
a.b.localhost redirect URIs in OIDC/OAuth2.0 authentication

When developing a website relying on OIDC/OAuth2.0 login, it is possible without much difficulty to authenticate against a local environment, as long as the local environment has a valid Client ID, much like any other environment.

One can even put restrictions on such a Client ID, restricting the redirect URIs it may be used with to something like "https://localhost:8000/accounts/google/login/callback/"

This is all nice and good, and works exactly like one might expect.


Now, you might have a more complex local dev setup, with multiple websites, a reverse-proxy with host-based filtering, etc. For such a situation (and many others), RFC 6761 allows the use of any DNS name ending in .localhost, and encourages local resolvers to always return loopback addresses for such queries (https://www.rfc-editor.org/rfc/rfc6761#section-6.3)

It is nowadays considered good practice to use such domains for local development environments, instead of manually adding entries to local hosts files, making a local network's DNS hijack a (hopefully invalid) TLD, or any other hacky way to get a DNS resolver to return something to use for your local dev environment.

As far as I can tell, all major OS/browsers implement this behavior.


Google OIDC/OAuth2.0 login, however, does not support it.

When authenticating to a redirect URI such as "https://mywebsite.localhost:8000/accounts/google/login/callback/", it returns the following message:

"You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one or more Google validation rules.
If you are a developer of [app_name] see error details.
Error 400: invalid_request"

This happens even with an unrestricted OAuth Client ID, and the GCP console refuses such a redirect URI with the following message:
"Invalid Redirect: must end with a public top-level domain (such as .com or .org). Invalid Redirect: must use a domain that is a valid top private domain."

I'm assuming this is a conscious design choice, but if so, it's puzzling me. Google clearly means to allow developers to be able to log in on localhost websites, but then, what reason is there to forbid *.localhost?
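The two rules the post runs into, RFC 6761's loopback treatment of anything under .localhost and an authorization server's "must end in a public TLD" policy, can be put side by side in a small redirect_uri check. The following is an added example written for this page, not code from the original post or from Google; the client registry and the tiny public-TLD set are constructed stand-ins (a real validator would consult the Public Suffix List), and the `require_public_tld` switch only approximates the kind of rule the console error message describes, not Google's actual implementation.

```python
"""Redirect-URI checks for an OAuth 2.0 / OIDC client registry (added example)."""
from urllib.parse import urlsplit

# Constructed registry of redirect URIs for a hypothetical client (no real client ID).
# The http://app.example.com entry is deliberately present so the scheme check below
# has something to refuse.
REGISTERED_REDIRECTS = {
    "https://localhost:8000/accounts/google/login/callback/",
    "https://mywebsite.localhost:8000/accounts/google/login/callback/",
    "https://app.example.com/accounts/google/login/callback/",
    "http://localhost:8000/cb/",
    "http://app.example.com/cb/",
}

# Constructed stand-in for a public-suffix list. ".localhost" is absent on purpose:
# RFC 6761 reserves it, and it is not a public top-level domain.
PUBLIC_TLDS = {"com", "org", "net", "io"}


def is_loopback_host(host: str) -> bool:
    """True for names RFC 6761 section 6.3 says resolvers should answer with loopback
    ('localhost' and any name under '.localhost'), plus literal loopback addresses."""
    h = host.lower().rstrip(".")
    return h == "localhost" or h.endswith(".localhost") or h in {"127.0.0.1", "::1"}


def has_public_tld(host: str) -> bool:
    """True when the last label is in the (constructed) public-TLD set."""
    labels = host.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] in PUBLIC_TLDS


def check_redirect(uri: str, registered=REGISTERED_REDIRECTS,
                   require_public_tld: bool = False) -> str:
    """Classify a redirect_uri presented at the authorization endpoint.

    Returns "ok", "not_registered", "insecure_scheme" or "rejected_tld".
    - Exact string match against the registered set (the OAuth 2.0 Security BCP
      recommends exact matching of registered redirect URIs).
    - Plain http is tolerated only for loopback hosts, in the spirit of RFC 8252
      section 7.3.
    - require_public_tld=True models a policy of the kind the console error in the
      post quotes: every host must end in a public TLD unless it is exactly
      'localhost'. Assumption: an approximation for illustration, not Google's code.
    """
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if uri not in registered:
        return "not_registered"
    if parts.scheme != "https" and not is_loopback_host(host):
        return "insecure_scheme"
    if require_public_tld and host.lower() != "localhost" and not has_public_tld(host):
        return "rejected_tld"
    return "ok"


def classify_all(uris, require_public_tld: bool = False) -> dict:
    """Verdict for each URI under the chosen policy, for side-by-side comparison."""
    return {u: check_redirect(u, require_public_tld=require_public_tld) for u in uris}


if __name__ == "__main__":
    sample = [
        "https://localhost:8000/accounts/google/login/callback/",
        "https://mywebsite.localhost:8000/accounts/google/login/callback/",
        "https://app.example.com/accounts/google/login/callback/",
        "https://evil.example.com/accounts/google/login/callback/",
    ]
    for policy in (False, True):
        print(f"require_public_tld={policy}")
        for uri, verdict in classify_all(sample, policy).items():
            print(f"  {verdict:15} {uri}")
```

Running it with `require_public_tld=False` accepts the mywebsite.localhost callback, since the host is loopback under RFC 6761 and the URI is registered verbatim; flipping the switch reproduces the situation in the post, where the bare localhost URI passes and the *.localhost one is refused by the TLD rule rather than by any security property of the redirect itself.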