feat: support dynamic port matching for localhost redirect URIs#874

Open
roncodingenthusiast wants to merge 1 commit into ory:master from roncodingenthusiast:feat/localhost-loopback-port-matching
Conversation

roncodingenthusiast commented Apr 14, 2026

Add localhost handling to isLoopbackAddress so that native OAuth 2.0 clients registering http://localhost/callback can use dynamic ports (e.g. http://localhost:54321/callback) for loopback redirect URIs.

Previously, isLoopbackAddress only used net.ParseIP which returns nil for the hostname "localhost", preventing port-flexible loopback matching. The existing hostname equality check in isMatchingAsLoopback prevents cross-matching between localhost and IP literals.

Related Issue or Design Document

#873

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

RFC 8252 §7.3 strictly defines loopback redirect URIs using IP literals only, and §8.3 says localhost is NOT RECOMMENDED. However, Fosite already accepts localhost as a valid loopback host for transport security purposes via IsLocalhost. This one-line change aligns isLoopbackAddress (used for port matching) with that existing decision, unblocking real-world MCP/OAuth clients that register http://localhost/callback by convention.

Test cases added:

  • http://localhost:9999/callback matches registered http://localhost/callback (dynamic port)
  • http://localhost/callback matches itself (exact match)
  • http://localhost:9999/callback does NOT match registered http://127.0.0.1/callback (hostname mismatch)
  • http://127.0.0.1:9999/callback does NOT match registered http://localhost/callback (hostname mismatch)

Add localhost handling to isLoopbackAddress so that native OAuth 2.0
clients registering http://localhost/callback can use dynamic ports
(e.g. http://localhost:54321/callback) per RFC 8252 Section 7.3.

Previously, isLoopbackAddress only used net.ParseIP which returns nil
for the hostname "localhost", preventing port-flexible loopback
matching. The existing hostname equality check in isMatchingAsLoopback
prevents cross-matching between localhost and IP literals.

Closes ory#873

Made-with: Cursor
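As an added example, not code from Fosite or from this PR: a self-contained Go matcher that implements the policy the description above lays out, namely exact matching of scheme, path, query and fragment, hostname equality with no cross-matching between `localhost` and IP literals, and a port that may differ only when the registered host is a loopback host. The function names `isLoopbackHost` and `matchesRedirectURI` and the sample URI pairs are assumptions made for this example, not Fosite's API.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isLoopbackHost reports whether a hostname (no port, no brackets) is a loopback
// host. IP literals go through net.ParseIP; "localhost" is accepted by name,
// which is the policy the PR above adopts (RFC 8252 §7.3 names only the IP
// literals and §8.3 discourages localhost). Hypothetical helper, not Fosite's.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// matchesRedirectURI reports whether a redirect_uri presented at the
// authorization endpoint is acceptable for a registered one. Scheme, host, path,
// query and fragment must be identical; the port may differ only when the host
// is a loopback host, and hostnames are never cross-matched (localhost is not
// 127.0.0.1). Hypothetical function, not Fosite's API.
func matchesRedirectURI(registered, requested string) (bool, error) {
	reg, err := url.Parse(registered)
	if err != nil {
		return false, fmt.Errorf("registered URI: %w", err)
	}
	req, err := url.Parse(requested)
	if err != nil {
		return false, fmt.Errorf("requested URI: %w", err)
	}

	// Compare the string components verbatim: no path cleaning, no query
	// reordering, so "/callback/../x" or an added query never matches.
	if reg.Scheme != req.Scheme || reg.Path != req.Path ||
		reg.RawQuery != req.RawQuery || reg.Fragment != req.Fragment {
		return false, nil
	}
	// Hostnames are compared case-insensitively (DNS names are), but an IP
	// literal never equals a name. Userinfo such as "localhost@evil.example"
	// changes Hostname() to evil.example and therefore fails here.
	if !strings.EqualFold(reg.Hostname(), req.Hostname()) {
		return false, nil
	}
	if reg.Port() == req.Port() {
		return true, nil // exact match (same port, or no port, on both sides)
	}
	// Ports differ: only allowed for loopback hosts (RFC 8252 §7.3).
	return isLoopbackHost(reg.Hostname()), nil
}

func main() {
	// Constructed sample pairs, including the four cases the PR lists.
	pairs := [][2]string{
		{"http://localhost/callback", "http://localhost:9999/callback"},
		{"http://localhost/callback", "http://localhost/callback"},
		{"http://127.0.0.1/callback", "http://localhost:9999/callback"},
		{"http://localhost/callback", "http://127.0.0.1:9999/callback"},
		{"http://[::1]/callback", "http://[::1]:8080/callback"},
		{"https://app.example/callback", "https://app.example:8443/callback"},
		{"http://localhost/callback", "http://localhost:9999/callback/../admin"},
	}
	for _, p := range pairs {
		ok, err := matchesRedirectURI(p[0], p[1])
		fmt.Printf("%-32s %-44s match=%v err=%v\n", p[0], p[1], ok, err)
	}
}
```

Port flexibility is keyed on the registered URI's host, so a client registered with a public hostname never gains it, and because hostnames must be identical before the port is even looked at, `localhost` and `127.0.0.1` stay distinct exactly as the PR's test cases require.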
roncodingenthusiast requested review from a team and aeneasr as code owners on April 14, 2026 12:09
CLAassistant commented Apr 14, 2026

CLA assistant check
All committers have signed the CLA.
