Why is localhost not recommended as an allowed callback or origin for production?

It is interfering with the development process in my company, and I was wondering what the cons are of opening localhost as an allowed URL in production.

Hi @tal.auth

Just a couple of quick thoughts: you can hijack localhost via /etc/hosts (or the equivalent) or by killing a listening process and putting your own there. That makes it insecure.

John

Thanks for the response, John. Not sure I understand what you are saying. Changing localhost to point to the production URL, but where? At the user's computer or at the deployment machine? I can think maybe of the repository code leaking and somebody deploying the same site locally, and authentication will be successful. Is that what you're saying? Also, what do you mean by killing a process and putting your own? On what machine?

Consider a callback URL: https://localhost:1234/callback?code=blah

Your app is running on localhost at port 1234.

Approach 1:
Attacker changes your /etc/hosts and does
localhost 7.7.7.7

This will then redirect the code not to 127.0.0.1 but to 1234

Approach 2:
Attacker finds your app, kills it, and runs their own listening on 127.0.0.1 port 1234

After some thinking: the auth code flow requires a secure backend. localhost cannot be considered a secure backend (it is actually the same as the frontend). So that is why.

John

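To make John's point concrete from the defender's side: the decision that matters is made where the authorization server (or your own backend) validates the redirect_uri against the allow-list. Below is an added example, not code from Auth0 or from anyone in this thread, of a validator that does exact-match allow-listing and, when a constructed `production` flag is set, rejects loopback hosts (localhost, 127.0.0.1, ::1) and plain http. The same function accepts http://localhost entries when the flag is off, which is the local-testing case discussed later in the thread. The allow-list contents are constructed sample values based on the URLs quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample allow-list: a real production entry plus the two
# localhost entries that appear in the thread.
ALLOWED_CALLBACKS = {
    "https://app.example.com/callback",
    "https://localhost:1234/callback",
    "http://localhost:3000/callback",
}

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback_host(host):
    """True for localhost-style names and loopback IPs (127.0.0.0/8, ::1)."""
    if not host:
        return False
    h = host.lower().strip("[]")
    if h in LOOPBACK_NAMES or h.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False  # a normal DNS name, not an IP literal


def validate_callback(redirect_uri, allowed, production):
    """Return (accepted, reason) for a redirect_uri presented at /authorize.

    Exact string matching against the allow-list: no prefix or wildcard
    matching, so an attacker cannot append a path or query to sneak past.
    In production, loopback hosts and non-TLS schemes are refused because
    whoever controls the user's machine (hosts file, or a process bound to
    the port) also controls where the authorization code lands.
    """
    if redirect_uri not in allowed:
        return False, "not in allow-list"
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    if parts.fragment:
        return False, "fragment not allowed"
    if production:
        if parts.scheme != "https":
            return False, "http not allowed in production"
        if is_loopback_host(parts.hostname):
            return False, "loopback host not allowed in production"
    return True, "ok"


def audit_allow_list(allowed, production):
    """List the allow-list entries that would be refused under this policy,
    so a tenant's settings can be reviewed before going live."""
    rejected = []
    for uri in sorted(allowed):
        ok, reason = validate_callback(uri, allowed, production)
        if not ok:
            rejected.append((uri, reason))
    return rejected


if __name__ == "__main__":
    for uri, reason in audit_allow_list(ALLOWED_CALLBACKS, production=True):
        print(f"would be rejected in production: {uri} ({reason})")
```

The audit function is the useful part for the question asked in this thread: run it against the tenant's configured callback list with `production=True` and every localhost or http entry is surfaced, while the same list passes with `production=False` for a development tenant. One caveat: native apps following RFC 8252 legitimately use a loopback redirect with a port chosen at runtime, so a validator for that client type has to treat the port specially; the exact-match rule above is the one for web applications with a confidential backend, which is the case John is describing.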

Hello John, for training purposes I need to create an Auth0 account and test changes on my local machine, therefore I need to give http://localhost instead of https. In this case, how do I go about using my Auth0 account? In Settings, it does not allow me to save a callback URL with http.
Thank you in advance.

Where in settings is it not allowing you to use http://? You can use http:// for settings like callback URL. Not recommended for prod obviously but you can use it for local testing.

It seems that we’re kinda forcing it on the user:

[Screenshot 2020-12-07 at 14.41.25]

I wonder if that is due to different versions of the tenant software? I have lots of test / demo apps that use http://localhost:XXXX.

Let me check that with the appropriate team and get back to you soon!


@john.gateley regarding Approach 1 you mentioned, what difference does it make if the app is located on a remote server?

In my understanding, assuming an attacker can edit /etc/hosts, they can map any host to their IP:
7.7.7.7 my.remote.server

Did I miss something?
Thanks

@john.gateley On the page Test Applications Locally it says: "For example, during development, you could use http://localhost:3000/callback as the callback URL." I just wanted to clarify that section. When it says "during development", does that mean in a pre-production environment?
