Loopback Interface Redirection Help

Hi,

I’m implementing authentication for a cross-platform desktop app using authorization code grant flow with PKCE. As confirmed by the Auth0 blog post…

…it is no longer recommended to use an integrated web browser to perform native authentication. This means I should open the authorize url in the system browser, and that my desktop app must be able to retrieve the authorization code after the external login redirect.

Here’s my problem. Of the available options for obtaining the auth code, ‘Loopback Interface Redirection’ e.g. redirecting to the loopback address, seems to offer the most seamless login experience, but I can’t use it in production as Auth0 doesn’t allow a wildcard port number. If I hardcode a specific port to listen to, I have no guarantee it will be available on the client machine.

Quoting from the ‘OAuth 2.0 for Native Apps’ spec which Auth0 cites in the blog post…

The authorization server MUST allow any port to be specified at the
time of the request for loopback IP redirect URIs, to accommodate
clients that obtain an available ephemeral port from the operating
system at the time of the request.

As far as I can tell, Auth0 doesn’t support this, so I have to specify a fixed port in the ‘allowed callbacks’ setting. I can’t specify EVERY ephemeral port number, as there’s around 16000 of them! Neither can I use a custom URI scheme, as this would require my users to elevate the app to admin in order to register the scheme with the OS. It would also require the user to approve the scheme when the redirect happens in their browser, which feels clunky, and they might click ‘no’.

Does anyone know how I can work around this, or if/when Auth0 are planning to implement this?

Thanks

Tom
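The flow Tom describes (system browser, authorization code with PKCE, redirect to the loopback interface on an OS-assigned ephemeral port) as an added example, not code from the original post or from Auth0. It binds port 0 so the operating system chooses a free port, which is exactly what RFC 8252 expects the authorization server to accommodate; the tenant domain, client id and callback path are placeholders, and `simulate_redirect` stands in for the browser so the listener can be exercised offline.

```python
"""Loopback-interface redirect for OAuth 2.0 authorization code + PKCE.
Added example; endpoint, client id and callback path below are placeholders."""
import base64
import hashlib
import queue
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

AUTHORIZE_ENDPOINT = "https://YOUR_TENANT.example/authorize"  # placeholder
CLIENT_ID = "YOUR_CLIENT_ID"  # placeholder
CALLBACK_PATH = "/callback"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(port, state, code_challenge):
    """Authorize URL whose redirect_uri carries the ephemeral loopback port."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": f"http://127.0.0.1:{port}{CALLBACK_PATH}",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "scope": "openid",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Return the authorization code, or None if the path or state is wrong."""
    parsed = urllib.parse.urlsplit(path)
    if parsed.path != CALLBACK_PATH:
        return None
    q = urllib.parse.parse_qs(parsed.query)
    state, code = q.get("state", [None])[0], q.get("code", [None])[0]
    if code is None or state is None:
        return None
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code


class LoopbackListener:
    """One-shot HTTP listener on 127.0.0.1 with an OS-assigned ephemeral port."""

    def __init__(self, expected_state):
        self.result = queue.Queue(maxsize=1)
        listener = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                code = parse_callback(self.path, expected_state)
                self.send_response(200 if code else 400)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"You may close this window." if code else b"Invalid callback.")
                try:
                    listener.result.put_nowait(code)  # only the first redirect counts
                except queue.Full:
                    pass

            def log_message(self, *args):  # keep the console quiet
                pass

        self.server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)  # port 0: OS picks
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def wait_for_code(self, timeout=None):
        """Block until the redirect arrives, then tear the listener down."""
        try:
            return self.result.get(timeout=timeout)
        except queue.Empty:
            return None
        finally:
            self.server.shutdown()
            self.server.server_close()


def simulate_redirect(port, path_and_query):
    """Stand-in for the browser: GET the callback and return the HTTP status."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path_and_query}") as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    listener = LoopbackListener(state)
    print("Open in the system browser:", build_authorize_url(listener.port, state, challenge))
    print("Authorization code:", listener.wait_for_code(timeout=300))
```

The port only becomes known after the bind, so the redirect_uri is assembled per run; this is why a fixed allowed-callback entry in the tenant settings cannot describe it. The state check and the single-use queue mean a stray or replayed request to the listener is answered with 400 and never surfaces as a code.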


Hi @Tom. I was under the impression that the loopback callback URLs accepted an asterisk in the port number, but I couldn’t get it to work. I’ll check with someone from engineering on Monday and I’ll get back to you.


Hi again @Tom.
Unfortunately, we don’t support wildcards for the port in loopback callback URLs. You are correct in that this should be supported, so I’ll add a feature request on your behalf at Auth0: Secure access for everyone. But not just anyone.
I’ll link directly to this topic, as your user case and explanation are perfectly clear.