diff --git a/admin/server/auth/handlers.go b/admin/server/auth/handlers.go
index 486882f9ea8..ba8c736f34e 100644
--- a/admin/server/auth/handlers.go
+++ b/admin/server/auth/handlers.go
@@ -179,10 +179,8 @@ func (a *Authenticator) authStart(w http.ResponseWriter, r *http.Request, signup
 }
 // If this is part of the custom domain login flow, save that info in the cookie since we need that info when handling the auth callback.
- customDomainFlow := false
 if b, err := strconv.ParseBool(r.URL.Query().Get("custom_domain_flow")); err == nil && b {
 sess.Values[cookieFieldCustomDomainFlow] = b
- customDomainFlow = b
 }
 // Save cookie
@@ -191,6 +189,12 @@ func (a *Authenticator) authStart(w http.ResponseWriter, r *http.Request, signup
 return
 }
+ err := a.validateRedirectURL(r.Context(), redirect)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+
 // Redirect to /auth/login (custom domain flow)
 host := originalHost(r)
 if a.admin.URLs.IsCustomDomain(host) {
@@ -200,12 +204,6 @@ func (a *Authenticator) authStart(w http.ResponseWriter, r *http.Request, signup
 return
 }
- err := a.validateRedirectURL(r.Context(), redirect, customDomainFlow)
- if err != nil {
- http.Error(w, err.Error(), http.StatusBadRequest)
- return
- }
-
 // Redirect to auth provider (canonical domain flow)
 redirectURL := a.oauth2.AuthCodeURL(state)
 if signup {
@@ -596,7 +594,7 @@ func (a *Authenticator) authLogoutProvider(w http.ResponseWriter, r *http.Reques
 // Validate and set custom redirect destination in cookie for when the logout flow is over (if any)
 redirect := r.URL.Query().Get("redirect")
 if redirect != "" {
- err := a.validateRedirectURL(r.Context(), redirect, true)
+ err := a.validateRedirectURL(r.Context(), redirect)
 if err != nil {
 http.Error(w, err.Error(), http.StatusBadRequest)
 return
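Review bot: The `err := a.validateRedirectURL(r.Context(), redirect)` call in the second hunk now runs before the custom-domain branch, which closes the gap where a request arriving on a custom domain was forwarded to /auth/login without its redirect parameter ever being validated, but nothing in the code records that this ordering is deliberate and a later refactor could move it back below the branch. Add `// Validate the redirect before branching so both the custom-domain and canonical flows reject unsafe destinations.` directly above the call. The 400 path writes `err.Error()` verbatim into the response, so validateRedirectURL's messages should stay limited to the rejected value and not expose configuration details. authStart begins and ends outside this hunk.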
@@ -728,13 +726,10 @@ func (a *Authenticator) getAccessToken(w http.ResponseWriter, r *http.Request) {
 }
 }
-func (a *Authenticator) validateRedirectURL(ctx context.Context, redirect string, allowCustomDomains bool) error {
+func (a *Authenticator) validateRedirectURL(ctx context.Context, redirect string) error {
 if a.admin.URLs.IsSafeRedirectURL(redirect) {
 return nil
 }
- if !allowCustomDomains {
- return fmt.Errorf("redirect to %q is not allowed", redirect)
- }
 parsed, err := url.Parse(redirect)
 if err != nil {
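Review bot: Removing the `allowCustomDomains` gate means every caller, including authStart on the canonical domain with no `custom_domain_flow` flag set, now falls through to the `url.Parse` path and accepts whatever the custom-domain check after this hunk admits, so the set of permitted redirect destinations is wider than the old canonical-domain path allowed; that appears intended, but the function carries no doc comment stating the contract. Add `// validateRedirectURL accepts redirect if it is a safe redirect URL for the canonical domain or, once parsed, a URL that the custom-domain check below admits; anything else is rejected.` above the signature. Because the parsed-URL check is now the only thing standing between an attacker-supplied redirect and a 302 for every non-canonical value, it should compare the host exactly and insist on an absolute https URL, which cannot be confirmed from this hunk. If the removed `fmt.Errorf` was the file's only use of `fmt`, the import needs to go as well. The function body continues past the end of the hunk.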