Allowed Callback URLs
A redirect URI is an endpoint where Scalekit redirects users post-authentication with the identity provider (IdP). In the Scalekit dashboard, you can configure up to 5 Allowed Callback URIs per environment.
Since redirect URIs can be manipulated by unauthorized parties, Scalekit requires pre-registration of all Allowed Callback URIs used in login flows. Registration can be done in the Scalekit dashboard at Dashboard > Authentication > Redirects > Allowed Callback URIs.
Validation Rules
Section titled “Validation Rules”| Validation rule | Development environment | Production environment |
|---|---|---|
| Schemes supported | http https | https |
| localhost | Allowed | Not allowed |
| Wildcard support (*) | Allowed | Not allowed |
| Max URI length | 256 characters | 256 characters |
Query parameters yourapp.com/callback?query=value | Not allowed | Not allowed |
Fragment component | Not allowed | Not allowed |
Using Wildcards
Section titled “Using Wildcards”According to the OAuth 2.0 specification, a redirection URI must be an absolute URI. But, to make development and testing easier - this restriction is slightly relaxed in the development environments.
For development, wildcards can simplify testing. However, they must follow these rules:
| Validation rule | Example |
|---|---|
| Wildcard characters are not allowed as a root-level domain | https://*.comhttps://*.acmecorp.comhttps://auth-*.acmecorp.com |
| A redirect URI can have only one wildcard character | https://*.*.acmecorp.comhttps://*.acmecorp.com |
| Wildcard character must be located in a subdomain within the hostname component | https://acmecorp.*.comhttps://*.acmecorp.com |
| Wildcard must be part of the subdomain that is farthest from the hostname component | https://auth.*.acmecorp.comhttps://*.auth.acmecorp.com |