OAuth testing on localhost results in "redirect_uri must use https"

We are trying to test OAuth integration locally, and getting “The redirect_uri must use https for security reasons.” (http://import2.d.pr/dLph/19NUyAOc). Is there a way to develop OAuth integrations locally without setting up the HTTPS web server?

thanks!
Anton

12 Replies
New Member

We have the same issue too - this worked last week using http://localhost:..., but I think a change was silently introduced so that this no longer works. Problem is that I don’t know if we’ll be able to use https here - does anyone know of a workaround?

0 Upvotes
New Member

Guys, I’m getting the same issue… How can we develop locally? Do we need to set up an SSL certificate for localhost?

0 Upvotes
HubSpot Employee

@Tamas_Pal

Yes, or you can use any site as a redirect — ex. https://www.hubspot.com

0 Upvotes
New Member

Thanks for the reply. How would this work with the OAuth 2 flow? E.g. the user authorizes our app to use their HS portal. I need to redirect to our app so that I can grab the code parameter from the URL; that’s how I can tell the authorization was successful. What are your thoughts on this? :slight_smile:

0 Upvotes
HubSpot Employee

@Tamas_Pal I was referring to your question about how to develop locally and for testing. When you push it live you will need to have an encrypted web server to host your front-end app. While you are building out your tool I would use https://www.hubspot.com and then when you go live you will need to set up your server for production.

0 Upvotes

This is quite annoying; many OAuth implementations allow non-https redirect URLs for localhost/127.0.0.1. Using a random https URL as redirect doesn’t really work because then we have to manually grab the parameters to decode them.

0 Upvotes
HubSpot Employee

@Ka-Hing_Cheung

You can always create a self-signed certificate for testing purposes. That way you won’t have to manually grab the parameters to decode.

New Member

I guess you can go for ngrok; please check the documentation. You can use localhost over https using tunneling.

0 Upvotes
New Member

May I add another “me too” for bringing back the http exception for localhost? My dev server doesn’t use/need SSL, and there are literally hundreds of OAuth2 providers I’ve used that allow non-SSL for localhost redirects.

0 Upvotes
New Member

I also find this absurd. Google and many other OAuth2 providers allow http:// for localhost. Developers need this to simplify robust solutions with automated test suites etc.

0 Upvotes
Community Manager

Hi all,

This was recently updated; the OAuth2 redirect URI can now be served over http if the host is localhost. See the details here:

0 Upvotes
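
The rule described in the reply above (https required, with an http exception when the host is localhost), written out as an added example; it is not part of the thread and not HubSpot's implementation. The loopback host set, the function names and the sample URIs are assumptions constructed for illustration, and the checks show why the host must be compared exactly after parsing rather than by substring or prefix.

```python
from urllib.parse import urlsplit

# Assumption: hosts this sketch treats as loopback (the thread only names localhost).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_allowed(uri: str) -> bool:
    """Allow https anywhere, and plain http only on an exact loopback host."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname   # lowercased; port, brackets and userinfo stripped
        _ = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if not host:
        return False
    # Userinfo ("localhost@other-host") makes the URI look local when it is not.
    if parts.username is not None or parts.password is not None:
        return False
    # RFC 6749 section 3.1.2: a redirection endpoint URI must not carry a fragment.
    if parts.fragment:
        return False
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        # Exact match only: "localhost.example.com" is not loopback.
        return host in LOOPBACK_HOSTS
    return False


# Constructed sample redirect URIs and the decision expected for each.
SAMPLES = {
    "https://www.hubspot.com": True,
    "http://localhost:3000/oauth/callback": True,
    "http://127.0.0.1:8080/cb": True,
    "http://[::1]:8080/cb": True,
    "http://example.com/cb": False,
    "http://localhost.example.com/cb": False,
    "http://localhost@example.com/cb": False,
    "http://localhost:notaport/cb": False,
    "http://localhost/cb#token": False,
}


def check_samples() -> dict:
    """Return {uri: decision} for the constructed samples."""
    return {uri: redirect_uri_allowed(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, decision in check_samples().items():
        print(f"{'allow' if decision else 'deny ':5}  {uri}")
```
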
Top Advisor | Gold Partner

If using Laravel with Valet, run this command in terminal.

valet secure my-test-project

{my-test-project} is by default served @ http://my-test-project.test 

Be sure to leave off the TLD when running the command 

0 Upvotes