Why Are Wildcard Subdomains Considered Insecure

Overview

This article is for administrators who want to configure an application with a large number of Allowed Callback URLs and Allowed Logout URLs. Wildcard subdomains might help, but the Auth0 documentation states they should not be used in a production environment (see this link for reference).

This article clarifies the nature of the security threat that wildcard subdomains can pose to an application.


Applies To

  • Allowed Callback URLs
  • Allowed Logout URLs
  • Wildcard Subdomains

Solution

The risk is mainly around the threat of a subdomain takeover scenario.


The risk depends on which of the configured URL lists the wildcard is used in. These are the potential consequences for each type:

  • Callback URLs: the resulting access and ID tokens could be delivered to the wrong receiver, for example a host under a taken-over subdomain, allowing user spoofing or impersonation.

  • Logout URLs: users could be redirected to the wrong destination after logging out, for example a phishing site that spoofs the application.

  • Web Origin URLs: the list that would otherwise restrict which origins may make sign-in requests could no longer enforce that restriction, for example leading to cookies being leaked in follow-up requests.


The recommendation is that when the list of subdomains is finite and known, always define and maintain that explicit list instead of using a wildcard character. Using a wildcard is like leaving the door open: one of the matched subdomains might not be served over HTTPS, and if tokens are included in a response because an earlier request was authenticated through another subdomain's application, they could easily be intercepted. In summary, balance security against the maintainability of the subdomain lists, and prefer the explicit list where it is practical.
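As an added illustration, not taken from the Auth0 article or its product, the following Python check contrasts an explicit callback allowlist with a wildcard entry. The hostnames, paths and the decommissioned subdomain are constructed examples; the wildcard is assumed to stand for exactly one DNS label.

```python
from urllib.parse import urlparse

# Constructed example allowlists (assumed names, not a real tenant's configuration).
# The explicit list is the recommended configuration; the wildcard entry is the one
# the article advises against for production.
EXPLICIT_ALLOWLIST = {
    "https://app.example.com/callback",
    "https://admin.example.com/callback",
}
WILDCARD_ALLOWLIST = {"https://*.example.com/callback"}


def host_matches(host: str, pattern_host: str) -> bool:
    """A leading '*.' stands for exactly one non-empty DNS label (assumed semantics)."""
    if not pattern_host.startswith("*."):
        return host == pattern_host
    label, _, rest = host.partition(".")
    return bool(label) and rest == pattern_host[2:]


def matches_entry(redirect_uri: str, entry: str) -> bool:
    """Exact match for plain entries; per-label host match for wildcard entries."""
    if "*" not in entry:
        return redirect_uri == entry  # no pattern semantics at all
    cand, pat = urlparse(redirect_uri), urlparse(entry)
    same_rest = (cand.scheme, cand.port, cand.path, cand.query, cand.fragment) == \
                (pat.scheme, pat.port, pat.path, pat.query, pat.fragment)
    return same_rest and host_matches(cand.hostname or "", pat.hostname or "")


def is_allowed(redirect_uri: str, allowlist: set) -> bool:
    """Accept a redirect_uri only if it is HTTPS and matches some allowlist entry."""
    if urlparse(redirect_uri).scheme != "https":
        return False  # tokens returned over plain HTTP could be intercepted
    return any(matches_entry(redirect_uri, entry) for entry in allowlist)


def compare(redirect_uri: str) -> dict:
    """Show how the two configurations treat the same redirect_uri."""
    return {
        "explicit": is_allowed(redirect_uri, EXPLICIT_ALLOWLIST),
        "wildcard": is_allowed(redirect_uri, WILDCARD_ALLOWLIST),
    }


if __name__ == "__main__":
    # A subdomain that was decommissioned but whose DNS name still resolves to
    # third-party hosting is the subdomain-takeover case the article warns about.
    for uri in ("https://app.example.com/callback",
                "https://decommissioned.example.com/callback",
                "http://app.example.com/callback"):
        print(uri, compare(uri))
```

The explicit list rejects the decommissioned subdomain outright, while the wildcard accepts it; the non-HTTPS URL is rejected under both configurations.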
