diff --git a/mta-multi-tenant.yaml b/mta-multi-tenant.yaml
index 50631f6d..c247356c 100644
--- a/mta-multi-tenant.yaml
+++ b/mta-multi-tenant.yaml
@@ -77,6 +77,7 @@ modules:
       keep-existing-routes: true
     properties:
       TENANT_HOST_PATTERN: ^(.*)-${default-uri} # testing only, use custom domain with wildcard for production
+      CHECK_X_FORWARDED_HOST_IN_LOGIN_CALLBACK: true
     requires:
     - name: srv-api
       group: destinations
@@ -90,7 +91,7 @@ modules:
       - name: app-api
         properties:
           app-url: '${default-url}'
-          app-domain: '${domain}'
+          app-uri: '${default-uri}'
 # --------------------- RESOURCES ---------------------
 resources:
 # -----------------------------------------------------
@@ -104,7 +105,7 @@ resources:
         xsappname: bookshop-mt-${org}-${space}
         oauth2-configuration:
           redirect-uris:
-          - https://*.~{app-api/app-domain}/**
+          - https://*-~{app-api/app-uri}/** # be as explicit as possible, but keep the wildcard for the tenant subdomain
     requires:
       - name: app-api
   - name: bookshop-mt-service-manager
diff --git a/mta-single-tenant.yaml b/mta-single-tenant.yaml
index 07d0692a..2128cb06 100644
--- a/mta-single-tenant.yaml
+++ b/mta-single-tenant.yaml
@@ -58,6 +58,8 @@ modules:
     parameters:
       memory: 256M
       disk-quota: 512M
+    properties:
+      CHECK_X_FORWARDED_HOST_IN_LOGIN_CALLBACK: true
     requires:
     - name: srv-api
       group: destinations