One of the problems we’re encountering with the use of review apps is the OAuth2 authentication process. Each application gets a custom, unique URL (good), but the OAuth2 authentication flow requires an absolute URI to be registered for the client. This causes problems as we either need to (a) allow for registration of a client dynamically, at deploy time; or (b) configure our OAuth2 authentication server to allow for registration of wildcard-based redirect_uris (which is a violation of the OAuth2 specification).
What solutions do you use to handle this scenario? Is the registration of wildcard URIs not a major problem, given it’s an “Accept anything that matches this pattern” rule, and we still control that system?
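
The difference between a loose wildcard rule and a tightly scoped pattern for option (b), shown as an added example that is not part of the original post. The domain `reviews.example.test`, the `myapp-pr-<number>` naming scheme and the `/oauth/callback` path are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumed values for illustration; none of these come from the original post.
EXACT_REDIRECTS = {"https://app.example.test/oauth/callback"}
REVIEW_HOST = re.compile(r"myapp-pr-[0-9]{1,6}\.reviews\.example\.test")
CALLBACK_PATH = "/oauth/callback"
LOOSE_GLOB = "https://*.reviews.example.test/oauth/callback"


def loose_wildcard_match(uri: str) -> bool:
    """The weak rule: a glob over the whole string, where '*' also spans
    '/', '?' and '@', so the host is never actually constrained."""
    return fnmatchcase(uri, LOOSE_GLOB)


def is_allowed_redirect(uri: str) -> bool:
    """The scoped rule: exact match for registered URIs, otherwise a review-app
    host under one controlled domain and nothing else in the URI."""
    if uri in EXACT_REDIRECTS:
        return True
    try:
        host = urlsplit(uri).hostname or ""
    except ValueError:  # malformed authority component
        return False
    # fullmatch anchors both ends: one label, digits only, fixed parent domain.
    if not REVIEW_HOST.fullmatch(host):
        return False
    # Rebuild the only acceptable form and compare byte for byte. This rejects
    # other schemes, userinfo, ports, query strings, fragments and whitespace.
    return uri == f"https://{host}{CALLBACK_PATH}"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "https://myapp-pr-42.reviews.example.test/oauth/callback",
        "https://other.test/x?.reviews.example.test/oauth/callback",
    ):
        print(sample, loose_wildcard_match(sample), is_allowed_redirect(sample))
```

The authorization server still compares the `redirect_uri` sent at the token endpoint with the one used in the authorization request, exactly as it does for statically registered clients.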