How can we pass the wildcard in redirect URI for registered Oauth client

Hi Team,
I have created a journey where, in the last node, i.e. the success URL, I am passing the redirect URL as "https://host:port/…/…/./authorize/?scope=…&…&redirect_uri=https://xyz/xy?PID=ID"

where ID we are getting from shared state, and the value of ID is dynamic based on the different user, e.g. ID=09787398, ID=3456KLJ, etc. But while running the success URL in the browser I am getting a redirect_uri_mismatch error, although in the OAuth client redirect_uri I have kept “https://xyz/xy?PID=”. When I was trying to enable the wildcard and use the value h…ps://xyz/xy?PID=*, then it's not saving and giving a validation error.

Can you please let me know how I can use a wildcard, because the ID will be different every time?
Note: If I am opening h…://xyz/xy?PID=9373463 directly in the browser with some ID, it's working fine.

Hi @TanayAmgen

If I am understanding your use case correctly, the short answer here is that according to the AM documentation (Client application registration :: AM 7.5.0 - see Redirection URIs):

Redirection URI values … must be an exact match

I’m not sure I fully understand what you are trying to accomplish, but perhaps we could look at different ways to solve for your scenario.

2 Likes

Hi @TanayAmgen,

I encourage you to read draft-ietf-oauth-security-topics-29 to understand that the design you’re proposing undermines the OAuth2 security profile, and you’ll also understand why usage of wildcards in the redirect_uri is not offered: it is highly insecure.
A way you can achieve the same result is to use the state parameter in the initial OAuth flow /authorize request; it is passed back along to the redirect_uri. Make sure to store a random, unguessable value concatenated with the ID value in order to provide a context to the redirect call. By doing this you achieve two things: by checking the random value, you ensure that the callback is legitimate, and at the same time you provide context to your application.

Regards
Patrick

3 Likes
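Patrick's state-based approach, as an added example that is not code from the thread or from AM: the client registers one fixed redirect_uri (exact match) and carries the per-user ID in `state` alongside a random nonce, then checks the nonce on the callback. The authorize endpoint, client_id and redirect URI are constructed placeholders, and the in-memory `pending` dict stands in for a real server-side session store.

```python
import secrets
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values (not from the thread). The registered redirect URI
# is fixed and carries no query string, so it satisfies AM's exact-match rule.
AUTHORIZE_ENDPOINT = "https://host:port/am/oauth2/authorize"  # hypothetical
REDIRECT_URI = "https://xyz/xy"
STATE_TTL = 300  # seconds a pending state stays valid

# Server-side store of pending logins: nonce -> (pid, expiry). In-memory for the example.
pending = {}

def start_login(pid, client_id="myclient", scope="openid"):
    """Build the /authorize URL; state = <random nonce>.<pid>, nonce remembered server-side."""
    nonce = secrets.token_urlsafe(32)          # unguessable, one per login attempt
    pending[nonce] = (pid, time.time() + STATE_TTL)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": REDIRECT_URI,          # always the same registered value
        "state": f"{nonce}.{pid}",             # context travels here, not in redirect_uri
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def handle_callback(callback_url):
    """Validate the redirect back to us; return the pid, or raise ValueError if not legitimate."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected URI")
    state = parse_qs(parsed.query).get("state", [None])[0]
    if not state or "." not in state:
        raise ValueError("missing or malformed state")
    nonce, _, pid = state.partition(".")
    entry = pending.pop(nonce, None)           # single use: a replayed state fails here
    if entry is None:
        raise ValueError("unknown state: this callback was not initiated by us")
    stored_pid, expiry = entry
    if time.time() > expiry:
        raise ValueError("state expired")
    if not hmac.compare_digest(stored_pid, pid):
        raise ValueError("state tampered: pid does not match the one we issued")
    return pid
```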

Thank you @patrick_diligent and @mwtech