Allow http:// loopback redirect URIs for native OAuth apps (RFC 8252)

[Copilot]

Native apps (CLI tools, desktop apps) require http://localhost callback servers for OAuth flows per RFC 8252 §7.3. Current validation rejects all http:// URIs, blocking this standard pattern.

Changes

• Modified validateRedirectUri to allow http:// for loopback addresses (127.0.0.1, [::1], localhost)
• Fragment, wildcard, and whitelist checks still apply to loopback URIs
• Non-loopback URIs continue to require https://

Example OAuth client configuration now supported:

const client = {
  redirectUris: [
    "http://127.0.0.1:8080/callback",  // Now allowed
    "http://localhost:3000/callback",  // Now allowed
    "http://[::1]:9000/callback"       // Now allowed
  ]
};

This completes native app OAuth support alongside existing PKCE and public client features.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Support http://localhost redirect URIs for native/CLI OAuth apps (RFC 8252)</issue_title>
<issue_description>## Use Case

CLI tools and native desktop apps that use OAuth PKCE with a local callback server to authenticate users. The standard flow is:

1. CLI starts a local HTTP server on a random port (e.g. http://127.0.0.1:8765/callback)
2. CLI opens the browser to the OAuth authorization URL
3. User authorizes the app in the browser
4. Browser redirects to the local callback server with the authorization code
5. CLI exchanges the code for a token using PKCE (no client secret needed)

This is the recommended approach for native apps per RFC 8252 Section 7.3 (Loopback Interface Redirection).

Current Limitation

validateRedirectUri in server/utils/oauth/OAuthInterface.ts calls:

if (!isUrl(uri, { requireHttps: true })) {
  return false;
}

The isUrl function in shared/utils/urls.ts unconditionally blocks http:// protocol when requireHttps: true:

if (requireHttps && url.protocol === "http:") {
  return false;
}

This means http://127.0.0.1:PORT/callback and http://localhost:PORT/callback are rejected, even though they are the standard mechanism for native app OAuth.

Suggested Fix

Add a loopback exception in validateRedirectUri before the isUrl check:

async validateRedirectUri(uri, client) {
  // ...existing checks...

  // Allow loopback redirects for native/CLI apps (RFC 8252 §7.3)
  const url = new URL(uri);
  const isLoopback = url.hostname === '127.0.0.1' 
    || url.hostname === '[::1]' 
    || url.hostname === 'localhost';
  
  if (!isLoopback && !isUrl(uri, { requireHttps: true })) {
    return false;
  }

  return true;
}

Per RFC 8252, loopback redirects:

• MUST use http (not https) since TLS certificates cannot be obtained for loopback addresses
• SHOULD use 127.0.0.1 (IPv4) or [::1] (IPv6) rather than localhost to avoid DNS resolution issues
• The port MAY vary between requests (the authorization server should allow any port)

Context

Outline already supports the other half of native app OAuth:

• PKCE (code_challenge / code_challenge_method in the authorize endpoint)
• Public clients that don't require a client secret (feat: Allow PKCE clients to refresh tokens #10769)

The only missing piece for full native app support is allowing http:// redirect URIs for loopback addresses.

References

• Implement OAuth PKCE browser login Doist/outline-cli#7</issue_description>

Comments on the Issue (you are @copilot in this section)

@tommoor Seems pretty reasonable 👍

• Fixes Support http://localhost redirect URIs for native/CLI OAuth apps (RFC 8252) #11254

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}