PingOne

Redirect URIs

A redirect URI is the address to which PingOne forwards the OIDC response after authentication. For flexibility in configuring the redirect URI, you can use patterns and loopback IP redirects.

Wildcards in redirect URIs

You can choose to allow a wildcard in the redirect URI. Rather than entering an exact URI, you can use a wildcard to include multiple paths using one entry. You can use only one wildcard in the path and query portions of the URI, that is, the portion of the URI after the authority. Only one wildcard is allowed per URI. The * operator is the only supported wildcard. Learn more in Editing an application.

An example path showing a wildcard in the redirect URI

Fragment is not applicable because redirect URIs can’t contain fragments, following the OAuth 2.0 Authorization Framework specification.

Example

An application is configured with a Redirect URI entry of:

https://www.example.com/th*/callback
redirect_urivalue in the authorization request Result

https://www.example.com/this/callback

PingOne accepts the provided redirect_uri value because this matches  the th* pattern.

https://www.example.com/that/callback

PingOne accepts the provided redirect_uri value because that matches the th* pattern.

https://www.example.com/oidc/callback

PingOne rejects the provided redirect_uri value because oidc does not match the th* pattern. PingOne returns Redirect URI mismatch to the application.

For security reasons, we recommend that you use a hardcoded URL (exact match), but the wildcard option can give you flexibility if you need it.

Loopback IP redirect URIs

PingOne supports any valid port for loopback IP redirect URIs. Native applications that can open a port on the loopback network interface without needing special permissions can use the loopback interface to receive the OAuth redirect.

To use a loopback URI, specify the Authority URL as a loopback IP address or localhost, and the port that the client is listening on. The Scheme must be HTTP or HTTPS. For more information, see Loopback Interface Redirection in the OAuth 2.0 for Native Apps RFC.

Example 1

An application is configured with a Redirect URI entry of:

http://127.0.0.1/cb
redirect_urivalue in the authorization request Result

http://127.0.0.1/cb

PingOne accepts the provided redirect_uri value because it is an exact match.

http://127.0.0.1:8080/cb

PingOne accepts the provided redirect_uri value because port 8080 is a valid port.

http://127.0.0.1:80/cb

PingOne accepts the provided redirect_uri value because port 80 is a valid port.

https://127.0.0.1/cb

PingOne rejects the provided redirect_uri value because https:// does not match the expected scheme of http:/. PingOne returns Redirect URI mismatch to the application.

Example 2

An application is configured with a Redirect URI entry of:

http://127.0.0.1:8080/cb
redirect_urivalue in the authorization request Result

http://127.0.0.1:8080/cb

PingOne accepts the provided redirect_uri value because it is an exact match.

http://127.0.0.1:9080/cb

PingOne rejects the provided redirect_uri value because port 9080 does not match the expected port 8080. PingOne returns Redirect URI mismatch to the application.

http://127.0.0.1:80/cb

PingOne rejects the provided redirect_uri value because port 80 does not match the expected port 8080. PingOne returns Redirect URI mismatch to the application.