It is currently disallowed to use redirect_urls of the form http://127.0.0.1 in published apps.

These give the error "insecureredirecturi".

These are allowed in unpublished apps.

Having a redirect to 127.0.0.1 is very useful for native apps which run on the users computer (eg rclone https://rclone.org ).

It is pretty much impossible to do https to 127.0.0.1 - you can't get a valid certificate for it. See this link for details: https://letsencrypt.org/docs/certificates-for-localhost/ - and also for reasons why using http://127.0.0.1 is treated as secure by browsers.

I'll describe how rclone, a native CLI app works. Rclone runs on the users computer - it runs a local webserver to get the auth details so the communications done over http are from the users browser to the users computer and never reach the LAN or Internet. Modern browsers treat http://127.0.0.1 as secure as the traffic never runs over the Internet or even the local network.

This is more secure than having to use an external https server which then redirects to http://127.0.0.1 as the credentials go straight to the CLI application and don't have to go over the Internet at all or travel through another server.

Note that almost all the other oauth providers that rclone supports allow http://127.0.0.1 redirect_urls, this includes Google Drive, Amazon Cloud Drive, Dropbox, Google Cloud Storage, Google Photos, Hubic, MailRu, pcloud, sharefile, Yandex (and more!)

So box is looking like the odd one out here!

Please implement this feature - thank you :-)