Library version used

4.81.0 and 91a3647

.NET version

net10.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

I have a custom authorization server which requires public native clients to use loopback IP literals instead of "localhost" as recommended in RFC 8252 and draft-ietf-oauth-v2-1-14. When I try to get an access token with the following code, my system browser is left on a "Bad Request - Invalid Hostname" after completing authentication in the auth server.

Seems that the HttpListener only has a prefix for "localhost" and listening for authorization code response will fail with IP literal.

Relevant code snippets

var app = PublicClientApplicationBuilder.Create(clientId)
		.WithExperimentalFeatures()
		.WithOidcAuthority(authority)
		.WithRedirectUri($"http://127.0.0.1:{port}/")
		.Build();
var authResult = await app.AcquireTokenInteractive(scopes)
		.WithLoginHint(user)
		.WithUseEmbeddedWebView(false)
		.ExecuteAsync();

also occurs with

var app = PublicClientApplicationBuilder.Create(clientId)
		.WithExperimentalFeatures()
		.WithOidcAuthority(authority)
		.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
		.WithRedirectUri($"http://127.0.0.1:{port}/")
		.Build();
var authResult = await app.AcquireTokenInteractive(scopes)
		.WithLoginHint(user)
		.ExecuteAsync();

Expected behavior

MSAL should ideally bind to IP literals instead of localhost as recommended in the RFC.

More realistically, MSAL system browser flows should work with loopback IP literals in addition to localhost, since a lot of existing stuff likely depends on the current behavior.

Identity provider

Other

Regression

No response

Solution and workarounds

No response