I'm currently working on creating a plugin which would allow its users to interact with their Salesforce accounts via REST API.
Since the code would be residing on end-user servers I cannot use the client_secret, so I figured that using the User-Agent flow is the thing I'm looking for.
The problem is, however, I cannot get the redirect to work, since I get a "redirect_uri_mismatch" error. It works if I specify the CallbackURL in my Connected App settings, but since this is a plugin that clients can install on their sites, I cannot know their URI's before hand.
Is it possible to allow any url to be a redirect_uri?
If not - what are my alternatives? I can't make the client secret safe.

I'm currently working on creating a plugin which would allow its users to interact with their Salesforce accounts via REST API.
Since the code would be residing on end-user servers I cannot use the client_secret, so I figured that using the User-Agent flow is the thing I'm looking for.
The problem is, however, I cannot get the redirect to work, since I get a "redirect_uri_mismatch" error. It works if I specify the CallbackURL in my Connected App settings, but since this is a plugin that clients can install on their sites, I cannot know their URI's before hand.
Is it possible to allow any url to be a redirect_uri?
If not - what are my alternatives? I can't make the client secret safe.