Fix OAuth flow redirection issue by timothedelion · Pull Request #31 · GitGuardian/ggmcp

timothedelion · 2025-10-22T16:11:55Z

Changed the callback server binding from "localhost" to "127.0.0.1" in oauth.py:351.

Likelihood Assessment: Very High (85-90%)

Here's why this is very likely the root cause:

Evidence Supporting This Fix

Exact same code pattern as working ggshield - ggshield explicitly uses "127.0.0.1" and works, gg-mcp used "localhost"
and failed
Symptoms match perfectly:
- Authentication succeeds ✓
- Scope acceptance succeeds ✓
- Browser redirect happens (GitGuardian redirects to http://localhost:8000)
- But callback never arrives at the server ✗
- Server times out waiting ✗
The IPv4/IPv6 ambiguity problem:
- When binding to "localhost", Python might bind to:
- IPv6 (::1) only on some systems
- IPv4 (127.0.0.1) only on others
- Both on others
  - When the browser redirects to http://localhost:8000, it might:
  - Try IPv6 first (modern browsers often prefer IPv6)
- Try IPv4 first (older browsers or specific configurations)
  - If there's a mismatch, the connection fails silently
Self-hosted environment factors:
- Corporate networks often have specific IPv6 policies
- Self-hosted servers may have different network configurations than SaaS
- Firewalls/security policies might treat IPv4 and IPv6 differently

Issue: #

timothedelion added 2 commits October 22, 2025 17:32

fix

d45f845

fix(oauth): Bind to 127.0.0.1 to avoid inconsistencies across systems

faaf538

Issue: #

timothedelion self-assigned this Oct 22, 2025

timothedelion requested a review from KNedelec October 22, 2025 16:14

KNedelec approved these changes Oct 22, 2025

View reviewed changes

timothedelion merged commit 632731f into main Oct 22, 2025
1 check passed

timothedelion mentioned this pull request Oct 22, 2025

Windsurf: URL redirect after scope verification fails with 500 Server Error #30

Closed

Provide feedback