The latest articles on DEV Community by Christopher Oezbek (@christopher_oezbek). https://dev.to/christopher_oezbek https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2254507%2Ffc6ca373-530d-4ffb-ae8a-ba1ababf0866.png https://dev.to/christopher_oezbek en Christopher Oezbek Tue, 22 Oct 2024 22:01:49 +0000 https://dev.to/christopher_oezbek/mission-impossible-with-localhost-8dj https://dev.to/christopher_oezbek/mission-impossible-with-localhost-8dj <p>Did you know that browsers support using <code>localhost</code> subdomains such as <code>app.localhost</code> to access <code>127.0.0.1</code>?</p> <p>Do you also know that it is impossible to make those subdomains work with oauth?</p> <p>Of course, there is not a single culprit for this, but two:</p> <ol> <li>The Oauth providers such as Microsoft and Google won't allow you to define <a href="http://app.localhost" rel="noopener noreferrer">http://app.localhost</a> as the beginning of the callback URL. All callback URLs either must have https or must start with <a href="http://localhost" rel="noopener noreferrer">http://localhost</a> (and they are smart enough not to allow <a href="http://localhost.app.localhost" rel="noopener noreferrer">http://localhost.app.localhost</a>). So you can't receive a callback to <a href="http://app.localhost" rel="noopener noreferrer">http://app.localhost</a>. Only to <code>http://localhost</code>. </li> </ol> <p>You might think that's easy. Just callback to <a href="http://localhost" rel="noopener noreferrer">http://localhost</a> and then redirect back to <a href="http://app.localhost" rel="noopener noreferrer">http://app.localhost</a>. Unfortunately, this fails due to culprit 2:</p> <ol> <li>The browsers will not let you share cookies for <a href="http://app.localhost" rel="noopener noreferrer">http://app.localhost</a> and <a href="http://localhost" rel="noopener noreferrer">http://localhost</a> because they treat localhost as a special case. Even though they allow you to set cookies for localhost when you perform a request to <a href="http://localhost" rel="noopener noreferrer">http://localhost</a>, the browser won't allow you to define it as the <code>domain=localhost</code> when setting the cookie. Localhost is treated like a public suffix (just as <code>com</code> or <code>org</code>) and which you can't set cookies on.</li> </ol> <p>Such restrictions don't exist if you wanted to share cookies between <code>app1.foo.localhost</code> and <code>app2.foo.localhost</code>. There you could set both cookies for the domain <code>foo.localhost</code> and they would be shared between app1 and app2. But due to point 1. above (only <a href="http://localhost" rel="noopener noreferrer">http://localhost</a>) you can't use <a href="http://foo.localhost%60" rel="noopener noreferrer">http://foo.localhost`</a> as the shared callback URL.</p> <p>Other solutions are also out of the questions:</p> <ul> <li>lvh.me or editing of the /etc/hosts file won't help, because you still can't callback to them (no https).</li> </ul> <p>What remains are only paid options</p> <ul> <li>ngrok (need to pay for a static subdomain) or Cloudflare tunnels</li> </ul> <p>Compare with:</p> <p><a href="https://hackernoon.com/local-development-with-subdomains-mobile-testing-and-oauth-is-it-more-cost-effective?source=rss" rel="noopener noreferrer">https://hackernoon.com/local-development-with-subdomains-mobile-testing-and-oauth-is-it-more-cost-effective?source=rss</a></p> devops oauth webdev