Redirect URI

A redirect URI is an endpoint where Scalekit redirects users post-authentication with the identity provider (IdP). In the Scalekit dashboard, you can configure up to 5 redirect URIs per environment.

Since redirect URIs can be manipulated by unauthorized parties, Scalekit requires pre-registration of all redirect URIs used in login flows. Registration can be done in the Scalekit dashboard.

info

IdP-initiated SAML SSO flow: Scalekit uses your configured default redirect URI to redirect users. Learn more about handling IdP-initiated SSO flows.

Validation rules

Redirect URIs that are configured in the Scalekit dashboard must adhere to specific validation rules for security:

Validation rule	Development environment	Production environment
Schemes supported	http https	https
localhost	Allowed	Not allowed
Wildcard support (*)	Allowed See below for full details about wildcard character support	Not allowed
Max URI length	256 characters	256 characters
Query parameters https://your-domain.com/callback?query=value	Not allowed	Not allowed
Fragment component https://your-domain.com/callback#fragment=value	Not allowed	Not allowed

Wildcard character (*) in redirect URIs

According to the OAuth 2.0 specification (section 3.1.2 of RFC 6749), a redirection URI must be an absolute URI. But, to make development and testing easier - this restriction is slightly relaxed in the development environments.

For development, wildcards can simplify testing. However, they must follow these rules:

Validation rule	Example
Wildcard characters are not allowed as a root-level domain	https://*.com https://*.acmecorp.com https://auth-*.acmecorp.com
A redirect URI can have only one wildcard character	https://*.*.acmecorp.com https://*.acmecorp.com
Wildcard character must be located in a subdomain within the hostname component	https://acmecorp.*.com https://*.acmecorp.com
Wildcard must be part of the subdomain that is farthest from the hostname component	https://auth.*.acmecorp.com https://*.auth.acmecorp.com