From 0246b8c427ed4bc0c7f1d18083ebfd7a41ad4383 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pablo=20Andr=C3=A9s=20V=C3=A9lez=20Vidal?= Date: Wed, 24 Jun 2026 11:47:46 +0200 Subject: [PATCH] Document DCR redirect URI allowlist wildcard and query matching behavior --- .../configure/integrations-configuration-settings.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/source/administration-guide/configure/integrations-configuration-settings.rst b/source/administration-guide/configure/integrations-configuration-settings.rst index 769a07f6317..f9309a2f39e 100644 --- a/source/administration-guide/configure/integrations-configuration-settings.rst +++ b/source/administration-guide/configure/integrations-configuration-settings.rst 
@@ -176,6 +176,15 @@ In the System Console, enter URIs as a comma-separated list. When setting this v This setting applies only when :ref:`Enable dynamic client registration ` is enabled. +Redirect URIs are matched per URL component. Patterns support two wildcards: + +- ``*`` matches any characters except ``/`` (for example, a single path segment or a hostname label). +- ``**`` matches any characters including ``/`` (for example, a multi-segment path). + +Wildcards are applied within URL components only: host wildcards match against the host, path wildcards match against the path, and a wildcard in one component can't satisfy another component. For example, ``https://*.example.com/**`` matches ``https://app.example.com/callback`` but not ``https://attacker.example.net``. + +Query strings are matched only when the pattern explicitly includes one. A pattern without a query string (such as ``https://app.example.com/callback`` or ``https://app.example.com/**``) matches only redirect URIs that have no query string. To allow redirect URIs that carry query parameters, include a query component in the pattern, for example ``https://app.example.com/callback?tenant=*``. To allow a callback both with and without a query string, add both patterns. + +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"DCRRedirectURIAllowlist": []`` with string array input, such as ``["https://example.com/callback", "https://app.example.com/oauth"]``. | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
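Review bot: the query-string paragraph leaves the matching rule for multiple query parameters unstated; it says how a pattern with a query component is matched against a URI with no query and vice versa, but not whether ``https://app.example.com/callback?tenant=*`` accepts ``?tenant=acme&state=x`` or ``?state=x&tenant=acme``, nor whether ``*`` inside a query value can span ``&``. Since the paragraph already pins down the no-query case precisely, one sentence of the same precision for extra and reordered parameters would close the gap. Two smaller points in the same hunk: the example following "a wildcard in one component can't satisfy another component" (``https://*.example.com/**`` not matching ``https://attacker.example.net``) shows a plain host mismatch rather than the cross-component case, so an example such as ``https://*.example.com`` (host wildcard, no path pattern) against ``https://app.example.com/callback`` would illustrate the claim actually being made; and the two wildcard definitions do not say whether ``*`` or ``**`` may match the empty string, which decides whether ``https://app.example.com/**`` accepts ``https://app.example.com/``. Given that this allowlist governs OAuth redirect targets, a closing sentence recommending exact URIs where the integration allows it, with wildcards reserved for cases that need them, would also fit here.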