[openstreetmap/openstreetmap-website] Add localhost to allowed http redirect_uris for OAuth (PR #4287)
Sam
notifications at github.com
Tue Dec 12 15:02:54 UTC 2023
I understand your concerns.
The OAuth RFC does in fact [recommend not to use localhost](https://datatracker.ietf.org/doc/html/rfc8252#section-7.3), but to use `127.0.0.1` instead.
However, due to:
- Improved developer experience (easy, flexible)
- Small attack surface
using the `localhost` loopback address for OAuth callbacks during development is a commonly accepted approach:
[Google](https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation)
[Microsoft](https://learn.microsoft.com/en-us/entra/identity-platform/reply-url#supported-schemes)
[Amazon](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html)
I'm sure I could find many more.
I updated it so that `localhost` and `127.0.0.1` are hardcoded, so devs should not get the idea to extend to additional domains in the future.
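For readers following the thread, here is what the rule described above looks like as a redirect_uri check: https is accepted for any host, and plain http only when the host is exactly `localhost` or `127.0.0.1` (any port, as RFC 8252 suggests for loopback). This is an added illustration written in Ruby, not the openstreetmap-website code from the PR; the `allowed_redirect_uri?` function, the `LOOPBACK_HOSTS` constant and the sample URIs are all assumptions made for the example. It also shows the details a validator needs to get right for the loopback exception to stay narrow: exact host match (so `localhost.example.org` is not loopback), no userinfo component, and no fragment (RFC 6749 section 3.1.2).

```ruby
require "uri"

# Hosts for which a plain-http redirect_uri is accepted in development.
# Hardcoded loopback names only, as the PR comment describes; this list and
# the function below are illustrative, not the project's own code.
LOOPBACK_HOSTS = %w[localhost 127.0.0.1].freeze

# Returns true when +redirect_uri+ is acceptable:
#   - https with any host, or
#   - http only when the host is exactly one of LOOPBACK_HOSTS (any port).
# Everything else, including unparsable input, is rejected.
def allowed_redirect_uri?(redirect_uri)
  uri = URI.parse(redirect_uri)

  # A redirect target must be absolute; relative or host-less forms fail.
  return false if uri.host.nil? || uri.host.empty?

  # "http://localhost@other.example/cb" parses with host other.example and
  # userinfo "localhost"; refuse any userinfo so the host is unambiguous.
  return false unless uri.userinfo.nil?

  # RFC 6749 section 3.1.2: the redirection endpoint URI must not contain
  # a fragment component.
  return false unless uri.fragment.nil?

  case uri.scheme
  when "https"
    true
  when "http"
    # Exact, case-insensitive host comparison: no suffix or subdomain match.
    LOOPBACK_HOSTS.include?(uri.host.downcase)
  else
    false
  end
rescue URI::InvalidURIError
  # Malformed input (e.g. embedded spaces) is never an allowed redirect.
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a quick manual run.
  %w[https://osm.example/cb http://localhost:3000/cb http://127.0.0.1:8080/cb
     http://osm.example/cb http://localhost.osm.example/cb].each do |u|
    puts "#{u} -> #{allowed_redirect_uri?(u)}"
  end
end
```

The exact-match rule is the point of hardcoding the two names: a suffix or regex match would quietly widen the exception to arbitrary hosts, which is what the comment above is trying to prevent.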