I haven’t thought this all the way through, but this smells funny to me. Suppose I work for the Acme Corporation, and I’ve set up my HR app with Okta. For the app’s dev environment, I’ve added http://localhost:3434 to my login redirect URIs config. Since any machine can call itself localhost, isn’t there some risk that a nefarious actor could masquerade behind the legitimacy of the Acme Corp logo and login screen? Even though the credentials themselves wouldn’t be compromised (because they only ever pass through Okta’s hands), couldn’t the Acme/Okta login give users a false sense of security about the authenticity of the site they are using, resulting in employees being fooled into providing sensitive information to an outsider?
If there are not security implications around the redirect URIs, why does the setting exist at all? Why not allow any site which has the Okta client ID to redirect?
Thanks for engaging in this thought experiment with me!
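As an added illustration (not part of the original post, and not Okta's code) of the check an authorization server performs on the redirect URI in each request, using a constructed allow-list that mirrors the scenario above (a production callback plus `http://localhost:3434` for the dev environment):

```python
from urllib.parse import urlsplit

# Constructed allow-list for the scenario in the post. Note that a registered
# loopback URI is only reachable by software running on the user's own
# machine: the user's browser resolves "localhost" to itself, so a remote
# site can never be the recipient of a response sent to this URI.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://hr.acme.example/callback",
    "http://localhost:3434",
})

LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def redirect_uri_allowed(requested: str,
                         registered: frozenset = REGISTERED_REDIRECT_URIS) -> bool:
    """Return True only if `requested` may receive the authorization response.

    RFC 6749 section 3.1.2.3 has the authorization server compare the requested
    redirect_uri with the registered values using simple string comparison, so
    a registered URI never authorizes variants of itself (other ports, extra
    query parameters, path suffixes, lookalike hosts).
    """
    parts = urlsplit(requested)
    if parts.fragment:                       # fragments are not allowed (RFC 6749 3.1.2)
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        return False                         # plaintext only tolerated for loopback dev URIs
    return requested in registered           # exact string match, nothing looser


def evaluate(cases):
    """Map each constructed redirect_uri to the allow/deny decision."""
    return {uri: redirect_uri_allowed(uri) for uri in cases}


if __name__ == "__main__":
    for uri, ok in evaluate([
        "http://localhost:3434",                   # registered dev URI: allowed
        "http://localhost:3435",                   # different port: denied
        "http://localhost:3434/?next=x",           # variant of registered URI: denied
        "https://hr.acme.example/callback",        # registered production URI: allowed
        "https://hr.acme.example/callback/more",   # path suffix: denied
        "https://hr-acme.example/callback",        # lookalike host: denied
        "http://hr.acme.example/callback",         # plaintext on a non-loopback host: denied
    ]).items():
        print(f"{'allow' if ok else 'deny':5} {uri}")
```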