Redirect URI

A Redirect URI is an endpoint where Scalekit redirects users post-authentication with the Identity Provider (IdP). In the Scalekit dashboard, you can configure up to 5 redirect URIs per environment.

Since Redirect URIs can be manipulated by unauthorized parties, Scalekit requires pre-registration of all redirect URIs used in login flows. Registration can be done in the Scalekit dashboard.

info

IdP-initiated SAML SSO Flow: Scalekit uses your configured default Redirect URI to redirect users. Learn more about handling IdP-initiated SSO flows.

Validation Rules

Redirect URIs that are configured in the Scalekit dashboard must adhere to specific validation rules for security:

Validation Rule	Development Environment	Production Environment
Schemes Supported	http https	https
localhost	Allowed	Not Allowed
Wildcard support (*)	Allowed See below for full details about wildcard character support	Not Allowed
Max URI Length	256 characters	256 characters
Query Parameters https://your-domain.com/callback?query=value	Not Allowed	Not Allowed
Fragment Component https://your-domain.com/callback#fragment=value	Not Allowed	Not Allowed

Wildcard Character (*) in Redirect URIs

According to the OAuth 2.0 specification (section 3.1.2 of RFC 6749), a redirection URI must be an absolute URI. But, to make development and testing easier - this restriction is slightly relaxed in the DEVELOPMENT environments.

For development, wildcards can simplify testing. However, they must follow these rules:

Validation Rule	Example
Wildcard Characters are not allowed as a root-level domain	https://*.com https://*.acmecorp.com https://auth-*.acmecorp.com
A redirect URI can have only one wildcard character	https://*.*.acmecorp.com https://*.acmecorp.com
Wildcard character must be located in a subdomain within the hostname component	https://acmecorp.*.com https://*.acmecorp.com
Wildcard must be part of the subdomain that is farthest from the hostname component	https://auth.*.acmecorp.com https://*.auth.acmecorp.com