
Please follow the best practices for Loopback Interface Redirection and allow localhost with any port

Open TylerLeonhardt opened this issue 7 months ago • 0 comments

Please see this section of the spec: https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Native apps that are able to open a port on the loopback network interface without needing special permissions (typically, those on desktop operating systems) can use the loopback interface to receive the OAuth redirect.

Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on.

That is, "http://127.0.0.1:{port}/{path}" for IPv4, and "http://[::1]:{port}/{path}" for IPv6. An example redirect using the IPv4 loopback interface with a randomly assigned port:

 http://127.0.0.1:51004/oauth2redirect/example-provider

An example redirect using the IPv6 loopback interface with a randomly assigned port:

 http://[::1]:61023/oauth2redirect/example-provider

The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.

Clients SHOULD NOT assume that the device supports a particular version of the Internet Protocol. It is RECOMMENDED that clients attempt to bind to the loopback interface using both IPv4 and IPv6 and use whichever is available.

So if my redirect URI is http://127.0.0.1 or http://127.0.0.1:3000 in my client configuration, then the server should allow redirect_uri being http://127.0.0.1:3434, for example. The same goes for http://127.0.0.1/callback and http://127.0.0.1:3000/callback, which should allow http://127.0.0.1:6666/callback.

Supporting this helps the client be robust and open an ephemeral port that is not already in use by another process.

Without this, we have had to work around this in VS Code, which supports OAuth for MCP servers here: https://github.com/microsoft/vscode/blob/9c362d357f87edca0fced3e63e27cf9cb47df7dc/src/vs/base/common/oauth.ts#L673-L678

TylerLeonhardt, May 31 '25 01:05
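The matching rule the issue asks for, as an added example in TypeScript (this is illustrative code written for this page, not workers-oauth-provider's own implementation, and the function names `isLoopbackRedirect` and `isAllowedRedirectUri` are assumptions). A registered redirect URI is matched by plain string comparison, as RFC 6749 section 3.1.2.3 requires, with one relaxation: when both the registered and the requested URI are loopback URIs in the RFC 8252 section 7.3 sense (scheme `http`, host `127.0.0.1` or `[::1]`), the port is ignored and everything else (scheme, host, path, query) must still agree. `localhost` is deliberately not treated as loopback here, because the RFC recommends the IP literals and a hostname can resolve elsewhere; a server that wants to accept it for development should make that an explicit, separate decision.

```typescript
// Added example, not part of workers-oauth-provider: redirect_uri validation
// that follows RFC 8252 section 7.3 for loopback clients.

// Only the loopback IP literals named by RFC 8252 get port flexibility.
// Note: Node's WHATWG URL keeps the brackets in `hostname` for IPv6.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]);

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// A loopback redirect in the RFC 8252 sense: "http" scheme and a loopback
// IP literal. "localhost" is intentionally excluded (see lead-in).
export function isLoopbackRedirect(url: URL): boolean {
  return url.protocol === "http:" && LOOPBACK_HOSTS.has(url.hostname);
}

// Compare two loopback URIs on every component except the port.
function loopbackMatch(registered: URL, requested: URL): boolean {
  return (
    registered.protocol === requested.protocol &&
    registered.hostname === requested.hostname &&
    registered.pathname === requested.pathname &&
    registered.search === requested.search
  );
}

// Authorization-server side check of the redirect_uri parameter against the
// client's registered redirect URIs.
export function isAllowedRedirectUri(
  registeredUris: readonly string[],
  requestedUri: string,
): boolean {
  const requested = parseUrl(requestedUri);
  // Unparseable, or carries a fragment: redirect URIs must not include one.
  if (requested === null || requested.hash !== "") return false;

  for (const registeredUri of registeredUris) {
    // Non-loopback URIs: simple string comparison, nothing relaxed.
    if (registeredUri === requestedUri) return true;

    // Loopback URIs: any port, but scheme, host, path and query must match.
    const registered = parseUrl(registeredUri);
    if (registered === null) continue;
    if (
      isLoopbackRedirect(registered) &&
      isLoopbackRedirect(requested) &&
      loopbackMatch(registered, requested)
    ) {
      return true;
    }
  }
  return false;
}
```

The same function should be used wherever the server compares redirect URIs, including the token endpoint's check that the `redirect_uri` presented with the authorization code equals the one used at `/authorize`; otherwise a client that passed the first check with an ephemeral port fails the second.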