Private redirect URLs for OAuth2 fail validation

[scottatron]

I'm trying to start work on an app for my own purposes and want to use OAuth2. I'm also wanting to keep this within my private network.

Unfortunately I can't seem to add any redirect URLs to my app registration that are not 'localhost' or publicly routable addresses.

I'm currently using a dev server within my network to work on the app, so are expecting to access it from another client system in the network which makes using 'localhost' addresses difficult.

Is there any way I can register private redirect URLs that pass the validation when updating my app registration?

[sanmai]

May we ask you to share some examples of private redirect URLs?

[scottatron]

No problem...

I'm currently trying out Acorn, and when deploying an app, it creates a publicly resolvable DNS record for your application, but the actual record points to an IP address that is on my internal network (e.g. 192.168.88.0/24) so I can resolve the address and follow the redirects, but it cannot actually be reached from outside the network.

I've also tried using Tailscale hostnames for redirect URLs, as I use it within my network, but I'm guessing that the app registration page does some sort of connection check to validate the redirect URLs and cannot connect to the hostname.

I should also mention that I did manage to get a setup partially working using 'http://localhost:3000', however it seems that the redirect after getting the authorisation code doesn't include the port number, so I just get redirected to http://localhost/.... instead.

[scottatron]

I've done a little more tinkering to see if I can get this working and it appears that the address that the callback resolves to is not what's important—it seems to be failing on particular domains...

If I create a subdomain on a .com domain that I own, the app registration page happily accepts that, even if the DNS record doesn't actually exist.

If I create a subdomain on a .io domain that I own, this fails as before and the specific error on the field says "The url's domain is not valid".

Acorn—which I mentioned above, creates DNS records which end in alpha.on-acorn.io so they're failing in the same way. Tailscale's hostnames are <host>.<tailnet name>.ts.net and these are also failing with the same 'domain is not valid' error.

I haven't tried any other TLDs at this stage, but it seems to be a problem with the domain name validation more than anything.