Consider allowing localhost in redirect_uri

[git9999999]

Expected Behavior
It should be possible to Overwrite the with a Config properties, to allow the use of localhost as Redirect Host.

Current Behavior
I am not a oauth2 specialist, and i am sure there are good reasons to prevent that behaviour by default. But for local development, people are use the enter the url localhost:4200 and not 127.0.0.1:4200

Current Code

	String requestedRedirectHost = requestedRedirect.getHost();
		if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
			// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1
			// While redirect URIs using localhost (i.e.,
			// "http://localhost:{port}/{path}") function similarly to loopback IP
			// redirects described in Section 10.3.3, the use of "localhost" is NOT RECOMMENDED.
			return false;
		}
		if (!isLoopbackAddress(requestedRedirectHost)) {
			// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7
			// When comparing client redirect URIs against pre-registered URIs,
			// authorization servers MUST utilize exact string matching.
			return registeredClient.getRedirectUris().contains(requestedRedirectUri);
		}

Context

1. I took me a long time to realize that localhost is not allowed.
2. for local development is common to use localhost not 127.0.0.1

PS: In any case please add a Log statement that tell the Developers, if the use localhost, that this is the reason for the auth error they will suffer.

[jgrandja]

@git9999999 The reason "localhost" is not allowed is documented in the code:

// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1

Please review the link for full details.

Either way, we do need to improve the error message / notification for this scenario.

I'm going to close this as a duplicate of gh-680. Feel free to add additional comments there.

[thomasletsch]

I can understand all the reasoning behind this settings, but I would like to emphasis one the points git9999999 made:

For local development it is very normal to use "localhost" as host name where all is running. Especially since a lot use docker containers running locally. The hard dis-allowance of localhost as redirect uri leads to the workaround of using http://127.0.0.1 as redirect uri in our case. imho this was not intended :-)

Anyway the spec uses the word not recommended and not not allowed. Not recommended sounds to me as you can do it, we warn you, but its your own risk. Perhaps someone has to enable this feature with a custom setting.

[tobias-meyer]

I have to agree with @thomasletsch .

Section 9.7.1 is a recommendation on how to implement the client endpoint to receive the redirect and it tells you that as the native app developer you should not make your app listen on localhost, but rather just 127.0.0.1.

Section 9.7.1 is no recommendation, that the authorization server should actively prevent the usage of localhost (in legitimate scenarios where the given arguments against using localhost don't apply). The section also says "Clients should open the network port only when starting the authorization request and close it once the response is returned.", which is another clear indication that it is not aimed at a web server which runs locally and of course constantly listens for requests.

I would even question whether disallowing localhost is a sensible default, but definitely it is not appropriate to not even allow the usage of localhost by means of a configuration property.

[jgrandja]

@git9999999 @thomasletsch @tobias-meyer Based on the upvotes in the original comment, I'm reopening this issue.

It's obviously causing issues for our users and that's not our intention. We do want to adhere to secure defaults, hence the reason for the current implementation.

However, we also want the framework to be easy to use during development.

We will look into this and come up with an easier solution to work with.