
Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider

Çağlar Arlı

To help developers with integrating with our SAML/OAuth/OIDC Identity Provider on their local dev environments, I'm thinking about configuring a demo client/app in our production IdP that has localhost configured as a valid redirect URL (OAuth/OIDC) or AssertionConsumer (SAML), publishing its client credentials and allowing CORS from localhost. This would allow them to get started and test with their own account without the need to set up the IdP for their specific application.

Are there any risks involved with that?

For any attack scenario I can imagine, someone would either need to convince the victim to install software locally that would listen on localhost or intercept web requests (at which point it can compromise almost anything), or at least convince the victim to copy code from the browser's URL bar after authentication (e.g. to get the OAuth authorization code). And in the end, my demo application would of course not release much info anyway. Probably just the username.

So is this something I can do safely?
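As an added illustration (not part of the question above, and not any real IdP's code), the following shows how an IdP would keep such a demo client narrowly scoped: the registered localhost redirect URI and CORS origin are matched exactly rather than by prefix, plain http is tolerated only for a loopback host, and the client may only request the minimal scope the demo needs. The client registration values are constructed and hypothetical.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed registration for the demo client described in the question.
# All values are hypothetical, not taken from the original post or a real IdP.
DEMO_CLIENT = {
    "client_id": "demo-localhost-client",
    "redirect_uris": frozenset({"http://localhost:3000/callback"}),
    "cors_origins": frozenset({"http://localhost:3000"}),
    "scopes": frozenset({"openid"}),  # only what the demo needs (e.g. the username)
}

def _loopback_http_only(uri: str) -> bool:
    """Plain http is tolerated only for a loopback host; anything else needs https."""
    p = urlsplit(uri)
    if p.scheme == "https":
        return True
    return p.scheme == "http" and p.hostname in {"localhost", "127.0.0.1", "::1"}

def redirect_uri_allowed(client: dict, candidate: str) -> bool:
    """Byte-for-byte match against the registered redirect URIs.

    No prefix, wildcard or 'contains' matching: a different port, an extra
    path segment, or a look-alike host such as localhost.example.net all
    fail, so an authorization code issued for this client can only be
    delivered to the registered loopback listener.
    """
    return _loopback_http_only(candidate) and candidate in client["redirect_uris"]

def cors_origin_allowed(client: dict, origin: str) -> bool:
    """Exact Origin match (scheme, host, port); never reflect the request's Origin."""
    p = urlsplit(origin)
    if p.path or p.query or p.fragment:
        return False  # an Origin header carries no path component
    return _loopback_http_only(origin) and origin in client["cors_origins"]

def check_authorize_request(client: dict, redirect_uri: str, scope: str,
                            origin: Optional[str] = None) -> List[str]:
    """Return the reasons to reject the request; an empty list means acceptable."""
    problems = []
    if not redirect_uri_allowed(client, redirect_uri):
        problems.append("redirect_uri not registered")
    if not set(scope.split()) <= client["scopes"]:
        problems.append("scope exceeds what the demo client is allowed")
    if origin is not None and not cors_origin_allowed(client, origin):
        problems.append("origin not allowed for CORS")
    return problems
```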