restish
Use loopback ip (127.0.0.1) instead of localhost
RFC 8252 recommends using the loopback IP instead of localhost: https://datatracker.ietf.org/doc/html/rfc8252#section-8.3
Also, bind to an automatically chosen port rather than a fixed port.
@dreverri thanks for the PR! I did not know that 127.0.0.1 is recommended over localhost, so thank you for that!
As for the random port, this seems to not work well with auth systems that require pre-registration of allowed callback URLs. Any thoughts on that?
For example, see https://community.auth0.com/t/random-local-ports-on-redirect-uri/28623
@danielgtaylor sorry for not getting back sooner. Regarding the port, it should probably default to its current value (8484) but allow the user to override it. A value of 0 would choose a random port.
What's the best way to allow the user to configure the port?
@dreverri you could try adding a --rsh-port parameter for this purpose!
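The loopback callback listener discussed in the thread (bind to 127.0.0.1, default port 8484, port 0 for an OS-chosen port, and a redirect_uri derived from the port actually bound) as an added example. This is not restish's code; the function names, the `/callback` path and the handler are assumptions made for illustration, and the port value would come from a flag such as the proposed `--rsh-port`.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"strconv"
	"time"
)

// defaultPort is the fixed port mentioned in the thread (8484).
const defaultPort = 8484

// callbackAddr returns the loopback address to bind, "127.0.0.1:<port>".
// RFC 8252 §8.3 prefers the literal loopback IP over "localhost"; port 0
// asks the OS for a free port (the override proposed in the thread).
func callbackAddr(port int) string {
	return net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
}

// redirectURI derives redirect_uri from the address the listener actually
// bound, so a randomly assigned port is reported correctly to the
// authorization server. The "/callback" path is an assumption.
func redirectURI(addr net.Addr) string {
	return "http://" + addr.String() + "/callback"
}

// boundPort extracts the port number from a listener address.
func boundPort(addr net.Addr) int {
	_, p, err := net.SplitHostPort(addr.String())
	if err != nil {
		return 0
	}
	n, _ := strconv.Atoi(p)
	return n
}

// startCallbackServer binds the loopback listener and serves handler on it.
// It returns the listener (so the caller can read Addr()) and a stop func.
func startCallbackServer(port int, handler http.Handler) (net.Listener, func(), error) {
	ln, err := net.Listen("tcp", callbackAddr(port))
	if err != nil {
		return nil, nil, err
	}
	srv := &http.Server{Handler: handler}
	go srv.Serve(ln) // returns once Shutdown closes the listener
	stop := func() {
		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
		defer cancel()
		srv.Shutdown(ctx)
	}
	return ln, stop, nil
}

func main() {
	// Hypothetical handler: in a real client this would exchange the
	// authorization code for tokens; here it only echoes that one arrived.
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "authorization code received:", r.URL.Query().Get("code") != "")
	})
	ln, stop, err := startCallbackServer(0, h) // 0 = OS-chosen port
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("redirect_uri:", redirectURI(ln.Addr()))
}
```

Whether port 0 is usable depends on the authorization server: RFC 8252 §7.3 requires servers to accept any port for loopback redirect URIs, but a server that matches pre-registered redirect URIs exactly (the Auth0 case linked above) will reject a port it has not seen, which is why keeping 8484 as the default and treating 0 as an opt-in override is the safer shape.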
I actually tried to implement the 127.0.0.1 fix by itself, but it was breaking any OAuth server which didn't explicitly have 127.0.0.1 in the set of allowed redirect URLs. I'm going to close this for now and we should revisit if we can find a way to not break or when we are ready for some major breaking changes.