<@U04UQ68083H> Can I have wildcards in the `origin...
# ory-copilot
g
@chilly-king-10285 Can I have wildcards in the `origins` field in the self service kratos passkey configs?
b
A message from kapa.ai
Yes, you can use wildcards in the `origins` field for the self-service Kratos passkey configuration. According to the [Ory documentation on Passkeys](https://www.ory.sh/docs/kratos/passwordless/passkeys#configuration), you can use wildcards in the origins field. Here's an example of how you can configure it:

```yaml
selfservice:
  methods:
    passkey:
      enabled: true
      config:
        rp:
          display_name: Your Application name
          # Set 'id' to the top-level domain.
          id: localhost
          # Set 'origin' to the exact URL of the page that prompts the user to use WebAuthn. You must include the scheme, host, and port.
          origins:
            - http://localhost:4455
            - https://*.example.com
```

In this example, `https://*.example.com` demonstrates the use of a wildcard in the origins field. This allows all subdomains of example.com to be valid origins for the passkey authentication.

It's important to note that while wildcards are allowed, Ory recommends setting the CORS origins to be an exact match instead of a wildcard subdomain for better security. As stated in the [CORS documentation](https://www.ory.sh/docs/guides/cors): "To be on the safe side, Ory recommends setting the CORS origins to be an exact match instead of a wildcard subdomain."

Remember that changing these settings in a production environment could potentially break existing users' logins, so it's advisable to test thoroughly in a development or staging environment first.
g
@chilly-king-10285 is this property still used? `whitelisted_return_urls`
b
A message from kapa.ai
Based on the knowledge sources provided, it appears that the property `whitelisted_return_urls` is no longer used in the current versions of Ory Kratos. Instead, the property has been replaced with `allowed_return_urls`. This can be seen in the configuration examples from the [Ory Network issue #51](https://github.com/ory/network/issues/51) and the [Ory Kratos issue #4233](https://github.com/ory/kratos/issues/4233), where the configuration uses `allowed_return_urls`:

```yaml
selfservice:
  allowed_return_urls:
    - http://127.0.0.1:3000
    - http://127.0.0.1:4444
```

Additionally, the [Ory Proxy documentation](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#ory-proxy) mentions: "The domain used in `return_to` must be an allow-listed URL set in the project configuration." This further confirms that the current terminology is "allow-listed" rather than "whitelisted".

To ensure you're using the most up-to-date configuration, you should use `allowed_return_urls` instead of `whitelisted_return_urls` in your Ory Kratos configuration. If you're using an older version of Ory Kratos that still uses `whitelisted_return_urls`, I recommend updating to the latest version to ensure you have the most recent features and security updates.