Allow for wildcards in app redirect URIs

When testing our app, sometimes we'll use a redirect URI that appends a canary branch. For example, if we have the redirect URI https://ourservice we may have a test branch URI of https://ourservice/branch/bugfix-1 or https://ourservice/branch/bugfix-2. Instead of having to go into the console and specify each redirect URI, it'd be nice to have a wildcard, for instance https://ourservice/branch/*.

Post comment
Admin

Byrne Reese

Oct 18, 2021

We recognize the utility of this feature, however, IETF specifically recommends against this approach
For example OAuth 2.1 (still in draft says (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-2.3.2):
"Authorization servers MUST require clients to register their complete
redirect URI (including the path component) and reject authorization
requests that specify a redirect URI that doesn't exactly match one
that was registered; the exception is loopback redirects, where an
exact match is required except for the port URI component."
And https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-18#section-2.1
"When comparing client redirect URIs against pre-registered URIs,
authorization servers MUST utilize exact string matching except for
port numbers in "localhost" redirection URIs of native apps, see
Section 4.1.3. This measure contributes to the prevention of leakage
of authorization codes and access tokens (see Section 4.1). It can
also help to detect mix-up attacks (see Section 4.4)."
Guest

Apr 15, 2021

I really like the idea, btw.
I'd add a branch name variable, site location/IP identifier within your code as a tag to automatically load the proper console. (If name=Houston, then load /houston-branch/*.)
Guest

Apr 15, 2021

Good idea. What if this change happened within your code by adding a drop down to choose between the wildcards?

RELATED IDEAS