Consider allowing localhost in redirect_uri

[git9999999]

Expected Behavior
It should be possible to Overwrite the with a Config properties, to allow the use of localhost as Redirect Host.

Current Behavior
I am not a oauth2 specialist, and i am sure there are good reasons to prevent that behaviour by default. But for local development, people are use the enter the url localhost:4200 and not 127.0.0.1:4200

Current Code

	String requestedRedirectHost = requestedRedirect.getHost();
		if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
			// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1
			// While redirect URIs using localhost (i.e.,
			// "http://localhost:{port}/{path}") function similarly to loopback IP
			// redirects described in Section 10.3.3, the use of "localhost" is NOT RECOMMENDED.
			return false;
		}
		if (!isLoopbackAddress(requestedRedirectHost)) {
			// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7
			// When comparing client redirect URIs against pre-registered URIs,
			// authorization servers MUST utilize exact string matching.
			return registeredClient.getRedirectUris().contains(requestedRedirectUri);
		}

Context

1. I took me a long time to realize that localhost is not allowed.
2. for local development is common to use localhost not 127.0.0.1

PS: In any case please add a Log statement that tell the Developers, if the use localhost, that this is the reason for the auth error they will suffer.

[jgrandja]

@git9999999 The reason "localhost" is not allowed is documented in the code:

// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1

Please review the link for full details.

Either way, we do need to improve the error message / notification for this scenario.

I'm going to close this as a duplicate of gh-680. Feel free to add additional comments there.

[thomasletsch]

I can understand all the reasoning behind this settings, but I would like to emphasis one the points git9999999 made:

For local development it is very normal to use "localhost" as host name where all is running. Especially since a lot use docker containers running locally. The hard dis-allowance of localhost as redirect uri leads to the workaround of using http://127.0.0.1 as redirect uri in our case. imho this was not intended :-)

Anyway the spec uses the word not recommended and not not allowed. Not recommended sounds to me as you can do it, we warn you, but its your own risk. Perhaps someone has to enable this feature with a custom setting.

[tobias-meyer]

I have to agree with @thomasletsch .

Section 9.7.1 is a recommendation on how to implement the client endpoint to receive the redirect and it tells you that as the native app developer you should not make your app listen on localhost, but rather just 127.0.0.1.

Section 9.7.1 is no recommendation, that the authorization server should actively prevent the usage of localhost (in legitimate scenarios where the given arguments against using localhost don't apply). The section also says "Clients should open the network port only when starting the authorization request and close it once the response is returned.", which is another clear indication that it is not aimed at a web server which runs locally and of course constantly listens for requests.

I would even question whether disallowing localhost is a sensible default, but definitely it is not appropriate to not even allow the usage of localhost by means of a configuration property.

[jgrandja]

@git9999999 @thomasletsch @tobias-meyer Based on the upvotes in the original comment, I'm reopening this issue.

It's obviously causing issues for our users and that's not our intention. We do want to adhere to secure defaults, hence the reason for the current implementation.

However, we also want the framework to be easy to use during development.

We will look into this and come up with an easier solution to work with.

[git9999999]

Hi Joe
Thank a lot for reconsidering this issue. It is the coolest Christmas present for me this year :-)
Wish you all merry Christmas
G

[jgrandja]

No worries @git9999999. Enjoy the holidays!

[Chr3is]

As per https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata

"[...]Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname[...]"

[tinolazreg]

Any timeline on this issue? :)

[jgrandja]

@tinolazreg We're targeting the 1.1.0 release. See the release dates.

[rafallezanko]

Hi @jgrandja , I have met the same error when I tried to redirect to mobile app. I use custom URL scheme (com.duendesoftware.demo:/oauthredirect) and code inside class OAuth2AuthorizationCodeRequestAuthenticationValidator does not allow to do redirect back to mobile app.

My diagnose is that UriComponentsBuilder.fromUriString builds UriComponents where getHost() method returns null and it makes that the variable requestedRedirectHost is null.

For local tests I commented all code inside method: OAuth2AuthorizationCodeRequestAuthenticationValidator .validateRedirectUri and then the flow works fine.

Do you consider fix it in the 1.1.0 release? I hope so! ;)

UriComponents requestedRedirect = null;
try {
	requestedRedirect = UriComponentsBuilder.fromUriString(requestedRedirectUri).build();
} catch (Exception ex) { }
if (requestedRedirect == null || requestedRedirect.getFragment() != null) {
	throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI,
			authorizationCodeRequestAuthentication, registeredClient);
}

String requestedRedirectHost = requestedRedirect.getHost();
if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
	// As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-9.7.1
	// While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}")
	// function similarly to loopback IP redirects described in Section 10.3.3,
	// the use of "localhost" is NOT RECOMMENDED.
	OAuth2Error error = new OAuth2Error(
			OAuth2ErrorCodes.INVALID_REQUEST,
			"localhost is not allowed for the redirect_uri (" + requestedRedirectUri + "). " +
					"Use the IP literal (127.0.0.1) instead.",
			"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-9.7.1");
	throwError(error, OAuth2ParameterNames.REDIRECT_URI,
			authorizationCodeRequestAuthentication, registeredClient);
}

Best regards and have a nice day! :)
Rafał

[jgrandja]

Thanks for the additional info @rafallezanko. Yes, we will address this before the 1.1.0 release.

[jgrandja]

@git9999999 @thomasletsch @tobias-meyer

I reviewed the relevant specifications and although the use of localhost is NOT RECOMMENDED, it does not explicitly state that it is prohibited. Based on this, the current implementation is too strict and therefore I will apply the required changes to allow for localhost in the redirect_uri. This will be back-ported to the 0.4.x branch.

[rafallezanko]

@jgrandja I think your fix does not allow to provide custom URL scheme eg. mobile device (com.duendesoftware.demo:/oauthredirect).

Can you check please? The following code in class OAuth2AuthorizationCodeRequestAuthenticationValidator does not allow to provide custom URL scheme.

			UriComponents requestedRedirect = null;
			try {
				requestedRedirect = UriComponentsBuilder.fromUriString(requestedRedirectUri).build();
			} catch (Exception ex) { }
			if (requestedRedirect == null || requestedRedirect.getFragment() != null) {
				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI,
						authorizationCodeRequestAuthentication, registeredClient);
			}

Should I open new issue?

[jgrandja]

@rafallezanko I just tried it and com.duendesoftware.demo:/oauthredirect works.

[rafallezanko]

Perfect, thank you for fast feedback.