3

IETF RFCs seem to contradict each other when it comes to OAuth2 native app redirect URIs. From the IETF RFC: The OAuth 2.0 Authorization Framework, Section 3.1.2.1:

The redirection endpoint SHOULD require the use of TLS as described in Section 1.6 when the requested response type is "code" or "token", or when the redirection request will result in the transmission of sensitive credentials over an open network

Meanwhile from IETF RFC: OAuth 2.0 for Native Apps, Section 8.3:

Loopback interface redirect URIs use the "http" scheme (i.e., without Transport Layer Security (TLS)). This is acceptable for loopback interface redirect URIs as the HTTP request never leaves the device.

The problem is muddied even further by the fact that the former of the two RFCs above also discourages the use of the localhost hostname, recommending instead an IP literal like 127.0.0.1 instead:

While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on work interfaces other than the loopback interface.

The prospect of creating a TLS certificate (required for HTTPS) for a loopback interface hostname like localhost seems difficult enough according to Let's Encrypt let alone doing so for an IP literal like 127.0.0.1 (impossible??).

I notice that Plain HTTP is used for native app loopback URL examples from OAuth.com and even an example desktop OAuth2 client from one of the authors of the above RFC (William Denniss) illustrates the use of an HTTP-based loopback redirect endpoint. So why would the primary RFC recommend against it?

Perhaps native desktop apps consitute an exception to the SHOULD require the use of TLS statement above, but even Amazon Cognito (an OAuth2 Authorization Server implementation) enforces the use of HTTPS for all redirect URIs other than http://localhost (i.e. including loopback IP literals like http://127.0.0.1):

Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only

So it seems I am forced to use http://localhost, violating the IETFs recommendation, in order to circumvent Cognito's HTTPS enforcement.

Thus my question:

Should an OAuth2 native desktop client use HTTPS loopback redirect URIs, and if so how?

Related Stackoverflow post

Rowan
  • 51
  • 4
  • Localhost is not an "open network" - if your browser requests a localhost address, the request doesn't go to a network. It's handled by your operating system's TCP/IP stack. – Ján Halaša Dec 07 '21 at 08:55
  • Indeed, which is why the second quote above says using HTTP on localhost is acceptable. Nevertheless there is the contradiction with the first RFC, as well as Cognito's implementation. – Rowan Dec 07 '21 at 09:49
  • 1
    You're not wrong, but the RECOMMENDED http://127.0.0.1 loopback redirect URI support could likely be a low priority feature for Cognito. Sadly, incomplete authorization server implementations aren't anything new. I've been frustrated by Okta's lack of variable ports in localhost callbacks for native apps, and that's a MUST in the RFC. – Andrew Wasielewski Dec 07 '21 at 16:20

0 Answers0