Loopback Interface Redirection


Loopback Interface Redirection is defined in OAuth 2.0 for Native Apps (RFC 8252) section 7.3

Native apps that are able to open a port on the loopback network interface without needing special permissions (typically, those on desktop Operating Systems) can use the loopback interface to receive the OAuth redirect.

Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on.

That is,{port}/{path}
for IPv4, and
for IPv6. An example redirect using the IPv4 loopback interface with a randomly assigned port:

An example redirect using the IPv6 loopback interface with a randomly assigned port:

The Authorization Server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the Operating System at the time of the request.

Clients SHOULD NOT assume that the device supports a particular version of the Internet Protocol. It is RECOMMENDED that clients attempt to bind to the loopback interface using both IPv4 and IPv6 and use whichever is available.

More Information#

There might be more information for this subject on one of the following: