This article provides information on the wildcard redirect URIs supported for OpenID Connect (OIDC) applications.
- OpenID Connect (OIDC) applications
- Sign-in Redirect URIs
- Wildcards
- Okta Classic Engine
- Okta Identity Engine (OIE)
Okta supports wildcards in Sign-in Redirect URIs, but they must be explicitly enabled for a given application, either via the API (the wildcard_redirect setting) or in the Okta Admin Console under Application > General Settings > Login.
When wildcard_redirect is disabled, all redirect URIs must be absolute URIs and must not include a fragment component.
If wildcard_redirect is set to subdomain, then any configured redirect URIs may contain a single * character in the lowest-level domain (for example, https://redirect-*-domain.example.com/oidc/redirect) to act as a wildcard. The wildcard subdomain must have at least one subdomain between it and the top-level domain.
The wildcard can match valid hostname characters, but cannot span more than one domain.
For example, if https://redirect-*-domain.example.com/oidc/redirect is configured as a redirect URI, then https://redirect-1-domain.example.com/oidc/redirect and https://redirect-sub-domain.example.com/oidc/redirect match, but https://redirect-1.sub-domain.example.com/oidc/redirect does not match.
Important limitations and considerations:
- Wildcards are only supported when using HTTP/HTTPS URI schemes.
- Wildcards can only be used for subdomains (for example, https://redirect-*-domain.example.com).
- Wildcards cannot be used in the folder path. For example, https://redirect.domain.example.com/*/redirect is not supported.
- Wildcards cannot be used for a port number. For example, https://redirect.domain.example.com:* is not supported.
- Wildcards are not supported for Logout Redirect URIs.
- Exercise caution when using wildcard subdomains, as it is considered an insecure practice and may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages.
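As an added illustration (not Okta's own code, but a simplified reimplementation of the matching rules and limitations stated above, of the kind you might put in a config linter or test suite), the following Python validates a configured redirect URI against those constraints and matches candidate redirect URIs against it. It assumes that "valid hostname characters" means letters, digits and hyphens, and does not attempt IPv6 or IDN handling.

```python
import re
from urllib.parse import urlsplit

# One DNS label: valid hostname characters and no '.', so the single wildcard
# can never span more than one domain level.
LABEL = r"[A-Za-z0-9-]+"


def validate_redirect_uri(uri: str) -> None:
    """Raise ValueError unless `uri` follows the wildcard rules in the article:
    absolute, no fragment, and a lone '*' only in the lowest-level label of an
    http/https host that keeps at least one subdomain between it and the TLD."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError("redirect URIs must be absolute")
    if parts.fragment:
        raise ValueError("redirect URIs must not include a fragment")
    if "*" not in uri:
        return  # no wildcard: the general rules above are all that apply
    if parts.scheme not in ("http", "https"):
        raise ValueError("wildcards are only supported for http/https URIs")
    # Split host and port by hand: urlsplit().port would reject ':*' itself.
    host, _, port = parts.netloc.partition(":")
    if "*" in port:
        raise ValueError("wildcards cannot be used for a port number")
    if "*" in parts.path:
        raise ValueError("wildcards cannot be used in the folder path")
    labels = host.split(".")
    if host.count("*") != 1 or "*" not in labels[0]:
        raise ValueError("only one '*' is allowed, in the lowest-level domain")
    if len(labels) < 3:
        raise ValueError("the wildcard label needs a subdomain before the TLD")


def is_valid_redirect_uri(uri: str) -> bool:
    """Boolean form of validate_redirect_uri() for allow-list checks."""
    try:
        validate_redirect_uri(uri)
        return True
    except ValueError:
        return False


def redirect_matches(configured: str, candidate: str) -> bool:
    """True when `candidate` equals `configured`, with the single '*' matching
    exactly one run of hostname characters (never a '.', port or path)."""
    validate_redirect_uri(configured)
    pattern = re.escape(configured).replace(r"\*", LABEL)  # re.escape turns * into \*
    return re.fullmatch(pattern, candidate) is not None
```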
