Allow more "localhost" hostnames for client redirect URLs for SSO logins

[zzJinux]

Since #41833, localhost, 127.0.0.1, and ::1 are the only http: scheme hostnames allowed for client redirect URLs. Please consider allowing more:

• All addresses in the 127/8 block, which are guaranteed to be loopback by the Internet Standard.
• *.localhost domains, which can't be registered in the Internet DNS.

I use IP addresses other than 127.0.0.1 in the 127/8 block and add *.localhost entries to /etc/hosts to easily manage many local addresses.

I believe there is no security concern to consider since these hostnames are as safe as 127.0.0.1 and localhost.

[webvictim]

I haven't tested this, but I think you can actually override the allowed list of hostnames/IPs using these hidden settings in your connector:

spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - "*.localhost"
    insecure_allowed_cidr_ranges:
      - "127.0.0.1/8"

Docs: https://goteleport.com/docs/admin-guides/access-controls/sso/sso/#changing-callback-address

[zzJinux]

That requires admin access (or does it?). I'm suggesting this feature from the tsh users side.

I clarified I'm referring to the http: scheme URLs only.

[webvictim]

Yes, editing an SSO connector is something that would have to be done by a cluster admin.

[zzJinux]

Sorry, my bad. I knew it had nothing to do with tsh implementation but stated it wrong. I'm suggesting adding those hostnames to the hardcoded whitelist: https://github.com/gravitational/teleport/pull/44556/files#diff-63f73ee0c848453da23b86e44acec6b92c2d14380c8f86cae265138e9b7f7c56R962-R965