sourcegraph · keegancsmith · Apr 17, 2026 · Apr 14, 2026
diff --git a/authorize_helper.go b/authorize_helper.go
@@ -141,8 +141,11 @@ func isMatchingAsLoopback(requested *url.URL, registeredURI string) bool {
 	return false
 }
 
-// Check if address is either an IPv4 loopback or an IPv6 loopback.
+// Check if address is either an IPv4 loopback, an IPv6 loopback, or localhost.
 func isLoopbackAddress(hostname string) bool {
+	if hostname == "localhost" {
+		return true
+	}
 	return net.ParseIP(hostname).IsLoopback()
 }
 

diff --git a/authorize_helper_test.go b/authorize_helper_test.go
@@ -213,6 +213,28 @@ func TestDoesClientWhiteListRedirect(t *testing.T) {
 			isError:  false,
 			expected: "https://google.com/?foo=bar%20foo+baz",
 		},
+		{
+			client:   &fosite.DefaultClient{RedirectURIs: []string{"http://localhost/callback"}},
+			url:      "http://localhost:9999/callback",
+			expected: "http://localhost:9999/callback",
+			isError:  false,
+		},
+		{
+			client:   &fosite.DefaultClient{RedirectURIs: []string{"http://localhost/callback"}},
+			url:      "http://localhost/callback",
+			expected: "http://localhost/callback",
+			isError:  false,
+		},
+		{
+			client:  &fosite.DefaultClient{RedirectURIs: []string{"http://127.0.0.1/callback"}},
+			url:     "http://localhost:9999/callback",
+			isError: true,
+		},
+		{
+			client:  &fosite.DefaultClient{RedirectURIs: []string{"http://localhost/callback"}},
+			url:     "http://127.0.0.1:9999/callback",
+			isError: true,
+		},
 	} {
 		redir, err := fosite.MatchRedirectURIWithClientRedirectURIs(c.url, c.client)
 		assert.Equal(t, c.isError, err != nil, "%d: %+v", k, c)