6

Should I avoid using http://localhost:3000 as a callback url in Auth0 (particularly in a dev or stage environment)?

I understand that there is a potential for attacks using a POST http request utilizing the localhost url. However, is that a consideration I would need to make for a development or stage environment?

Zze
  • 18,229
  • 13
  • 85
  • 118
Talis Lazdins
  • 105
  • 1
  • 1
  • 7
  • 1
    Why do **you** think you should avoid it? – Zze Mar 08 '18 at 22:18
  • I understand that there is a potential for attacks using a POST http request utilizing the localhost url. However, is that a consideration I would need to make for a development or stage environment? – Talis Lazdins Mar 08 '18 at 22:22

1 Answers1

9

Actually a very good question, although in reality the best answer is the (common sense) obvious answer. Yes, it is a bad idea to use http://localhost although the tradeoffs of convenience and practicality still make it an often used anti-pattern. And yes, that even includes Auth0 official documentation when explaining samples to keep things simple to understand...

Unfortunately, localhost receives special treatment from so many parties (including web browsers) that it is generally a good idea to avoid it. Here are just some reasons to consider avoiding localhost:

1). All your traffic is unencrypted (http), so sniffing your credentials is trivial (not specific to localhost but def. worth mentioning if you have the opportunity to introduce https do so).

2). The callback localhost is an easy collision point, especially where the initiation of the authentication, and callback are separated.

3). Due to poor deployment practices, or (unintentional) ignorance, often if localhost callbacks are setup in DEV envs, they end up being pasted into the PRD envs. too.

4). Testing SSO locally fails if both your apps are running on localhost even ports are different.

5). Embedded login that depends on the new co/authenticate endpoint (Cross Origin flow) cannot have localhost in the allowed web origins field (either set via Management API or Dashboard). See here for more info - you can setup a local hosts alias, in which case it makes sense to also update the callback url to be the same.

6). localhost gets "special" attention by user agents (incl. web browsers) that can cause unnecessary interference (broad statement, but true).

7). Auth0 now supports Custom Domains. If you set up a custom domain, say id.mysite.com then to test locally you can make an alias in your hosts file eg. app1.mysite.com - in which case it makes sense to use the mysite.com domain in all your settings that reference the domains involved, including your callback value.

All said and done, the reality is you are only working on Dev, and you have to get your work done. One suggestion would be rather than use localhost, simply set up an alias for 127.0.0.1 in your local hosts file eg. 127.0.0.1 app1.mysite.com. It won't avoid all the risks listed above, including usage of http, but it will avoid some of the pitfalls. Not going to try and defend its security benefits other than to say it makes it harder to guess what might be in your white-listed allowed callback urls list.

arcseldon
  • 35,523
  • 17
  • 121
  • 125
  • Thanks for the robust and detailed reply. Much appreciated. I had begun investigating other possible solutions and found a service called ngrok which provides a secure tunnel to localhost. Have you had any experience with such services? – Talis Lazdins Mar 15 '18 at 17:52
  • Hi @TalisLazdins - Interesting. Yes I have used ngrok alot for personal testing when I need a call back to my local machine - see my SOF answer here - https://stackoverflow.com/a/34659560/1882064 – arcseldon Mar 15 '18 at 20:47
  • 1
    Corporate policy at my place of work (auth0) disallows usage of ngrok for security reasons :( So, whilst i agree it is a really helpful development aid - for instance you could write a Custom DB connection that calls an API - and use the ngrok URL to point to your local machine running the API and talking to a DB etc - just bear in mind it also suffers from potential security implications too. It will (by default) open both an http and https endpoint, you can configure that to use strict https. As you are proxying (even ssl) traffic via NGROK servers - they can see everything (credentials) – arcseldon Mar 15 '18 at 20:47
  • @TalisLazdins - be grateful if you'd mark the answer as correct if you have found it helpful - an indication to others to trust the answer. any other questions feel free to ask away of course. – arcseldon Mar 15 '18 at 20:48