Is it insecure to use 'localhost' as a callback URL in Auth0?

Tags:

auth0

Should I avoid using http://localhost:3000 as a callback url in Auth0 (particularly in a dev or stage environment)?

I understand that there is a potential for attacks using a POST http request utilizing the localhost url. However, is that a consideration I would need to make for a development or stage environment?

Talis Lazdins asked Mar 08 '18 22:03


1 Answer

Actually a very good question, although in reality the best answer is the (common sense) obvious answer. Yes, it is a bad idea to use http://localhost although the tradeoffs of convenience and practicality still make it an often used anti-pattern. And yes, that even includes Auth0 official documentation when explaining samples to keep things simple to understand...

Unfortunately, localhost receives special treatment from so many parties (including web browsers) that it is generally a good idea to avoid it. Here are just some reasons to consider avoiding localhost:

1). All your traffic is unencrypted (http), so sniffing your credentials is trivial (not specific to localhost, but definitely worth mentioning: if you have the opportunity to introduce https, do so).

2). The callback localhost is an easy collision point, especially where the initiation of the authentication and the callback are separated.

3). Due to poor deployment practices, or (unintentional) ignorance, often if localhost callbacks are set up in DEV envs, they end up being pasted into the PRD envs too.

4). Testing SSO locally fails if both your apps are running on localhost, even if the ports are different.

5). Embedded login that depends on the new co/authenticate endpoint (Cross Origin flow) cannot have localhost in the allowed web origins field (either set via Management API or Dashboard). See here for more info - you can set up a local hosts alias, in which case it makes sense to also update the callback url to be the same.

6). localhost gets "special" attention by user agents (incl. web browsers) that can cause unnecessary interference (broad statement, but true).

7). Auth0 now supports Custom Domains. If you set up a custom domain, say id.mysite.com, then to test locally you can make an alias in your hosts file, e.g. app1.mysite.com - in which case it makes sense to use the mysite.com domain in all your settings that reference the domains involved, including your callback value.

All said and done, the reality is you are only working on Dev, and you have to get your work done. One suggestion would be, rather than use localhost, simply set up an alias for 127.0.0.1 in your local hosts file, e.g. 127.0.0.1 app1.mysite.com. It won't avoid all the risks listed above, including usage of http, but it will avoid some of the pitfalls. Not going to try and defend its security benefits other than to say it makes it harder to guess what might be in your white-listed allowed callback urls list.

arcseldon answered Oct 20 '22 17:10

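As an added illustration of points 1, 3 and 7 of the answer above (example code, not from the post or from Auth0), here is a small audit of an application's Allowed Callback URLs list that flags plain-http entries, localhost/loopback hosts that tend to leak from DEV into PRD, and hosts outside the custom domain; the sample list, the `mysite.com` domain and the function names are constructed for the example:

```python
"""Audit an Auth0 application's Allowed Callback URLs for dev-only values.
Added example (not code from the post or from Auth0): it flags plain http
callbacks, localhost/loopback hosts that get pasted from DEV into PRD, and,
when a custom domain is given, callbacks outside that domain. The sample
list and the mysite.com domain below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

def is_loopback_host(host: str) -> bool:
    """True for localhost, *.localhost and loopback IP literals (127/8, ::1)."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False

def audit_callbacks(urls, environment="production", domain=None):
    """Return (url, finding) pairs for every risky allowlist entry.
    environment="dev" reports only the non-https finding so local work can
    continue; anything else reports all findings. domain, if given, is the
    custom domain every callback host is expected to sit under (point 7)."""
    findings = []
    for raw in urls:
        url = raw.strip()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((url, "non-https scheme"))
        if environment == "dev":
            continue
        if is_loopback_host(host):
            findings.append((url, "loopback/localhost host"))
        elif domain and host != domain and not host.endswith("." + domain):
            findings.append((url, f"host outside {domain}"))
    return findings

# Constructed sample: what a copy-pasted DEV allowlist tends to look like.
SAMPLE_CALLBACKS = [
    "https://app1.mysite.com/callback",
    "http://localhost:3000/callback",
    "http://127.0.0.1:3000/callback",
    "https://[::1]:3000/callback",
    "https://staging.othersite.example/callback",
]

if __name__ == "__main__":
    for url, finding in audit_callbacks(SAMPLE_CALLBACKS, domain="mysite.com"):
        print(f"{finding:24s} {url}")
```

The same function can be pointed at the list returned by the Management API for each application before a promotion to production, so a pasted DEV allowlist is caught before users can log in through it.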