
OAUTH: how can an atproto PDS do discovery for the localhost "global client ID"? #52

Open
sandhose opened this issue Feb 8, 2024 · 1 comment

Comments

@sandhose

sandhose commented Feb 8, 2024

The proposal says:

Domain names used as client IDs **must** have a suffix registered in the [Public Suffix List][PSL]. The only exception to this rule is `localhost`, which **must** be used for local development only.

However, I don't see how localhost could be used for local development. This implies the PDS and the client run on the same host, and that the client somehow listens with HTTPS on port 443, which usually requires root privileges to do.

@sandhose sandhose changed the title OAUTH: how can an atproto PDS do discovery for the localhost "client ID"? OAUTH: how can an atproto PDS do discovery for the localhost "global client ID"? Feb 8, 2024
@matthieusieben
Contributor

matthieusieben commented Feb 14, 2024

When using localhost as client id, the metadata that will be used by the oauth provider will be a hard-coded value (and never be fetched directly by the AS):

#### Client metadata for local development
When using `localhost` as client ID, the AS will not be able to resolve the client metadata using the method described above. Instead, the Authorization Server will use the following client metadata:
```json
{
  "client_id": "localhost",
  "client_name": "Native atproto client",
  "client_uri": "http://localhost/",
  "scope": "profile offline_access",
  "response_types": ["code", "code id_token"],
  "grant_types": ["authorization_code", "refresh_token"],
  "redirect_uris": ["http://127.0.0.1/", "http://[::1]/"],
  "token_endpoint_auth_method": "none",
  "application_type": "native",
  "dpop_bound_access_tokens": true
}
```

The port number of the redirect_uri will be ignored, allowing the dev server to run on any port.
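As an added example (not code from the proposal, nor from the atproto PDS), the following shows how an authorization server could apply the two rules described in this comment: return the hard-coded metadata whenever the client ID is `localhost` instead of fetching anything, and, for that client only, validate the `redirect_uri` while ignoring its port. The function names are assumptions; so is the exact-string match used for every other client ID (the discovery fetch for non-localhost clients is not implemented here).

```typescript
// Added example, not part of the atproto proposal or PDS code base.
// Names (resolveClientMetadata, isRedirectUriAllowed) are assumptions.

type ClientMetadata = {
  client_id: string;
  client_name: string;
  client_uri: string;
  scope: string;
  response_types: string[];
  grant_types: string[];
  redirect_uris: string[];
  token_endpoint_auth_method: string;
  application_type: string;
  dpop_bound_access_tokens: boolean;
};

// Copy of the metadata the comment quotes from the proposal.
const LOCALHOST_CLIENT_METADATA: ClientMetadata = {
  client_id: 'localhost',
  client_name: 'Native atproto client',
  client_uri: 'http://localhost/',
  scope: 'profile offline_access',
  response_types: ['code', 'code id_token'],
  grant_types: ['authorization_code', 'refresh_token'],
  redirect_uris: ['http://127.0.0.1/', 'http://[::1]/'],
  token_endpoint_auth_method: 'none',
  application_type: 'native',
  dpop_bound_access_tokens: true,
};

// The AS never fetches metadata for the `localhost` client: it is hard-coded.
// For any other client_id the proposal's discovery method would be used; that
// part is out of scope here, so this returns undefined (assumption).
function resolveClientMetadata(clientId: string): ClientMetadata | undefined {
  if (clientId === 'localhost') {
    return LOCALHOST_CLIENT_METADATA;
  }
  return undefined;
}

// Compare scheme, host, path and query, but not the port. Both URLs are parsed
// with WHATWG URL, so an IPv6 literal appears as "[::1]" on both sides.
function sameUriIgnoringPort(a: URL, b: URL): boolean {
  return (
    a.protocol === b.protocol &&
    a.hostname === b.hostname &&
    a.pathname === b.pathname &&
    a.search === b.search
  );
}

// Decide whether `candidate` may be used as redirect_uri for this client.
// Only the `localhost` client gets the port-agnostic comparison; everyone
// else must match a registered URI exactly (assumption, modelled on the
// usual exact-match rule for redirect URIs).
function isRedirectUriAllowed(metadata: ClientMetadata, candidate: string): boolean {
  let requested: URL;
  try {
    requested = new URL(candidate);
  } catch {
    return false; // unparsable redirect_uri is never acceptable
  }
  const ignorePort = metadata.client_id === 'localhost';
  return metadata.redirect_uris.some((registered) => {
    if (!ignorePort) {
      return registered === candidate;
    }
    return sameUriIgnoringPort(new URL(registered), requested);
  });
}

// Demo over constructed redirect URIs (not taken from the page).
const demoUris = ['http://127.0.0.1:5173/', 'http://[::1]:8080/', 'http://localhost:5173/'];
for (const uri of demoUris) {
  console.log(uri, isRedirectUriAllowed(LOCALHOST_CLIENT_METADATA, uri));
}
```

Note that with the quoted metadata a dev server reachable as `http://localhost:5173/` is still rejected: only the loopback literals `127.0.0.1` and `[::1]` are registered, and the port is the only component the comparison drops.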
