Status Will not implement
Created by Guest
Created on Apr 14, 2021

Allow for wildcards in app redirect URIs

When testing our app, sometimes we'll use a redirect URI that appends a canary branch. For example, if we have the redirect URI https://ourservice we may have a test branch URI of https://ourservice/branch/bugfix-1 or https://ourservice/branch/bugfix-2. Instead of having to go into the console and specify each redirect URI, it'd be nice to have a wildcard, for instance https://ourservice/branch/*.

  • Admin
    Byrne Reese
    Oct 18, 2021

    We recognize the utility of this feature; however, IETF specifically recommends against this approach.

    For example, OAuth 2.1 (still in draft) says (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-2.3.2):

    "Authorization servers MUST require clients to register their complete
    redirect URI (including the path component) and reject authorization
    requests that specify a redirect URI that doesn't exactly match one
    that was registered; the exception is loopback redirects, where an
    exact match is required except for the port URI component."

    And https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-18#section-2.1

    "When comparing client redirect URIs against pre-registered URIs,
    authorization servers MUST utilize exact string matching except for
    port numbers in "localhost" redirection URIs of native apps, see
    Section 4.1.3. This measure contributes to the prevention of leakage
    of authorization codes and access tokens (see Section 4.1). It can
    also help to detect mix-up attacks (see Section 4.4)."
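    As an added illustration (example code written for this page, not code from the original post or from the product's authorization server), the following Python shows what the exact-match rule quoted above looks like when enforced: each redirect URI must be registered verbatim, wildcards are refused at registration time, and the only relaxation is the port number on loopback redirect URIs. The client id `client-abc`, the registered URIs, and the choice to grant the port exception only to the loopback IP literals `127.0.0.1` and `::1` (not the hostname `localhost`) are assumptions of this example.

    ```python
    from urllib.parse import urlsplit

    # Constructed registry for a hypothetical client (not taken from the page).
    # Every redirect URI is stored exactly as it must later be presented.
    REGISTERED = {
        "client-abc": [
            "https://ourservice/branch/bugfix-1",
            "https://ourservice/branch/bugfix-2",
            "http://127.0.0.1:8080/callback",  # native-app loopback redirect
        ],
    }

    # Assumption of this example: only IP-literal loopback hosts get the
    # "any port" exception; the name "localhost" is deliberately excluded.
    LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


    def validate_redirect_uri(uri):
        """Return None if `uri` may be registered, otherwise a reason string.

        Registration is the place to refuse patterns: a wildcard stored here
        would silently turn exact matching into prefix matching later.
        """
        if "*" in uri:
            return "wildcards are not allowed; register each redirect URI exactly"
        parts = urlsplit(uri)
        if not parts.scheme or not parts.netloc:
            return "redirect URI must be absolute (scheme and host required)"
        if "#" in uri:
            return "redirect URI must not contain a fragment component"
        return None


    def register_redirect_uri(registry, client_id, uri):
        """Add `uri` to the client's allow-list, or raise ValueError."""
        problem = validate_redirect_uri(uri)
        if problem is not None:
            raise ValueError(problem)
        registry.setdefault(client_id, []).append(uri)


    def is_loopback(uri):
        """True for http://127.0.0.1... or http://[::1]... redirect URIs."""
        parts = urlsplit(uri)
        return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


    def _without_port(uri):
        """Rebuild `uri` with the port dropped, so only the port may differ."""
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if ":" in host:  # IPv6 literal must keep its brackets
            host = "[" + host + "]"
        return parts._replace(netloc=host).geturl()


    def redirect_uri_allowed(client_id, requested, registry=REGISTERED):
        """Decide whether an authorization request's redirect_uri is acceptable.

        1. Exact string match against the registered list (the normal case).
        2. For loopback URIs only, compare with the port removed from both
           sides; scheme, host, path and query must still match exactly.
        """
        registered = registry.get(client_id, [])
        if requested in registered:
            return True
        if is_loopback(requested):
            wanted = _without_port(requested)
            for candidate in registered:
                if is_loopback(candidate) and _without_port(candidate) == wanted:
                    return True
        return False


    if __name__ == "__main__":
        checks = [
            "https://ourservice/branch/bugfix-1",    # registered: allowed
            "https://ourservice/branch/bugfix-3",    # not registered: rejected
            "https://ourservice/branch/bugfix-1?x=1",  # extra query: rejected
            "http://127.0.0.1:51234/callback",       # loopback, new port: allowed
            "http://localhost:8080/callback",        # by assumption: rejected
        ]
        for uri in checks:
            print(f"{uri!s:45} -> {redirect_uri_allowed('client-abc', uri)}")
        print(validate_redirect_uri("https://ourservice/branch/*"))
    ```

    The branch URIs from the request at the top of this page would each be registered individually through `register_redirect_uri`; a request carrying an unregistered branch path, an added query string, or a trailing slash is rejected, because the comparison is a plain string equality rather than a prefix or pattern match.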
  • Guest
    Apr 15, 2021

    I really like the idea, btw.

    I'd add a branch name variable, site location/IP identifier within your code as a tag to automatically load the proper console. (If name=Houston, then load /houston-branch/*.)

  • Guest
    Apr 15, 2021

    Good idea. What if this change happened within your code by adding a drop down to choose between the wildcards?