public oauth client should always support localhost callback #3
Merged
sks
approved these changes
Jun 12, 2026
Summary
Public static OAuth clients defined in the Dex configuration currently do not support wildcard redirect URIs. This creates a compatibility issue when adding support for MCP clients that require fixed, non-localhost callback URLs, such as:
cursor://anysphere.cursor-mcp/oauth/callback
https://beta.app.kiro.dev/agent/mcp/callback
https://gamma.app.kiro.dev/agent/mcp/callback
https://app.kiro.dev/agent/mcp/callback
If these redirect URIs are explicitly configured, OAuth clients that rely on localhost-based callback URLs will no longer be able to authenticate successfully.
Change
Enable support for any localhost callback URL for public static OAuth clients while continuing to allow explicitly configured redirect URIs required by MCP clients.
Motivation
This change ensures compatibility with both:
Without this change, adding support for MCP-specific redirect URIs would break authentication flows for clients that depend on localhost callbacks.
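The redirect URI check this description calls for, as an added example (not the code from this pull request or from Dex): explicitly configured URIs match exactly, and public clients additionally get loopback callbacks on any port. The Client type and function names are hypothetical, and accepting loopback IP literals alongside "localhost" and requiring plain http are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Client is a hypothetical stand-in for a static OAuth client entry.
type Client struct {
	Public       bool
	RedirectURIs []string
}

// isLoopbackCallback reports whether raw is an http URL whose host is exactly
// "localhost" or a loopback IP literal, on any port, with no userinfo part.
func isLoopbackCallback(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "http" || u.User != nil {
		return false
	}
	host := u.Hostname() // parsed host without port or IPv6 brackets
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host) // assumption: 127.0.0.0/8 and ::1 are also accepted
	return ip != nil && ip.IsLoopback()
}

// ValidRedirectURI accepts an exact match against the configured URIs for any
// client, and a loopback callback for public clients only.
func ValidRedirectURI(c Client, redirectURI string) bool {
	for _, allowed := range c.RedirectURIs {
		if redirectURI == allowed {
			return true
		}
	}
	return c.Public && isLoopbackCallback(redirectURI)
}

func main() {
	c := Client{Public: true, RedirectURIs: []string{ // constructed sample client
		"cursor://anysphere.cursor-mcp/oauth/callback",
		"https://app.kiro.dev/agent/mcp/callback",
	}}
	for _, uri := range []string{"http://localhost:53682/cb", "http://localhost.evil.example/cb"} {
		fmt.Println(uri, ValidRedirectURI(c, uri))
	}
}
```

The host is compared after parsing rather than by string prefix, so lookalikes such as localhost.evil.example or a localhost userinfo in front of another host are rejected.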