Redirects
Redirects are registered endpoints in Scalekit that control where users are directed during authentication flows. You must configure these endpoints in the Scalekit dashboard before they can be used.
Understanding redirect types
Scalekit uses four types of redirect endpoints, each serving a specific purpose in the authentication flow:
Allowed callback URLs
Purpose: Where users are sent after successful authentication to exchange authorization codes and retrieve profile information.
Example scenario: A user completes sign-in and Scalekit redirects them to https://yourapp.com/callback where your application processes the authentication response.
Initiate login URL
Purpose: Where users are redirected to start the authentication process when they need to sign in.
Example scenario: When a user’s session expires or they access a protected resource, they’re redirected to https://yourapp.com/login which then redirects to Scalekit’s authentication endpoint.
Post logout URL
Purpose: Where users are sent after successfully signing out of your application.
Example scenario: After logging out, users are redirected to https://yourapp.com/goodbye to confirm their session has ended.
Back channel logout URL
Purpose: A secure endpoint that receives notifications when an administrator logs out a user, commonly used in Enterprise SSO scenarios.
Example scenario: An IT administrator removes a user from their organization’s identity provider, and Scalekit sends a logout notification to https://yourapp.com/api/logout to terminate the user’s session.
Configure redirect URLs
To configure your redirect URIs:
- Navigate to Authentication settings in your Scalekit dashboard
- Add your URIs following the validation rules below
- Save your configuration
URI validation rules
Your redirect URIs must meet specific requirements that vary between development and production environments:
Environment-specific requirements
Validation rule | Development environment | Production environment |
---|---|---|
Supported schemes | http, https | https |
localhost usage | Allowed | Not allowed |
Wildcard support (*) | Allowed | Not allowed |
Maximum URI length | 256 characters | 256 characters |
Query parameters (for example, yourapp.com/callback?query=value) | Not allowed | Not allowed |
Fragment components | Not allowed | Not allowed |
Use wildcards for development
Wildcards can simplify testing in development environments, but they must follow specific patterns:
Validation rule | Invalid | Valid |
---|---|---|
Wildcards cannot be used as root-level domains | https://*.com | https://*.acmecorp.com, https://auth-*.acmecorp.com |
Only one wildcard character is allowed per URI | https://*.*.acmecorp.com | https://*.acmecorp.com |
Wildcards must be in the hostname component only | https://acmecorp.*.com | https://*.acmecorp.com |
Wildcards must be in the outermost subdomain | https://auth.*.acmecorp.com | https://*.auth.acmecorp.com |
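The environment-specific rules and the wildcard rules above can be checked locally before a URI is registered in the dashboard. The following is an added example, not Scalekit's own validation code; the function name `check_redirect_uri`, the `env` values, and the reading of "root-level" as "fewer than two labels after the wildcard label" are assumptions.

```python
from urllib.parse import urlsplit

MAX_LEN = 256  # "Maximum URI length" row of the table above

def check_redirect_uri(uri, env="production"):
    """Return the list of rules the URI breaks; an empty list means it passes."""
    dev = env == "development"
    errors = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()

    if len(uri) > MAX_LEN:
        errors.append("longer than 256 characters")
    allowed = ("http", "https") if dev else ("https",)
    if parts.scheme not in allowed:
        errors.append(f"scheme must be one of {allowed}")
    if not host:
        errors.append("missing hostname")
    if host == "localhost" and not dev:
        errors.append("localhost is not allowed in production")
    # Check the raw string so an empty "?" or "#" is also caught.
    if "?" in uri:
        errors.append("query parameters are not allowed")
    if "#" in uri:
        errors.append("fragment components are not allowed")

    stars = uri.count("*")
    if stars and not dev:
        errors.append("wildcards are not allowed in production")
    if stars > 1:
        errors.append("only one wildcard character is allowed")
    if stars and "*" not in host:
        errors.append("wildcard must be in the hostname")
    elif stars:
        labels = host.split(".")
        if "*" not in labels[0]:
            errors.append("wildcard must be in the outermost subdomain")
        # Assumption: "root-level" means fewer than two labels follow the wildcard label.
        elif len(labels) < 3:
            errors.append("wildcard cannot be a root-level domain")
    return errors

if __name__ == "__main__":
    # Sample URIs taken from the wildcard table, checked as a development environment.
    for uri in ("https://*.com", "https://auth-*.acmecorp.com", "https://auth.*.acmecorp.com"):
        print(uri, check_redirect_uri(uri, "development") or "ok")
```

Multi-label public suffixes such as `co.uk` are not handled by the root-level check, so treat a pass here as a pre-check and the dashboard's validation as authoritative.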