Configure variable callback URI in Okta
I'm trying to configure a new Okta application with a callback URL that will depend on the tenant's subdomain. Meaning I need the same Okta app to accept redirection (using the redirect_uri parameter) to https://0001.my.domain.com/oauth2/callback, https://0002.my.domain.com/oauth2/callback and so on. Notice the 0001 and 0002 subdomains. This may seem strange, but it's for demo purposes. The point is to avoid having to set up a different Okta app per tenant.
Okta's own docs on the subject read:
Does your Initiate Login URI vary by tenant? — If Yes, enter which part of the Initiate Login URI is customizable. For example, the
subdomaininhttps://<subdomain>.example.com/signin/.
However, when I try to do this I run into an error complaining that:
The redirect URIs must be absolute URIs.
Maybe I'm just reading this wrong, but I take it to mean that variables/placeholders are supported.
I've searched the rest of the Okta docs but found no additional information on the subject.
If Okta let you do this, it would not be OAuth 2.0 compliant.
See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-16#section-2.1:
When comparing client redirect URIs against pre-registered URIs, authorization servers MUST utilize exact string matching except for port numbers in "localhost" redirection URIs of native apps.
- Getting refresh token for gmail API with Spring Security
- Creating firebase user with authentication information from Salesforce
- Where to store the refresh token on the Client?
- AuthorizedClientServiceOAuth2AuthorizedClientManager: accessToken cannot be null
- How do I add audience validation using Spring OAuth without needing the issuer?
- Ruby & IMAP - Accessing Office 365 with Oauth 2.0
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- Swift Discord OAuth2 redirect URi not supported by Client
- Apim policy to validat token for b2b and as well as b2c tenant token endpoints
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Google APIs Console - missing client secret
- Automating access token refreshing via interceptors in axios
- Supabase does not append code parameter to the redirect URL after OAuth login
- How/why is login page redirect required?
- Where can I find a list of scopes for Google's OAuth 2.0 API?
- Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
- Spring security JWT without OAuth
- Add OAuth authentication for HTTP request triggers
- Get email, phone, etc from OAuth2 login
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Apache strips down "Authorization" header
- Fake Firebase Auth Tokens for Test Environment
- Access Not Configured for Google OAUTH Login
- Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA
- Getting user data through an Azure AD OAuth login - React Native Expo App
- Callback github URI with Oauth2 and Spring Boot 3.4.0 not found after authentication
- spring oauth client (v6.4.2): does not redirect to oauth-server
- NextJs: server component vs server action
- Why Does OAuth v2 Have Both Access and Refresh Tokens?