Description
Does this issue occur when all extensions are disabled?: Yes/No
- VS Code Version: 1.104.1
- OS Version: Win 11 Enterprise 10.0.22631
Observation/problem:
Under OAuth 2.0 spec, an MCP (VSCode) client is a public client, as it cannot securely store a client secret. As a non-browser-based application, it aligns with the definition of a native client. Per RFC 8252, Section 8.3 - https://datatracker.ietf.org/doc/html/rfc8252#section-8.3, native clients should use loopback redirects (e.g., http://127.0.0.1:{port}) instead of localhost for enhanced security and compatibility:
While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on network interfaces other than the loopback interface. It is also less susceptible to client-side firewalls and misconfigured host name resolution on the user's device.
Moreover, Microsoft Identity Platform makes a similar recommendation - https://learn.microsoft.com/en-us/entra/identity-platform/reply-url#prefer-127001-over-localhost - stating that:
To prevent your app from breaking due to misconfigured firewalls or renamed network interfaces, use the IP literal loopback address 127.0.0.1 in your redirect URI instead of localhost.
Additionally, some OAuth 2.0 providers may reject "localhost" redirect URIs due to security policies, while DNS misconfiguration or overrides in "/etc/hosts" can cause "localhost" to resolve somewhere other than the loopback interface.
Suggestion/enhancement:
The proposed change is to eliminate the default localhost redirect URIs in favour of loopback IP redirects (e.g., http://127.0.0.1:{port}).
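As an added illustration (not VS Code's own code), the following TypeScript shows the redirect-URI handling a native client needs under RFC 8252: accept only loopback IP literals (127.0.0.1 / [::1]) as redirect hosts, rewrite a legacy "localhost" redirect to the IP literal, and apply the Section 7.3 matching rule under which the registered and actual loopback redirect may differ only in port. The URIs and port numbers used are constructed samples; the helper names are assumptions of this example.

```typescript
// Added example for RFC 8252 §7.3 / §8.3 loopback redirect handling in a native
// (public) OAuth 2.0 client. Not code from VS Code; helper names are assumed.

// Loopback IP literals. WHATWG URL reports an IPv6 hostname with brackets.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]);

// True only for an http URI whose host is a loopback IP literal.
// "localhost" is deliberately rejected (§8.3: NOT RECOMMENDED), as are
// non-http schemes and unparsable strings.
function isLoopbackRedirectUri(uri: string): boolean {
  let url: URL;
  try {
    url = new URL(uri);
  } catch {
    return false;
  }
  return url.protocol === "http:" && LOOPBACK_HOSTS.has(url.hostname);
}

// Rewrites an http://localhost[:port]/... redirect to the 127.0.0.1 literal.
// Any other URI is returned unchanged (normalized by the URL parser).
function toLoopbackRedirectUri(uri: string): string {
  const url = new URL(uri);
  if (url.protocol === "http:" && url.hostname === "localhost") {
    url.hostname = "127.0.0.1";
  }
  return url.toString();
}

// §7.3 matching rule: a loopback redirect is a match when scheme, host, path
// and query are identical; the port may differ because the client binds an
// ephemeral port at runtime. Non-loopback URIs never match here, so a
// "localhost" registration cannot slip through via this relaxed rule.
function loopbackRedirectMatches(registered: string, actual: string): boolean {
  if (!isLoopbackRedirectUri(registered) || !isLoopbackRedirectUri(actual)) {
    return false;
  }
  const r = new URL(registered);
  const a = new URL(actual);
  return r.hostname === a.hostname && r.pathname === a.pathname && r.search === a.search;
}
```

When the client opens its listener, bind it explicitly to the loopback address (host "127.0.0.1") rather than relying on the hostname "localhost" to resolve there, which is the §8.3 concern about listening on other interfaces.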