Handle Redirects And Allowlists

Doc type: How-to guide

Goal and scope

Implement safe redirect handling for hosted auth, where:

  • redirectUrl is the return target hosted auth sends the browser back to after sign-in or logout.
  • Sign-in itself is completed through OAuth, which returns the browser to a redirect_uri registered for your client_id.

Prerequisites and constraints

  • Hosted-auth return URLs must be HTTPS (https: only) and allowlisted.
  • OAuth redirect_uri values must exactly match one of the registered redirect URIs for your client_id.
  • OAuth Authorization Code + PKCE is required.

Steps

  1. Enter hosted auth with a redirectUrl.

    https://auth.yoyogroup.com/?redirectUrl=<encoded return URL>
  2. Validate the hosted redirectUrl target.

    • Require https for redirectUrl; reject http, relative paths, protocol-relative (//host) values and any other scheme.
    • Ensure the host/path is allowlisted for your app, comparing the parsed origin exactly rather than by substring or host prefix.
    • Apply the same validation rules for logout redirects.
  3. Use OAuth authorize redirects for hosted sign-in.

    • Hosted auth continues the sign-in flow through OAuth.
    • OAuth returns the browser to your registered redirect_uri with code and the state value you sent (state is optional in the protocol, but this guide expects you to send it and verify it on return).
    https://auth-int.yoyogroup.com/api/oauth/authorize?response_type=code&client_id=<appId>&redirect_uri=https%3A%2F%2Fyour-app.yoyogroup.com%2Fauth%2Fcallback&code_challenge=<code_challenge>&code_challenge_method=S256&state=<state>
  4. Validate and exchange on the callback.

    • Verify state against the value stored in your app session before exchanging code; treat a missing or mismatched state as a failed sign-in.
    • Exchange the code at /api/oauth/token with the code_verifier for the code_challenge you sent and the exact same redirect_uri used at authorize time.
    • Reject or fail safely when redirect_uri does not exactly match the registered URI; never fall back to a "close enough" value.
  5. Build logout redirects through the public logout endpoint.

    https://auth.yoyogroup.com/logout?redirectUrl=<encoded return URL>
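The checks in steps 2 and 5, together with the safe fallback described under troubleshooting, written out as an added Node.js example. This is not code from the original page or from the portal; the allowlist entries, the fallback destination and the function names are assumptions for illustration, while the hosted-auth entry and logout endpoints are the ones this guide gives.

```javascript
// Added example (not the portal's own code): allowlist validation for the hosted-auth
// redirectUrl, used for both sign-in and logout returns. Allowlist and fallback are assumed.

// Assumed allowlist: an exact https origin plus the path prefix the app may be returned to.
const REDIRECT_ALLOWLIST = [
  { origin: 'https://your-app.yoyogroup.com', pathPrefix: '/auth/callback' },
  { origin: 'https://your-app.yoyogroup.com', pathPrefix: '/logged-out' },
];

// Assumed fixed, app-owned destination used when the requested redirectUrl is rejected.
const SAFE_FALLBACK = 'https://your-app.yoyogroup.com/';

// True when path equals the prefix or sits under it on a segment boundary, so
// '/auth/callback' and '/auth/callback/x' match but '/auth/callbackevil' does not.
function pathUnderPrefix(path, prefix) {
  if (path === prefix) return true;
  const base = prefix.endsWith('/') ? prefix : prefix + '/';
  return path.startsWith(base);
}

// Returns the validated absolute target, or null when the candidate must be rejected.
// Rules: absolute URL, https only, no embedded credentials, exact origin + path prefix match.
function validateRedirectUrl(candidate) {
  let url;
  try {
    url = new URL(candidate); // relative, protocol-relative and malformed inputs throw here
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  // Rejects https://your-app.yoyogroup.com@evil.example/..., whose real host is evil.example.
  if (url.username || url.password) return null;
  // The URL parser has already normalised '.'/'..' segments and backslashes in pathname,
  // so the prefix check runs on the canonical path.
  const allowed = REDIRECT_ALLOWLIST.some(
    (entry) => url.origin === entry.origin && pathUnderPrefix(url.pathname, entry.pathPrefix)
  );
  return allowed ? url.href : null;
}

// Builds the hosted-auth entry (or logout) URL. A rejected redirectUrl is replaced by the
// safe fallback, mirroring the portal behaviour described under troubleshooting.
function buildHostedAuthUrl(redirectUrl, logout = false) {
  const target = validateRedirectUrl(redirectUrl) ?? SAFE_FALLBACK;
  const base = logout ? 'https://auth.yoyogroup.com/logout' : 'https://auth.yoyogroup.com/';
  const u = new URL(base);
  u.searchParams.set('redirectUrl', target); // searchParams percent-encodes the value
  return u.href;
}
```

The origin comparison is deliberately exact: a host check like `hostname.endsWith('yoyogroup.com')` would accept `your-app.yoyogroup.com.evil.example` only if written carelessly, but `url.origin === entry.origin` leaves no room for that class of mistake, and the parser resolves userinfo and dot-segment tricks before the comparison runs.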

Redirect state behavior

  • Hosted auth stores redirectUrl state in sessionStorage per tab, with a 15-minute TTL.
  • OAuth clients should store and validate state in their own app session before token exchange.

Validation and troubleshooting

  • If hosted-auth redirectUrl is not allowed, the portal falls back to a safe destination.
  • If OAuth redirect_uri is not registered exactly, authorization fails with invalid_request.
  • If you see redirect loops, verify the allowlists and make sure your app only redirects to hosted auth when it has no session, not on every request.