Did you know that browsers support using localhost subdomains such as `app.localhost` to access 127.0.0.1?
Do you also know that it is impossible to make those subdomains work with OAuth?
Of course, there is not a single culprit for this, but two:
- OAuth providers such as Microsoft and Google won't allow you to define http://app.localhost as the beginning of the callback URL. All callback URLs must either use https or start with http://localhost (and they are smart enough not to allow http://localhost.app.localhost). So you can't receive a callback at http://app.localhost, only at http://localhost.
You might think that's easy. Just callback to http://localhost and then redirect back to http://app.localhost. Unfortunately, this fails due to culprit 2:
- Browsers will not let you share cookies between http://app.localhost and http://localhost because they treat localhost as a special case. Even though they let you set cookies for localhost when you make a request to http://localhost, the browser won't allow you to specify `domain=localhost` when setting the cookie. localhost is treated like a public suffix (just like `com` or `org`), which you can't set cookies on.
Such restrictions don't exist if you want to share cookies between `app1.foo.localhost` and `app2.foo.localhost`. There you could set both cookies for the domain `foo.localhost` and they would be shared between app1 and app2. But due to point 1 above (only http://localhost), you can't use http://foo.localhost as the shared callback URL.
Other solutions are also out of the question:
- lvh.me or editing the /etc/hosts file won't help, because you still can't receive a callback on them (no https).
What remains are only paid options:
- ngrok (you need to pay for a static subdomain) or Cloudflare tunnels