[PR #1012] [CLOSED] feat: RFC 8252 loopback interface redirection support #1023

New Issue

Closed

opened 2026-02-04 21:11:33 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-04 21:11:33 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/1012
Author: @savely-krasovsky
Created: 10/8/2025
Status: ❌ Closed

Base: main ← Head: rfc8252-special-case

---

📝 Commits (3)

• 0e96991 feat: RFC 8252 loopback interface redirection support
• b826867 Merge branch 'main' into rfc8252-special-case
• 3fc9f0b Merge branch 'main' into rfc8252-special-case

📊 Changes

3 files changed (+118 additions, -18 deletions)

View changed files

📝 backend/internal/service/oidc_service.go (+2 -18)
📝 backend/internal/utils/string_util.go (+48 -0)
📝 backend/internal/utils/string_util_test.go (+68 -0)

📄 Description

Support for special Callback URL case which is primary used by Desktop Native Applications.
https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Their unique feature is that they can use any ephemeral port they want. So it could be 23821 or 54231. Of course they send it in redirect_url. Until recently it was possible to set http://127.0.0.1:* and http://[::1]:* (or http://localhost:*) to work around this but now it's impossible due to the new form validation:

But still it presets a huge vulnerability, since http://localhost:* basically allows to craft authorization URL with callback URL like this: http://localhost:password@malicious-host.com/authorization_code_stealer.

Fortunately RFC 8252 defines this special case by specifying that ephemeral port could be completely random and authorization server should allow any arbitrary port.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/pocket-id/pocket-id/pull/1012 **Author:** [@savely-krasovsky](https://github.com/savely-krasovsky) **Created:** 10/8/2025 **Status:** ❌ Closed **Base:** `main` ← **Head:** `rfc8252-special-case` --- ### 📝 Commits (3) - [`0e96991`](https://github.com/pocket-id/pocket-id/commit/0e969913f117e7c611418806bbcc86cc16f0b0e3) feat: RFC 8252 loopback interface redirection support - [`b826867`](https://github.com/pocket-id/pocket-id/commit/b8268673cfb4ee3f86a5a26af43fffc409943756) Merge branch 'main' into rfc8252-special-case - [`3fc9f0b`](https://github.com/pocket-id/pocket-id/commit/3fc9f0b40b574d29b16dcdeeae830425d6a293d7) Merge branch 'main' into rfc8252-special-case ### 📊 Changes **3 files changed** (+118 additions, -18 deletions) <details> <summary>View changed files</summary> 📝 `backend/internal/service/oidc_service.go` (+2 -18) 📝 `backend/internal/utils/string_util.go` (+48 -0) 📝 `backend/internal/utils/string_util_test.go` (+68 -0) </details> ### 📄 Description Support for special Callback URL case which is primary used by Desktop Native Applications. https://datatracker.ietf.org/doc/html/rfc8252#section-7.3 Their unique feature is that they can use any ephemeral port they want. So it could be 23821 or 54231. Of course they send it in `redirect_url`. Until recently it was possible to set `http://127.0.0.1:*` and `http://[::1]:*` (or `http://localhost:*`) to work around this but now it's impossible due to the new form validation: <img width="637" height="222" alt="image" src="https://github.com/user-attachments/assets/94d68b91-47b3-4598-b437-0cc77807670a" /> But still it presets a huge vulnerability, since `http://localhost:*` basically allows to craft authorization URL with callback URL like this: `http://localhost:password@malicious-host.com/authorization_code_stealer`. Fortunately RFC 8252 defines this special case by specifying that ephemeral port could be completely random and authorization server should allow any arbitrary port. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2026-02-04 21:11:33 +03:00

OVERLORD closed this issue 2026-02-04 21:11:35 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/email-verification

oidc-scopes

default-env-db-keys

slog-gorm

v2.2.0

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

bug

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#1023