Expected Behavior
It should be possible to override this with a config property, to allow the use of localhost as the redirect host.
Current Behavior
I am not an OAuth2 specialist, and I am sure there are good reasons to prevent that behaviour by default. But for local development, people are used to entering the URL localhost:4200 and not 127.0.0.1:4200.
Current Code
    String requestedRedirectHost = requestedRedirect.getHost();
    if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
        // As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1
        // While redirect URIs using localhost (i.e.,
        // "http://localhost:{port}/{path}") function similarly to loopback IP
        // redirects described in Section 10.3.3, the use of "localhost" is NOT RECOMMENDED.
        return false;
    }
    if (!isLoopbackAddress(requestedRedirectHost)) {
        // As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7
        // When comparing client redirect URIs against pre-registered URIs,
        // authorization servers MUST utilize exact string matching.
        return registeredClient.getRedirectUris().contains(requestedRedirectUri);
    }
Context
- It took me a long time to realize that localhost is not allowed.
- For local development it is common to use localhost, not 127.0.0.1.
PS: In any case, please add a log statement that tells developers, if they use localhost, that this is the reason for the auth error they will suffer.
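The check quoted above, rewritten as a stand-alone example (added here, not the project's own code) with a hypothetical allowLocalhost switch and the log line the post asks for. The port-insensitive loopback comparison and the simplified 127.0.0.0/8 test are assumptions of this example, not behaviour quoted from the project.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.logging.Logger;
// Stand-alone illustration of the redirect-URI rules quoted in the issue; allowLocalhost is
// a hypothetical switch, not a Spring Authorization Server configuration property.
public final class RedirectUriValidator {
    private static final Logger LOG = Logger.getLogger(RedirectUriValidator.class.getName());
    private final Set<String> registeredRedirectUris; // exact strings registered for the client
    private final boolean allowLocalhost;
    public RedirectUriValidator(Set<String> registeredRedirectUris, boolean allowLocalhost) {
        this.registeredRedirectUris = Set.copyOf(registeredRedirectUris);
        this.allowLocalhost = allowLocalhost;
    }
    public boolean isValid(String requestedRedirectUri) {
        URI requested = parse(requestedRedirectUri);
        String host = requested == null ? null : requested.getHost();
        if (host == null) {
            return false;
        }
        boolean isLocalhost = host.equals("localhost");
        if (isLocalhost && !allowLocalhost) {
            // Section 9.7.1 of the cited draft: "localhost" is NOT RECOMMENDED since the name need
            // not resolve to the loopback interface; log why so the developer sees the cause.
            LOG.warning("Rejected redirect_uri " + requestedRedirectUri
                    + ": host \"localhost\" is not allowed, use 127.0.0.1 or [::1] instead");
            return false;
        }
        if (!isLocalhost && !isLoopbackAddress(host)) {
            // Section 9.7: any other redirect URI must match a registered URI exactly.
            return registeredRedirectUris.contains(requestedRedirectUri);
        }
        // Loopback (and opted-in localhost): the client may bind an ephemeral port, so the port
        // is ignored but scheme, host, path and query must still match a registered URI.
        String wanted = withoutPort(requested);
        return registeredRedirectUris.stream().map(RedirectUriValidator::parse)
                .anyMatch(u -> u != null && wanted.equals(withoutPort(u)));
    }
    // Simplified loopback test: 127.0.0.0/8, or the IPv6 loopback as URI.getHost() returns it.
    static boolean isLoopbackAddress(String host) {
        return host.startsWith("127.") || host.equals("[::1]");
    }
    private static URI parse(String uri) {
        try { return new URI(uri); } catch (URISyntaxException e) { return null; }
    }
    private static String withoutPort(URI u) {
        String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
        return u.getScheme() + "://" + u.getHost() + u.getRawPath() + query;
    }
}
```

With allowLocalhost=false, a client registered for http://127.0.0.1/cb is accepted on any port but http://localhost:4200/cb is refused with the warning logged; with the switch on, localhost is treated like the loopback IP.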