
Conversation


@Arochka Arochka commented Dec 17, 2025

Summary

This PR adds support for wildcard patterns (*) in redirect URIs to better support dynamic environments (e.g. preview deployments).

Rules (web only):

  • Wildcards are allowed for http/https redirect URIs in the hostname and/or pathname.
  • Wildcards are rejected in scheme, port, query, and hash.
  • Hostname wildcard patterns must contain at least one dot to avoid overly broad patterns.

Implementation details:

  • @logto/core-kit: extend validateRedirectUrl() to accept wildcard web redirect URIs.
  • @logto/schemas: allow wildcard patterns in redirectUris and postLogoutRedirectUris validation.
  • @logto/core: support wildcard redirect URIs when deriving allowed CORS origins (origin matching only).
  • @logto/console: allow wildcard values in redirect/post-logout URI input validation.
  • oidc-provider (Logto fork): patch Client.redirectUriAllowed() and Client.postLogoutRedirectUriAllowed() to match wildcards, and prevent omitting redirect_uri when the only registered redirect URI is a wildcard pattern.

Testing

  • Unit tests:
    - packages/toolkit/core-kit/src/utils/url.test.ts (wildcard redirect URL validation)
    - packages/core/src/oidc/utils.test.ts (origin matching with wildcard redirect URIs)

Tested locally.

Checklist

  • .changeset
  • unit tests
  • integration tests
  • necessary TSDoc comments


github-actions bot commented Dec 17, 2025

COMPARE TO master

Total Size Diff ⚠️ 📈 +21.56 KB

Diff by File
Name Diff
.changeset/wild-cats-march.md 📈 +550 Bytes
package.json 📈 +54 Bytes
packages/console/src/mdx-components/UriInputField/index.tsx 📈 +155 Bytes
packages/console/src/pages/ApplicationDetails/ApplicationDetailsContent/Settings.tsx 📈 +1.16 KB
packages/console/src/utils/validator.ts 📈 +2.79 KB
packages/core/src/oidc/utils.test.ts 📈 +2.72 KB
packages/core/src/oidc/utils.ts 📈 +2.78 KB
packages/phrases/src/locales/en/translation/admin-console/application-details.ts 📈 +186 Bytes
packages/phrases/src/locales/fr/translation/admin-console/application-details.ts 📈 +231 Bytes
packages/schemas/src/foundations/jsonb-types/oidc-module.ts 📈 +62 Bytes
packages/toolkit/core-kit/src/utils/url.test.ts 📈 +787 Bytes
packages/toolkit/core-kit/src/utils/url.ts 📈 +3.05 KB
patches/oidc-provider.patch 📈 +6.14 KB
pnpm-lock.yaml 📈 +962 Bytes

@github-actions github-actions bot added size/l and removed size/l labels Dec 17, 2025
@simeng-li simeng-li changed the title feat(oidc): support wildcard patterns in redirect URIs feat(core, console, schemas, tool-kit): support wildcard patterns in redirect URIs Dec 18, 2025
@github-actions github-actions bot added size/l and removed size/l labels Dec 18, 2025
@Arochka Arochka force-pushed the feat/wildcard-redirect-uris branch from 16f9a25 to b25868a Compare December 18, 2025 11:10
@github-actions github-actions bot added size/xl and removed size/l labels Dec 18, 2025
@wangsijie wangsijie left a comment

Since wildcard redirect URIs are not standard OIDC and expand the attack surface, could we add either a warning banner in the admin console when wildcards are used, or an environment variable to explicitly opt-in to this feature?

@Arochka Arochka force-pushed the feat/wildcard-redirect-uris branch from b25868a to 2c3384d Compare December 19, 2025 12:10
@Arochka Arochka requested a review from darcyYe as a code owner December 19, 2025 12:10
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 19, 2025
@Arochka Arochka closed this Dec 19, 2025
@Arochka Arochka force-pushed the feat/wildcard-redirect-uris branch from 2c3384d to 50e6847 Compare December 19, 2025 12:14
@github-actions github-actions bot added size/xs and removed size/xl labels Dec 19, 2025
@Arochka Arochka reopened this Dec 19, 2025
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 25, 2025
Arochka and others added 12 commits December 25, 2025 21:36
- Limit wildcard redirect URIs to non-native apps (SPA/Traditional only)
- Add dot segment validation to prevent path traversal in console validator
- Reorder scheme validation logic for better code flow
- Add comprehensive test cases for wildcard origin matching edge cases
- Optimize regex character class order per unicorn/better-regex
- Fix multi-line return formatting per prettier
- Optimize regex character class order for unicorn/better-regex
- Wrap escapeRegExp in arrow function for unicorn/no-array-callback-reference
The upstream commit 1107094 has ESM issues that break Jest tests.
Reverting to the original approach using patch file with the working
base commit aa47a2b.
@wangsijie wangsijie force-pushed the feat/wildcard-redirect-uris branch from 7278ce3 to fc27099 Compare December 25, 2025 13:36
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 25, 2025