is there any other way that is recommended to handle this sort of situation?

Here is a post about the same issue from before wildcard redirect domains were added to the App API.

That thread is ancient now though, and no satisfying answers came out of it.

The support article predates the EA release of the Wildcards for OAuth redirect subdomains feature. It is correct that you cannot configure wildcard subdomains in the Okta admin dashboard. However, if you have enabled the EA feature (Wildcards for OAuth redirect subdomains) then you can configure the redirect_uri with wildcards using the API.

The wildcard can match multiple characters. I believe it should work for your use case.

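Added example, not code from the thread above and not Okta's implementation: a strict matcher showing what a wildcard login redirect URI such as https://*.test-builds.myapp.mydomain.com/ should and should not match before an authorization server (or your own review of its configuration) trusts it. A redirect URI is where authorization codes land, so the wildcard must stay narrow. Everything below is assumed for illustration: the `*` may only be the entire leftmost host label and matches exactly one DNS label (so it can match the whole test-build name, but not `a.b.test-builds…` or a host in another domain); scheme, remaining labels, port and path must match exactly; userinfo, query and fragment are refused; and the "at least three fixed labels" rule that rejects apex-wide patterns like `*.mydomain.com` is a local policy choice, not a public-suffix check. The hostnames are the ones from the question.

```javascript
// Added example: strict matching of wildcard redirect URIs (assumed semantics,
// not Okta's documented behaviour). Runs under Node with no dependencies.

// The patterns one would register on the app (hypothetical list, hostnames
// taken from the question).
const REGISTERED_REDIRECT_URIS = [
  "https://myapp.mydomain.com/",
  "https://*.test-builds.myapp.mydomain.com/",
];

// One DNS label: letters, digits and inner hyphens, 1-63 characters.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Parse a registered pattern ourselves so "*" never goes through the URL parser.
function parsePattern(pattern) {
  const m = /^https:\/\/([^/:?#]+)(\/[^?#]*)?$/.exec(pattern);
  if (!m) throw new Error(`unsupported redirect pattern: ${pattern}`);
  const labels = m[1].toLowerCase().split(".");
  const wildcard = labels[0] === "*";
  const fixed = wildcard ? labels.slice(1) : labels;
  // Assumed policy: refuse apex-wide patterns such as *.mydomain.com, which
  // would let any host under the registrable domain receive authorization codes.
  if (wildcard && fixed.length < 3) {
    throw new Error(`wildcard pattern too broad: ${pattern}`);
  }
  // Every fixed label must be a plain label (this also rejects a second "*").
  if (fixed.some((l) => !LABEL.test(l))) {
    throw new Error(`invalid host label in pattern: ${pattern}`);
  }
  return { wildcard, fixed, path: m[2] || "/" };
}

function hostMatches(labels, { wildcard, fixed }) {
  if (!wildcard) {
    return labels.length === fixed.length && labels.every((l, i) => l === fixed[i]);
  }
  // Exactly one extra label on the left, and it must itself be a valid label.
  if (labels.length !== fixed.length + 1 || !LABEL.test(labels[0])) return false;
  return fixed.every((l, i) => l === labels[i + 1]);
}

// Returns true only if redirectUri matches one registered pattern exactly
// (apart from the single wildcard label).
function isAllowedRedirect(redirectUri, registered = REGISTERED_REDIRECT_URIS) {
  let url;
  try {
    url = new URL(redirectUri);
  } catch {
    return false; // unparseable input is never a valid redirect target
  }
  // URL parsing lowercases the hostname and drops an explicit default port (443).
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (url.port !== "" || url.search !== "" || url.hash !== "") return false;
  const labels = url.hostname.split(".");
  return registered
    .map((p) => parsePattern(p))
    .some((p) => hostMatches(labels, p) && url.pathname === p.path);
}

// Quick demonstration when run directly.
for (const uri of [
  "https://pr-123.test-builds.myapp.mydomain.com/",
  "https://a.b.test-builds.myapp.mydomain.com/",
  "https://pr-123.test-builds.myapp.mydomain.com.attacker.example/",
]) {
  console.log(isAllowedRedirect(uri) ? "allow " : "reject", uri);
}
```

The point of the strictness is that `https://<name-of-test-build>.test-builds.myapp.mydomain.com` is accepted for any build name, while hosts that merely start with or contain the registered suffix, extra subdomain levels, http, a different path, or a query string are all refused; any of those, if accepted, would turn the wildcard into an open redirect for authorization codes.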