Redirect Allowlist

#Overview

In the process of authenticating a user, the redirectURI parameter is utilized as a callback URL and will redirect users once the authentication is complete. For Magic, this is only relevant when using magic links or an OAuth provider (such as Google) as your user’s authentication method. For magic links, when using the loginWithMagicLink feature, you have the option to include a redirectURI value. If you do not include a redirectURI, the user will be asked to go back to the original tab to complete the login process. It's recommended to use a redirectURI for a smoother user experience.

Redirect URIs are checked only against your domain allowlist, and by default any domain is allowed until configured otherwise.

#Configuration

  1. Go to the settings page of your app in the developer dashboard
  2. Toggle on your ‘redirect allowlist’
  3. Add your redirects and save your changes

#Format

Several redirect formats are supported. Generically, a redirect looks similar to the following:

  • <scheme> "://" <host> [ ":" <port> ] <path>

For a detailed view of the URI syntax format, refer to this diagram.

#Mobile Linking

Linking in mobile applications refers to the ability to navigate users to a specific location within an application by clicking on a link. There are two main methods of linking in mobile apps: Deep linking and Universal Links (App Links on Android). We recommend using Universal Links/App Links for increased security in lieu of Deep Links.

View our guide on mobile links in your Magic Application

Some examples:

Format Notes:

  • All paths have to be explicit, i.e. https://example.link does not also whitelist https://example.link/path1
  • Query strings and hash information are not taken into account when validating these URLs
  • You can use wildcards at the subdomain level (e.g. https://*.contoso.com)
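
The format notes above can be mirrored in a local pre-check that an application runs before passing a redirectURI to loginWithMagicLink. This is an added example, not Magic's own validation code: the function names and sample allowlist are constructed, and it assumes that `*` stands for exactly one subdomain label and that paths are compared exactly, with no trailing-slash normalisation.

```javascript
// Added example: mirrors the documented matching rules; not Magic's own code.
const DEFAULT_PORTS = { http: "80", https: "443" };

// Parse an allowlist entry of the form <scheme>://<host>[:<port>]<path>.
// Parsed by hand so a leading "*." wildcard label is kept literally.
function parseEntry(entry) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#@]+)(?::(\d+))?(\/[^?#]*)?$/i.exec(entry);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const port = m[3] && m[3] !== DEFAULT_PORTS[scheme] ? m[3] : "";
  return { scheme, host: m[2].toLowerCase(), port, path: m[4] || "/" };
}

// Assumption: "*" stands for exactly one subdomain label.
function hostMatches(pattern, host) {
  if (!pattern.startsWith("*.")) return pattern === host;
  const base = pattern.slice(1); // e.g. ".contoso.com"
  if (!host.endsWith(base)) return false;
  const label = host.slice(0, -base.length);
  return label.length > 0 && !label.includes(".");
}

function isRedirectAllowed(redirectURI, allowlist) {
  let url;
  try {
    url = new URL(redirectURI); // normalises case, dot segments, default ports
  } catch {
    return false; // unparseable input is never allowed
  }
  const scheme = url.protocol.slice(0, -1);
  return allowlist.some((entry) => {
    const e = parseEntry(entry);
    // Query string and hash are deliberately not compared.
    return e !== null && e.scheme === scheme && hostMatches(e.host, url.hostname) &&
      e.port === url.port && e.path === url.pathname;
  });
}

// Constructed sample allowlist (hosts taken from the page's own examples).
const SAMPLE_ALLOWLIST = [
  "https://example.link",
  "https://example.link/callback",
  "https://*.contoso.com/auth",
];
```

Comparing the parsed hostname rather than a string prefix is what rejects look-alike inputs such as a userinfo-prefixed host or an allowlisted name used as a subdomain of another domain.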

#What happens if I don’t configure them?

If the redirects are not verified and whitelisted, there is a potential for attackers to drive users to malicious websites or phishing pages, and/or steal sensitive information such as login credentials. By whitelisting redirect URLs, application owners can ensure that users are only redirected to trusted and secure destinations.

Note

If you have configured your domain allowlist and have not toggled on your redirect allowlist, Magic will use your domain allowlist as a fallback to verify any redirects. This is a convenience feature to help migrate existing customers; however, we highly recommend not relying on this behaviour and explicitly configuring your redirect allowlist.