The OIDC callback listener does not currently specify an IP address or name to bind the listener to:
vault-plugin-auth-jwt/cli.go
Line 97 in 716d11f
The golang net package documentation specifies that not providing a host or IP address results in the following behavior:
If the host in the address parameter is empty or a literal unspecified IP address, Listen listens on all available unicast and anycast IP addresses of the local system.
This results in users on OS X seeing a pop up dialog box asking Do you want the application “vault” to accept incoming network connections? when they execute vault login -method=oidc because the listener is attempting to bind to non-localhost IPs.
By default it might be preferable for most use cases to bind only to localhost by default, and update the code linked above to read listener, err := net.Listen("tcp", "localhost:"+port).
Changing the value to "localhost:"+port may cause problems for the use cases #80 was added to support, so likely a listenaddress parameter should be made available so that those use cases can override a default localhost value.
I've opened PR #86 with a possible fix for this.
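The binding behavior described in this issue, as an added example that is not part of the original issue or the plugin's code: it binds with an empty host and with an explicit host, then reports what the socket is actually bound to. The names `callbackAddr`, `exposure`, `listenAndClassify` and the `listenAddress` override are hypothetical, and port `0` is a constructed value that lets the OS pick a free port.

```go
package main

import (
	"fmt"
	"net"
)

// defaultListenAddress is the default proposed in the issue.
const defaultListenAddress = "localhost"

// callbackAddr builds the address handed to net.Listen. listenAddress is a
// hypothetical override parameter; empty means "use the localhost default".
func callbackAddr(listenAddress, port string) string {
	if listenAddress == "" {
		listenAddress = defaultListenAddress
	}
	return net.JoinHostPort(listenAddress, port)
}

// exposure reports which local addresses a listener is actually bound to.
func exposure(l net.Listener) string {
	tcp, ok := l.Addr().(*net.TCPAddr)
	switch {
	case !ok:
		return "unknown"
	case len(tcp.IP) == 0 || tcp.IP.IsUnspecified():
		return "all-interfaces" // bound on every local address
	case tcp.IP.IsLoopback():
		return "loopback" // bound on the loopback address only
	}
	return "specific-interface"
}

// listenAndClassify binds addr, classifies the bound socket, then closes it.
func listenAndClassify(addr string) (string, error) {
	l, err := net.Listen("tcp", addr)
	if err != nil {
		return "", err
	}
	defer l.Close()
	return exposure(l), nil
}

func main() {
	for _, addr := range []string{":0", callbackAddr("", "0"), callbackAddr("0.0.0.0", "0")} {
		kind, err := listenAndClassify(addr)
		fmt.Printf("%-14s -> %s (err=%v)\n", addr, kind, err)
	}
}
```

Passing an unspecified address such as `0.0.0.0` as the override restores the all-interfaces binding, so the override is the opt-in path for setups that need it.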