Redirect URI
A redirect URI is the endpoint to which Scalekit sends users after they have authenticated with the identity provider (IdP). In the Scalekit dashboard, you can configure up to 5 redirect URIs per environment.
Because a party that can influence the redirect URI could receive the authentication response meant for your application, Scalekit requires every redirect URI used in a login flow to be registered in advance. Registration is done in the Scalekit dashboard, and redirect URIs that are not registered are rejected.
Validation rules
Redirect URIs configured in the Scalekit dashboard must satisfy the following validation rules:

Validation rule | Development environment | Production environment |
---|---|---|
Schemes supported | `http`, `https` | `https` |
`localhost` | Allowed | Not allowed |
Wildcard support (`*`) | Allowed | Not allowed |
Max URI length | 256 characters | 256 characters |
Query parameters (e.g. `yourapp.com/callback?query=value`) | Not allowed | Not allowed |
Fragment component | Not allowed | Not allowed |
Using wildcards in redirect URIs
According to the OAuth 2.0 specification, a redirection URI must be an absolute URI. To make development and testing easier, this restriction is slightly relaxed in development environments.
In development, wildcards can simplify testing across many hostnames. However, they must follow these rules:
Validation rule | Examples |
---|---|
Wildcard characters are not allowed as a root-level domain | `https://*.com`, `https://*.acmecorp.com`, `https://auth-*.acmecorp.com` |
A redirect URI can have only one wildcard character | `https://*.*.acmecorp.com`, `https://*.acmecorp.com` |
Wildcard character must be located in a subdomain within the hostname component | `https://acmecorp.*.com`, `https://*.acmecorp.com` |
Wildcard must be part of the subdomain that is farthest from the hostname component | `https://auth.*.acmecorp.com`, `https://*.auth.acmecorp.com` |
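The following validator is an added example, not Scalekit's own code, that turns both tables above (the per-environment rules and the wildcard rules) into checks you can run on a candidate redirect URI before registering it, so you can see exactly which rule a URI violates. The function name, the environment strings and the error messages are this example's own; the rules are taken literally from the tables, and `localhost` is matched as that exact hostname because the table names no other loopback form.

```python
"""Redirect URI validator built from the two rule tables above (added example)."""
from urllib.parse import urlsplit

MAX_URI_LENGTH = 256  # "Max URI length" row, both environments


def _wildcard_violations(host: str) -> list[str]:
    """Apply the wildcard rules to a hostname that contains at least one '*'."""
    errors: list[str] = []
    if host.count("*") > 1:
        errors.append("only one wildcard character is allowed")
    labels = host.split(".")
    # A wildcard in either of the last two labels (e.g. "*.com", "acmecorp.*.com")
    # sits in the root-level domain rather than in a subdomain.
    star_labels = [i for i, label in enumerate(labels) if "*" in label]
    if any(i >= len(labels) - 2 for i in star_labels):
        errors.append("wildcard is not allowed in the root-level domain; it must be in a subdomain")
    # The wildcard must be in the leftmost label, i.e. the subdomain farthest from the root domain
    # ("auth.*.acmecorp.com" is rejected, "*.auth.acmecorp.com" is accepted).
    if any(i != 0 for i in star_labels):
        errors.append("wildcard must be in the subdomain farthest from the root domain (the leftmost label)")
    return errors


def validate_redirect_uri(uri: str, environment: str) -> list[str]:
    """Return the list of violated rules; an empty list means the URI is acceptable.

    environment is "development" or "production" (names chosen for this example).
    """
    if environment not in ("development", "production"):
        raise ValueError("environment must be 'development' or 'production'")
    production = environment == "production"
    errors: list[str] = []

    if len(uri) > MAX_URI_LENGTH:
        errors.append(f"exceeds the maximum length of {MAX_URI_LENGTH} characters")

    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        # OAuth 2.0 requires an absolute URI; nothing else can be checked without a host.
        errors.append("must be an absolute URI with a scheme and host")
        return errors

    allowed_schemes = {"https"} if production else {"http", "https"}
    if parts.scheme.lower() not in allowed_schemes:
        errors.append(f"scheme '{parts.scheme}' is not allowed in {environment}")

    # Query and fragment are rejected in both environments, even when empty ("...?", "...#").
    if parts.query or "?" in uri:
        errors.append("query parameters are not allowed")
    if parts.fragment or "#" in uri:
        errors.append("fragment component is not allowed")

    host = parts.hostname or ""
    if production and host == "localhost":
        errors.append("localhost is not allowed in production")

    if "*" in host:
        if production:
            errors.append("wildcards are not allowed in production")
        # The structural wildcard rules are reported in every environment so a
        # development URI that would never be valid is caught early.
        errors.extend(_wildcard_violations(host))

    return errors


if __name__ == "__main__":
    # Constructed sample inputs; the wildcard ones come from the table above.
    for env, candidate in [
        ("production", "https://app.acmecorp.com/callback"),
        ("development", "http://localhost:3000/callback"),
        ("production", "http://localhost:3000/callback"),
        ("development", "https://*.acmecorp.com/callback"),
        ("development", "https://auth.*.acmecorp.com/callback"),
        ("production", "https://app.acmecorp.com/callback?query=value"),
    ]:
        result = validate_redirect_uri(candidate, env)
        print(f"[{env}] {candidate}: {'OK' if not result else '; '.join(result)}")
```

Running the script prints one line per sample URI with either `OK` or the list of violated rules, which is the same information the dashboard would reject on, but available before you submit the configuration.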