From fb4b1a79f84faae25c9168fd84537bd9745305f1 Mon Sep 17 00:00:00 2001
From: Bhavya Jain
Date: Thu, 11 Jun 2026 19:45:13 +0530
Subject: [PATCH 1/2] public oauth client should always support localhost callback
---
 server/oauth2.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/server/oauth2.go b/server/oauth2.go
index 37503db376..ae0c8e6d93 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -620,6 +620,11 @@ func validateRedirectURI(client storage.Client, redirectURI string) bool {
 return true
 }
 }
+
+ if client.Public && isRedirectURILocalhost(redirectURI) {
+ return true
+ }
+
 // For non-public clients or when RedirectURIs is set, we allow only explicitly named RedirectURIs.
 // Otherwise, we check below for special URIs used for desktop or mobile apps.
 if !client.Public || len(client.RedirectURIs) > 0 {
@@ -630,8 +635,12 @@ func validateRedirectURI(client storage.Client, redirectURI string) bool {
 return true
 }
 
- // verify that the host is of form "http://localhost:(port)(path)", "http://localhost(path)" or numeric form like
- // "http://127.0.0.1:(port)(path)"
+ return isRedirectURILocalhost(redirectURI)
+}
+
+// verify that the host is of form "http://localhost:(port)(path)", "http://localhost(path)" or numeric form like
+// "http://127.0.0.1:(port)(path)"
+func isRedirectURILocalhost(redirectURI string) bool {
 u, err := url.Parse(redirectURI)
 if err != nil {
 return false
From 2efc6976e8ace74d8c67db5493309774ab72e4a3 Mon Sep 17 00:00:00 2001
From: Bhavya Jain
Date: Fri, 12 Jun 2026 06:13:26 +0530
Subject: [PATCH 2/2] fix-test
---
 server/oauth2_test.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/server/oauth2_test.go b/server/oauth2_test.go
index ea930cb36d..05be1c7e66 100644
--- a/server/oauth2_test.go
+++ b/server/oauth2_test.go
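Review bot: The comment that immediately follows the new early return, `// For non-public clients or when RedirectURIs is set, we allow only explicitly named RedirectURIs.`, is now wrong for public clients: a public client with an explicit RedirectURIs list also accepts any URI that isRedirectURILocalhost accepts, which is what the flipped expectations in oauth2_test.go now assert. Update it to something like `// Public clients always accept a loopback redirect (RFC 8252 §7.3); otherwise, for non-public clients or when RedirectURIs is set, only explicitly named RedirectURIs are allowed.` Since this widens what a registered RedirectURIs list permits for every existing public client, it deserves a line in the commit message or release notes so operators who treat that list as an exhaustive allowlist are not surprised; whether the loopback path additionally relies on PKCE is not visible in this hunk. validateRedirectURI begins before this hunk.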
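Review bot: The doc comment moved onto isRedirectURILocalhost does not start with the function name, so godoc tooling treats it as a stray note, and it describes only the URL shape rather than what the returned boolean means. Prefer `// isRedirectURILocalhost reports whether redirectURI points at the loopback interface, i.e. "http://localhost:(port)(path)", "http://localhost(path)" or the numeric form "http://127.0.0.1:(port)(path)".` The body of isRedirectURILocalhost continues past the end of the hunk, so whether the scheme and host checks the comment promises are actually enforced cannot be confirmed here; because the first hunk now admits a redirect for public clients on this helper's verdict alone, that tail is the part worth re-reading.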
@@ -413,6 +413,13 @@ func TestValidRedirectURI(t *testing.T) {
 redirectURI: "http://foo.com/bar/baz",
 wantValid: false,
 },
+ {
+ client: storage.Client{
+ RedirectURIs: []string{"http://foo.com/bar"},
+ },
+ redirectURI: "http://localhost:991/bar",
+ wantValid: false,
+ },
 // These special desktop + device + localhost URIs are allowed by default.
 {
 client: storage.Client{
@@ -510,7 +517,7 @@ func TestValidRedirectURI(t *testing.T) {
 RedirectURIs: []string{"http://foo.com/bar"},
 },
 redirectURI: "http://localhost:8080/",
- wantValid: false,
+ wantValid: true,
 },
 {
 client: storage.Client{
@@ -518,7 +525,7 @@ func TestValidRedirectURI(t *testing.T) {
 RedirectURIs: []string{"http://foo.com/bar"},
 },
 redirectURI: "http://localhost:991/bar",
- wantValid: false,
+ wantValid: true,
 },
 {
 client: storage.Client{
@@ -526,7 +533,7 @@ func TestValidRedirectURI(t *testing.T) {
 RedirectURIs: []string{"http://foo.com/bar"},
 },
 redirectURI: "http://localhost",
- wantValid: false,
+ wantValid: true,
 },
 // These special desktop + device + localhost URIs can still be specified explicitly.
 {
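Review bot: The new negative case in the first hunk is the only one exercising the non-public side of the loopback rule, and nothing says so; its client literal sets no Public field, so the zero value is what makes `http://localhost:991/bar` rejected. A one-line comment above it, `// A non-public client with explicit RedirectURIs gets no loopback exception.`, would keep that intent from being lost next to the three cases whose expectations flip to true. Those flipped cases in the second, third and fourth hunks presumably belong to public clients, but the `Public:` line sits above each hunk's context and is not visible here. It would also be worth adding bare `http://localhost` and the numeric `http://127.0.0.1` form to the non-public negative cases, since the helper's comment says it accepts those shapes as well.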