DEV Community

Christopher Oezbek

Mission impossible with localhost

Did you know that browsers support using localhost subdomains such as app.localhost to access 127.0.0.1?

Did you also know that it is impossible to make those subdomains work with OAuth?

Of course, there is not a single culprit for this, but two:

  1. OAuth providers such as Microsoft and Google won't allow you to define http://app.localhost as the beginning of the callback URL. All callback URLs must either use https or start with http://localhost (and the providers are smart enough not to allow http://localhost.app.localhost). So you can't receive a callback to http://app.localhost, only to http://localhost.

You might think that's easy. Just callback to http://localhost and then redirect back to http://app.localhost. Unfortunately, this fails due to culprit 2:

  2. Browsers will not let you share cookies between http://app.localhost and http://localhost because they treat localhost as a special case. Even though they allow you to set cookies for localhost when you perform a request to http://localhost, the browser won't allow you to specify domain=localhost when setting the cookie. Localhost is treated like a public suffix (just like com or org), on which you can't set cookies.

Such restrictions don't exist if you want to share cookies between app1.foo.localhost and app2.foo.localhost. There you could set both cookies for the domain foo.localhost and they would be shared between app1 and app2. But due to point 1 above (only http://localhost), you can't use http://foo.localhost as the shared callback URL.
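The two rules above can be modelled together to see why no combination works. This is an added example, not code from the original post: the function names and `PUBLIC_SUFFIXES` set are hypothetical, the provider check is a simplification of the rule as the post states it, and the cookie logic follows the Domain handling in RFC 6265 section 5.3.

```javascript
// Constructed stand-in for the browser's public suffix list; "localhost" is
// included because the post says browsers treat it like a public suffix.
const PUBLIC_SUFFIXES = new Set(["com", "org", "localhost"]);

// Provider rule as described in the post: https, or plain http://localhost.
// Comparing the parsed hostname rejects http://localhost.app.localhost.
function redirectUriAllowed(uri) {
  const u = new URL(uri);
  if (u.protocol === "https:") return true;
  return u.protocol === "http:" && u.hostname === "localhost";
}

// RFC 6265 domain-match: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Which of `candidates` receive a cookie set by `requestHost` with the given
// Domain attribute (null means no attribute, i.e. a host-only cookie).
function cookieRecipients(requestHost, domainAttr, candidates) {
  const hostOnly = candidates.filter((h) => h === requestHost);
  if (domainAttr === null) return hostOnly;
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Public suffix: downgraded to host-only if it is the request host,
    // otherwise the cookie is ignored entirely.
    return domain === requestHost ? hostOnly : [];
  }
  if (!domainMatch(requestHost, domain)) return []; // foreign domain
  return candidates.filter((h) => domainMatch(h, domain));
}

// Can a cookie set during the callback on `callbackHost` reach `appHost`?
// Tries every parent domain of callbackHost as the Domain attribute.
function canShareSession(callbackHost, appHost) {
  const labels = callbackHost.split(".");
  return labels.some((_, i) => {
    const domain = labels.slice(i).join(".");
    return cookieRecipients(callbackHost, domain, [appHost]).length > 0;
  });
}

// The only allowed http callback host cannot hand a cookie to app.localhost,
// and the host that could share cookies is not allowed as a callback.
console.log(redirectUriAllowed("http://localhost/cb"), canShareSession("localhost", "app.localhost"));
console.log(redirectUriAllowed("http://foo.localhost/cb"), canShareSession("app1.foo.localhost", "app2.foo.localhost"));
```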

Other solutions are also out of the question:

  • lvh.me or editing of the /etc/hosts file won't help, because you still can't callback to them (no https).

What remains are only paid options:

  • ngrok (need to pay for a static subdomain) or Cloudflare tunnels

Compare with:

https://hackernoon.com/local-development-with-subdomains-mobile-testing-and-oauth-is-it-more-cost-effective?source=rss
