Instead of matching only the <scheme>://<netloc> of the redirect_url with the URLs in trusted_dashboard, how about changing the check into <redirect_url>.startswith (<url in trusted_dashboard>)
this provides the flexibility to the deployer to make the validation loose by providing just the <scheme>://<netloc> or restrictive to check the full redirect URL.
Instead of matching only the <scheme>://<netloc> of the redirect_url with the URLs in trusted_dashboard, how about changing the check into <redirect_ url>.startswith (<url in trusted_dashboard>)
this provides the flexibility to the deployer to make the validation loose by providing just the <scheme>://<netloc> or restrictive to check the full redirect URL.