Redirect Allowlist
Redirect Allowlist
#Overview
In the process of authenticating a user, the redirectURI parameter is utilized as a callback URL and will redirect users once the authentication is complete. For Magic, this is only relevant when using magic links or an OAuth provider (such as Google) as your user’s authentication method. For magic links, when using the loginWithMagicLink feature, you have the option to include a redirectURI value. If you do not include a redirectURI, the user will be asked to go back to the original tab to complete the login process. It's recommended to use a redirectURI for a smoother user experience.
#Configuration
- Go to the settings page of your app in the developer dashboard
- Toggle on your ‘redirect allowlist’
- Add your redirects and save your changes
#Format
Several redirect formats are supported, generically it may look similar to the following:
<scheme> "://" <host> [ ":" <port> ] <path>
For a detailed view of the URI syntax format, refer to this diagram.
#Mobile Linking
Linking in mobile applications refers to the ability to navigate users to a specific location within an application by clicking on a link. There are two main methods of linking in mobile apps: Deep linking and Universal Links (App Links on Android). We recommend using Universal Links/App Links for increased security in lieu of Deep Links.
View our guide on mobile links in your Magic Application
Some examples:
- Web:
https://example.linkhttps://example.link/path1
- iOS deep links:
myphotoapp:albumnameexpo://
- Android app links:
app://www.example.comapp://open.my.app
Format Notes:
- All paths have to be explicit, ie.
https://example.linkdoes not also whitelisthttps://example.link/path1 - Query strings and hash information are not taken into account when validating these URLs
- You can use wildcards at the subdomain level (e.g.: https://*.contoso.com)
#What happens if I don’t configure them?
If the redirects are not verified and whitelisted, there is a potential for attackers to drive users to malicious websites or phishing pages, and/or steal sensitive information such as login credentials. Due to this, the redirect allowlist is required and must be configured for your app. By whitelisting redirect URLs, application owners can ensure that users are only redirected to trusted and secure destinations.