Is it possible to configure a “MACHINE TO MACHINE” application to use a random port in the redirect_uri parameter?
The use case is the following: I have a CLI app that allows you to do OAuth/OIDC, but it wants to listen on a random port (127.0.0.1:0) so it can work in most environments. This use case works on other identity providers like Google or Microsoft, but it does not work on Auth0. I get a "Callback URL mismatch" error unless I specify the right port in "Allowed Callback URLs".
The app already supports the device flow, and it’s going to be possible to set a fixed port, but I was wondering if it was possible to do it in the same way we do it in other identity providers.
Ok, so it seems that it’s not supported.
Curious though: if the CLI supports device flow, what is it listening on that port for? Because the callback wouldn't go to the CLI but to the (most likely) web browser where the code was entered (either on the same machine as the CLI, or it could also be a barcode displayed in the terminal that's been scanned via mobile, for example). The CLI just needs to poll; there is no need to listen for anything.
Sample CLI with Device Flow, no webserver spun up, only polling:
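The polling loop the reply describes, as an added example (not the sample linked above, and not code from step or Auth0). It runs the RFC 8628 device flow from the CLI side against a token endpoint simulated in process, so the exchange is visible offline: the client never opens a socket, it only POSTs to the token endpoint and backs off on `authorization_pending` and `slow_down`. The device authorization response, the endpoint URLs and the `client_id` are constructed placeholders.

```python
"""Device flow (RFC 8628) polling from a CLI: no listener, just the token
endpoint round trips. The endpoint is simulated so this runs offline.
"""
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed stand-in for the device authorization response the CLI would
# get from POST /oauth/device/code; the user types user_code into a browser.
DEVICE_AUTH_RESPONSE = {
    "device_code": "dev-code-constructed",
    "user_code": "WDJB-MJHT",
    "verification_uri": "https://issuer.example/activate",  # placeholder
    "expires_in": 600,
    "interval": 5,
}


class FakeTokenEndpoint:
    """Scripted replies a real token endpoint could send while the user is
    still entering the code. Records every form the client posted."""

    def __init__(self, script):
        self.script = list(script)
        self.calls = []

    def post(self, form):
        self.calls.append(dict(form))
        return self.script.pop(0)


def poll_for_token(post, device_code, client_id, interval, expires_in,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint until the user approves, denies, or the code
    expires. `post` takes a form dict and returns the decoded JSON body.

    RFC 8628 section 3.5: on slow_down the interval is increased by 5 s for
    this and all later requests; authorization_pending keeps the interval.
    """
    deadline = clock() + expires_in
    wait = interval if interval else 5  # RFC default when the server omits it
    while True:
        if clock() >= deadline:
            raise TimeoutError("device code expired before the user approved it")
        resp = post({
            "grant_type": DEVICE_CODE_GRANT,
            "device_code": device_code,
            "client_id": client_id,
        })
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            pass
        elif err == "slow_down":
            wait += 5
        elif err in ("expired_token", "access_denied"):
            raise PermissionError(err)
        else:
            raise RuntimeError(f"unexpected token endpoint error: {err!r}")
        sleep(wait)


if __name__ == "__main__":
    print(f"Open {DEVICE_AUTH_RESPONSE['verification_uri']} and enter "
          f"{DEVICE_AUTH_RESPONSE['user_code']}")
    endpoint = FakeTokenEndpoint([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"access_token": "constructed-token", "token_type": "Bearer"},
    ])
    waits = []
    token = poll_for_token(endpoint.post, DEVICE_AUTH_RESPONSE["device_code"],
                           "cli-client-placeholder", DEVICE_AUTH_RESPONSE["interval"],
                           DEVICE_AUTH_RESPONSE["expires_in"], sleep=waits.append)
    print("token:", token["access_token"], "after waits", waits)
```

`sleep` and `clock` are injectable so the loop can be exercised without real delays; in a CLI you leave the defaults and replace `FakeTokenEndpoint.post` with an HTTP POST to the provider's token endpoint.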
The app, step, is a toolchain for working with multiple auth- and crypto-related standards. The OAuth-specific command can be used, for example, by developers to test their integrations or to authenticate other flows within the app. And I think the M2M flow is the one with the least friction for the user.
Ok, in case of M2M and thus client credentials grant, then the fixed port would be needed.
@mathiasconradt I’ve been reviewing the RFCs, and in the “Loopback Interface Redirection” section of RFC8252, OAuth 2.0 for Native Apps, they state the following:
The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.
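What that RFC 8252 rule looks like on both ends of the exchange the question describes, as an added example that is not code from the thread, from step, or from Auth0. The client binds 127.0.0.1 port 0, reads back the ephemeral port the OS chose, and only then builds the `redirect_uri` (with PKCE, which RFC 8252 also requires for native apps). The `redirect_uri_allowed` function is the authorization-server side: when both the requested and the registered redirect URI are loopback IP literals, the port is ignored and only scheme, host and path must match; every other redirect URI still needs an exact match. The authorize endpoint, client_id and scope values are placeholders.

```python
"""RFC 8252 section 7.3 loopback redirect URIs: client and server side."""
import base64
import hashlib
import secrets
import socket
from urllib.parse import parse_qs, urlencode, urlsplit

# RFC 8252 talks about loopback IP literals; plain "localhost" is left out
# on purpose, since it can be pointed elsewhere through the hosts file.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def bind_ephemeral_loopback():
    """Bind to 127.0.0.1:0 and return (listening socket, port the OS chose)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def pkce_pair():
    """PKCE S256 verifier/challenge (RFC 7636); 32 random bytes -> 43 chars."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(authorize_endpoint, client_id, port, scope, state, challenge):
    """Return (authorization URL, redirect_uri) using the ephemeral port."""
    redirect_uri = f"http://127.0.0.1:{port}/callback"
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}", redirect_uri


def parse_callback(request_line, expected_state):
    """Pull the code out of the browser's request line on the loopback port.

    Raises ValueError on a state mismatch, an error response, or no code.
    """
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method")
    query = parse_qs(urlsplit(target).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def redirect_uri_allowed(requested, registered):
    """Authorization-server check implementing the RFC 8252 loopback port rule.

    Loopback IP literal on both sides: any port, same host and path.
    Anything else: exact string match against the registered list.
    """
    req = urlsplit(requested)
    for reg_str in registered:
        reg = urlsplit(reg_str)
        loopback = (req.scheme == "http" and reg.scheme == "http"
                    and req.hostname in LOOPBACK_HOSTS
                    and reg.hostname in LOOPBACK_HOSTS)
        if loopback:
            if req.hostname == reg.hostname and req.path == reg.path:
                return True
        elif requested == reg_str:
            return True
    return False


if __name__ == "__main__":
    srv, port = bind_ephemeral_loopback()
    try:
        verifier, challenge = pkce_pair()
        state = secrets.token_urlsafe(16)
        url, redirect_uri = build_authorize_url(
            "https://issuer.example/authorize", "cli-client-placeholder",
            port, "openid", state, challenge)
        print("open in browser:", url)
        # A provider registered as http://127.0.0.1/callback accepts this port.
        print("allowed:", redirect_uri_allowed(redirect_uri, ["http://127.0.0.1/callback"]))
    finally:
        srv.close()
```

The order matters on the client: bind first, then build the URL, so the port in `redirect_uri` is the one actually listening. A provider that does exact matching, as the thread reports for Auth0, would reject every URL this produces unless the port happened to be registered; a provider following the RFC accepts them with `http://127.0.0.1/callback` registered once.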
Good point, and good finding. I will check this internally with the product team.
I checked internally and it’s currently not supported, as not all IETF specs are necessarily supported/implemented in the Auth0 platform. However, I added it as proposal to our internal product backlog (no ETD or guarantee of implementation given at this time though).
Thanks for looking into this. We implemented an option to listen on a specific port.