Wildcard domains do not seem to work. Is specifying the port messing it up?

I’m trying to avoid maintaining per-brand callback URLs in Auth0 for a whitelabel app.

We use domains like {brand}.example.com, {brand}.stage.example.com, and locally {brand}.localhost:3000.

Auth0’s docs say wildcard subdomains are allowed in Allowed Callback URLs, for example https://*.example.com, as long as the wildcard is in the leftmost subdomain. Based on that, http://*.localhost:3000/auth/callback appears like it should allow http://mybrand.localhost:3000/auth/callback.

But in practice Auth0 is rejecting that callback, even though the docs seem to allow it.

Is .localhost or .localhost:3000 treated differently from normal domains for wildcard callback matching, or is there another limitation here that isn’t obvious from the docs?

I might add, the wildcard works fine for non-loopback domains. Doing https://*.stage.example.com/auth/callback works fine for different subdomains.

Hi @carl.erik.kopseng

Welcome to the Auth0 Community!

The behaviour that you are seeing is expected, as localhost is treated as a top-level domain and the callback fails since the wildcard must be located in a subdomain within the hostname component. This is also mentioned in the following topic: Wildcards for subdomain callbacks not working, and what you are seeing on your end falls under the expected outcome.

In addition, ports in the callback URLs that use wildcards are not allowed, as these would need to be explicitly specified. While adding a list of callback URLs (due to their ports) can be inconvenient, this method is the most secure way of achieving your goal.

We warmly recommend submitting a Feature Request on this matter where other users can vote on it. As the page is monitored by our Product team, more popular suggestions can create interest and further drive the development.

Hope this helped!
Gerald
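
The rules stated in the reply above, as an added example that is not part of the original thread and not Auth0's own code: a pre-flight check for Allowed Callback URL entries, plus a generator for the explicit per-brand localhost URLs. The function names, the finding strings and the "fewer than three labels" test for a top-level label are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a brand must be a single lowercase DNS label.
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def lint_callback_entry(entry):
    """Return findings for a wildcard entry, per the rules stated in this thread."""
    parts = urlsplit(entry)
    labels = (parts.hostname or "").split(".")
    if not any("*" in label for label in labels):
        return []  # explicit URL: the wildcard rules do not apply
    findings = []
    if "*" not in labels[0] or any("*" in label for label in labels[1:]):
        findings.append("wildcard is not in the leftmost label")
    # Simplification: anything with fewer than three labels ("*.localhost")
    # puts the wildcard directly under a top-level label.
    if len(labels) < 3:
        findings.append("wildcard sits directly under a top-level label")
    if parts.port is not None:
        findings.append("wildcard entry carries an explicit port")
    return findings


def expand_for_brands(entry, brands):
    """Build the explicit per-brand URLs to register instead of a wildcard."""
    urls = []
    for brand in brands:
        if not LABEL.fullmatch(brand):
            raise ValueError(f"not a single DNS label: {brand!r}")
        urls.append(entry.replace("*", brand, 1))
    return urls


if __name__ == "__main__":
    # Entries taken from the thread; "otherbrand" is a constructed brand name.
    for entry in ("https://*.stage.example.com/auth/callback",
                  "http://*.localhost:3000/auth/callback"):
        print(entry, "->", lint_callback_entry(entry) or "no findings")
    for url in expand_for_brands("http://*.localhost:3000/auth/callback",
                                 ["mybrand", "otherbrand"]):
        print("register:", url)
```

Validating each brand as a single DNS label keeps a malformed brand value from turning a generated entry into a callback on a different host.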