    URL Validation

    Available since 1.43.0

    Overview

    Beginning in version 1.43.0 FusionAuth provides support for wildcards in OAuth 2.0 redirect URLs and origin URLs. This document provides details on where wildcards are allowed in configured values and the valid replacement patterns for wildcards in each position.

    • URL Validation Policy
    • Allowed Wildcard Positions
      • Domain
      • Port
      • Path Segments
      • Query String Values
    • Wildcard Replacement Patterns
      • Domain
      • Port
      • Path Segments
      • Query String Values

    URL Validation Policy

    In order to validate allowed authorized redirect and origin URLs containing wildcards, the URL validation setting must be configured to Allow wildcards under Applications → Edit Application → OAuth.

    See the Application API or Application OAuth Configuration for details.

    Allowed Wildcard Positions

    In order to maintain security while allowing the flexibility of wildcards, FusionAuth limits the position and number of wildcards that are allowed in the configured authorized redirect and origin URLs. The asterisk character, *, is the wildcard character.

    Domain

    The domain portion of a configured URL may contain zero or one wildcard. Wildcards are not allowed if the host is specified by an IP address. If the domain contains a wildcard, it must meet all of the following requirements:

    • The domain must contain at least three segments.

    • The wildcard may only appear in the host portion of the domain (left-most subdomain).

    • The wildcard can be a full or partial replacement of the host.

    The following table provides some examples of valid and invalid wildcard patterns.

    Table 1. Domain Wildcards

    Example                    | Valid | Reason
    ---------------------------|-------|---------------------------------------------
    https://*.example.com      | Yes   |
    https://blah*.example.com  | Yes   |
    https://*.com              | No    | The domain only contains two segments
    https://auth.*.com         | No    | The wildcard does not appear in the host
    https://*mid*.example.com  | No    | The domain contains multiple wildcards
    https://*.168.1.1          | No    | Wildcards are not allowed with IP addresses

    Port

    The port number can be specified as a wildcard. There is no partial wildcard support for the port number.

    Table 2. Port Wildcards

    Example                  | Valid | Reason
    -------------------------|-------|-----------------------------------------------------
    https://example.com:*    | Yes   |
    https://example.com:4*   | No    | Partial wildcards are not allowed for the port number

    Path Segments

    Wildcards are allowed in path segments with the following restrictions:

    • There can be no more than one wildcard per path segment.

    • The wildcard can be a full or partial replacement of the path segment.

    The following table provides some examples of valid and invalid wildcard patterns in the path.

    Table 3. Path Wildcards

    Example                                   | Valid | Reason
    ------------------------------------------|-------|---------------------------------------------
    https://example.com/path/*/resource       | Yes   |
    https://example.com/p*/to/resource        | Yes   |
    https://example.com/*/par*tial/*          | Yes   |
    https://example.com/path/*mid*/resource   | No    | The path segment contains multiple wildcards

    Query String Values

    Wildcards are allowed in query string values with the following restrictions:

    • Partial wildcards are not allowed for query string values.

    Wildcards are not allowed in query string names. The following table provides some examples of valid and invalid wildcard patterns in the query string.

    Table 4. Query String Wildcards

    Example                                     | Valid | Reason
    --------------------------------------------|-------|-------------------------------------------------------------------
    https://example.com?foo=*                   | Yes   |
    https://example.com?foo=*&bar=*&baz=blah    | Yes   |
    https://example.com?foo=par*tial            | No    | Partial wildcard replacement is not allowed for query string values
    https://example.com?*=blah                  | No    | Wildcards are not allowed in query string names

    Wildcard Replacement Patterns

    The position where wildcards are allowed in configured values is just one half of the puzzle. Wildcards in each portion of the URL have different rules for the values that may replace them. Please note that an allowed replacement value does not necessarily produce a valid URL. This section provides details on the allowed replacements for wildcards in each portion of the URL. Each wildcard in the configured value must match one or more characters; a wildcard never matches an empty string.

    Domain

    Replacements for wildcards in the domain portion of the URL must not contain ., :, /, or ? characters. The following table lists examples of valid and invalid replacements for valid wildcard patterns.

    Table 5. Domain wildcard replacement

    Pattern                    | Value                              | Valid | Reason
    ---------------------------|------------------------------------|-------|---------------------------------------------------------
    https://*.example.com      | https://login.example.com          | Yes   |
    https://auth*.example.com  | https://auth2.example.com          | Yes   |
    https://auth*.example.com  | https://auth.example.com           | No    | The value does not contain a character to replace the *
    https://*.example.com      | https://auth.customer.example.com  | No    | The replacement contains a . character

    Port

    Replacement values for wildcards in the port portion of the URL must consist of one or more decimal digits.

    Table 6. Port wildcard replacement

    Pattern                 | Value                     | Valid | Reason
    ------------------------|---------------------------|-------|----------------------------------------------------
    https://example.com:*   | https://example.com:2012  | Yes   |
    https://example.com:*   | https://example.com:80b   | No    | The replacement value contains a non-numeric character

    Path Segments

    Replacement values for wildcards in a path segment of the URL must not contain / or ? characters.

    Table 7. Path segment wildcard replacement

    Pattern                               | Value                                        | Valid | Reason
    --------------------------------------|----------------------------------------------|-------|------------------------------------------------------------------------------
    https://example.com/path/*/resource   | https://example.com/path/to/resource         | Yes   |
    https://example.com/p*/to/resource    | https://example.com/path/to/resource         | Yes   |
    https://example.com/*/par*tial/*      | https://example.com/path/partotial/resource  | Yes   |
    https://example.com/path/*/resource   | https://example.com/path/to/the/resource     | No    | The replacement value contains a /
    https://example.com/path/*            | https://example.com/path/resource?foo=bar    | No    | The replacement value contains a ?
    https://example.com/*/par*tial/*      | https://example.com/path/partial/resource    | No    | The segment partial does not contain a replacement character for the wildcard

    Query String Values

    Replacement values for query string values must not contain the & character.

    Table 8. Query string value wildcard replacement

    Pattern                     | Value                                    | Valid | Reason
    ----------------------------|------------------------------------------|-------|-------------------------------------------------------------
    https://example.com?foo=*   | https://example.com?foo=bar              | Yes   |
    https://example.com?foo=*   | https://example.com?foo=bar&baz=blah     | No    | The replacement value contains an & character
    https://example.com?foo=*   | https://example.com?baz=blah&foo=bar     | No    | The replacement value contains an extra query string parameter

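    The two halves of this page, the position rules of tables 1 to 4 and the replacement rules of tables 5 to 8, can be exercised together with a small checker. The Python below is an added example written for this page: it is an independent reimplementation of the rules as documented here, not FusionAuth's code. The function names (validate_pattern, is_valid_pattern, pattern_to_regex, url_matches), the URL-splitting regex, and the heuristic that treats a host made only of digits, dots and wildcards as an IP address are assumptions of the example. Matching is exact: it is case-sensitive, and a pattern without a port or path only matches a value without a port or path.

```python
# Added example, not FusionAuth code: an independent reimplementation of the
# wildcard rules as documented on this page. Function names, the URL-splitting
# regex and the IP-address heuristic are assumptions made for the example.
import re

# Splits "scheme://host[:port][/path][?query]". The host group stops at ':',
# '/' and '?' so that a wildcard port, path or query is captured on its own.
_URL = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<host>[^/:?#]+)"
    r"(?::(?P<port>[^/?#]*))?(?P<path>/[^?#]*)?(?:\?(?P<query>[^#]*))?$"
)

# What a single '*' may expand to in each portion of the URL (tables 5 to 8).
# Every class carries '+' because a wildcard must match one or more characters.
DOMAIN_REPL = r"[^.:/?]+"   # no '.', ':', '/' or '?'
PORT_REPL = r"[0-9]+"       # decimal digits only
PATH_REPL = r"[^/?]+"       # no '/' or '?'
QUERY_REPL = r"[^&]+"       # no '&'


class InvalidPattern(ValueError):
    """The configured URL breaks one of the allowed-wildcard-position rules."""


def _parse(url: str) -> dict:
    m = _URL.match(url)
    if m is None:
        raise InvalidPattern(f"not an absolute URL: {url!r}")
    return m.groupdict()


def _looks_like_ip(host: str) -> bool:
    # Assumption: a host made only of digits, dots and wildcards is an IP literal.
    return re.fullmatch(r"[0-9.*]+", host) is not None


def validate_pattern(pattern: str) -> None:
    """Raise InvalidPattern unless the configured pattern satisfies tables 1 to 4."""
    p = _parse(pattern)
    host = p["host"]
    if "*" in host:
        if _looks_like_ip(host):
            raise InvalidPattern("wildcards are not allowed with IP addresses")
        if host.count("*") > 1:
            raise InvalidPattern("the domain contains multiple wildcards")
        labels = host.split(".")
        if len(labels) < 3:
            raise InvalidPattern("the domain must contain at least three segments")
        if "*" not in labels[0]:
            raise InvalidPattern("the wildcard must appear in the left-most subdomain")
    port = p["port"]
    if port is not None and "*" in port and port != "*":
        raise InvalidPattern("partial wildcards are not allowed for the port number")
    for segment in (p["path"] or "").split("/"):
        if segment.count("*") > 1:
            raise InvalidPattern("a path segment contains multiple wildcards")
    for pair in (p["query"].split("&") if p["query"] else []):
        name, _, value = pair.partition("=")
        if "*" in name:
            raise InvalidPattern("wildcards are not allowed in query string names")
        if "*" in value and value != "*":
            raise InvalidPattern("partial wildcards are not allowed for query string values")


def is_valid_pattern(pattern: str) -> bool:
    """Boolean form of validate_pattern, convenient for configuration checks."""
    try:
        validate_pattern(pattern)
        return True
    except InvalidPattern:
        return False


def _expand(text: str, repl: str) -> str:
    """One URL component to a regex: literal pieces escaped, each '*' -> repl."""
    return repl.join(re.escape(piece) for piece in text.split("*"))


def pattern_to_regex(pattern: str) -> str:
    """Compile a validated pattern into a full-URL regex enforcing tables 5 to 8."""
    validate_pattern(pattern)
    p = _parse(pattern)
    out = re.escape(p["scheme"]) + "://" + _expand(p["host"], DOMAIN_REPL)
    if p["port"] is not None:
        out += ":" + _expand(p["port"], PORT_REPL)
    if p["path"] is not None:
        # Expand segment by segment so a '*' can never swallow a '/'.
        out += "/".join(_expand(seg, PATH_REPL) for seg in p["path"].split("/"))
    if p["query"] is not None:
        # The whole query string is matched, so an extra or reordered parameter
        # in the value fails just like an '&' inside a single replacement.
        out += r"\?" + _expand(p["query"], QUERY_REPL)
    return out


def url_matches(pattern: str, value: str) -> bool:
    """True if `value` is an allowed replacement of the wildcards in `pattern`."""
    return re.fullmatch(pattern_to_regex(pattern), value) is not None
```

    Each wildcard is compiled to the character class from the replacement tables with a "one or more" quantifier, which is exactly what makes https://auth*.example.com reject https://auth.example.com, https://*.example.com reject https://auth.customer.example.com, and ?foo=* reject ?foo=bar&baz=blah. Validating the pattern once at configuration time (is_valid_pattern) and then matching the full URL component by component (url_matches) keeps a single wildcard from quietly widening a redirect allow list beyond the one host label, port, path segment or query value it was meant to cover.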
    © 2023 FusionAuth