Loopback Redirect Flow
A loopback redirect flow is an OAuth pattern where the redirect URI is a local loopback address (127.0.0.1) on an ephemeral port, used by native and desktop apps.
In plain English
A desktop app cannot register https://my-app.com/callback as its OAuth redirect URI, because there is no server at that URL under its control. The loopback flow works around this: the app starts a tiny local HTTP server on 127.0.0.1 at an ephemeral port, registers that address as the redirect URI, opens the system browser for consent, and when the provider redirects there, the app reads the authorization code from the request on localhost. Combine this with PKCE and you have a secure native flow.
Google, Microsoft, and most serious providers explicitly support this pattern for installed apps. The flow avoids the security pitfalls of embedded webviews (where an attacker could harvest credentials) and of custom URL schemes (which can be hijacked by other apps). It is the canonical native-OAuth pattern in 2026.
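A minimal loopback + PKCE client in Python, added here as an illustration (it is not Black Box's or Tauri's own code): it binds an ephemeral port on 127.0.0.1, builds the consent URL with an S256 challenge and a random state, and accepts exactly one redirect, rejecting any whose state does not match. The authorization endpoint, client id and the `simulated_consent` stand-in for the browser and provider are placeholders.

```python
import base64, hashlib, secrets, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
def pkce_challenge(verifier):
    # RFC 7636 S256: BASE64URL(SHA256(verifier)) with the padding stripped.
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
def make_pkce_pair():
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()  # 43 chars, fresh per flow
    return verifier, pkce_challenge(verifier)
class LoopbackServer(HTTPServer):
    def __init__(self, expected_state):
        super().__init__(("127.0.0.1", 0), _CallbackHandler)  # port 0: the OS picks an ephemeral port
        self.expected_state, self.result = expected_state, None
class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        q = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        state, code, err = (q.get(k, [None])[0] for k in ("state", "code", "error"))
        # A redirect carrying a state we did not issue is not ours (CSRF / injected code): reject it.
        if not secrets.compare_digest((state or "").encode(), self.server.expected_state.encode()):
            self.server.result, status, body = {"error": "state_mismatch"}, 400, b"State mismatch."
        elif err or not code:
            self.server.result, status, body = {"error": err or "missing_code"}, 400, b"Authorization failed."
        else:
            self.server.result, status, body = {"code": code}, 200, b"Signed in; you can close this window."
        self.send_response(status); self.send_header("Content-Type", "text/plain"); self.end_headers()
        self.wfile.write(body)
    def log_message(self, *_): pass  # keep the authorization code out of the console and logs
def run_flow(open_browser, auth_endpoint="https://provider.example/authorize",
             client_id="CLIENT_ID_PLACEHOLDER", scope="openid email", timeout=120):
    """open_browser(url) gets the consent URL (webbrowser.open in a real app); returns (code, verifier)."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    srv = LoopbackServer(state)
    params = {"response_type": "code", "client_id": client_id, "scope": scope, "state": state,
              "redirect_uri": f"http://127.0.0.1:{srv.server_port}/callback",
              "code_challenge": challenge, "code_challenge_method": "S256"}
    threading.Thread(target=open_browser, args=(auth_endpoint + "?" + urllib.parse.urlencode(params),), daemon=True).start()
    srv.timeout = timeout
    srv.handle_request()  # serve exactly one redirect, then stop listening
    srv.server_close()
    if not srv.result or "error" in srv.result:
        raise RuntimeError(f"loopback flow failed: {srv.result}")
    return srv.result["code"], verifier  # next step: POST code + verifier to the token endpoint
def simulated_consent(url, code="constructed-code", tamper_state=False):
    """Test stand-in for browser + provider: parses our request and 'redirects' to the loopback URI."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    state = "some-other-state" if tamper_state else q["state"][0]
    try:
        urllib.request.urlopen(q["redirect_uri"][0] + "?" + urllib.parse.urlencode({"code": code, "state": state}), timeout=5).read()
    except urllib.error.HTTPError:
        pass  # the listener answers 400 for a mismatched state; that rejection is the point
```

In a real app, pass `webbrowser.open` as `open_browser` and exchange the returned code and verifier at the provider's token endpoint.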
Why it matters for Black Box
When Black Box shipped as a Tauri desktop app (pre-2026-04-23), it used loopback + PKCE for every Google connection. The pivot to web-app architecture replaced it with server-side OAuth, but the earlier implementation remains instructive for the native version and for any future CLI tooling.
Examples
- The gcloud CLI opening the browser and catching the redirect on a local port.
- VS Code's GitHub sign-in using the same loopback pattern.
- A Tauri app opening Google consent and receiving the code on http://127.0.0.1:54321.