Unable to set "http://localhost:8000" as OIDC client callback URI

Article ID: 278641

Updated On: 09-05-2024

Products

SITEMINDER

Issue/Introduction

When using SiteMinder as an OIDC provider and creating an OIDC client, an OIDC callback URI must be specified.

However, if one uses just http://localhost as the redirect URI, SiteMinder returns an "Invalid URI" error message.

Is it possible to use http://localhost as a redirect URI?

Environment

CA SiteMinder, all versions up to 12.8.8

Cause

No, it is not possible to use just localhost as the callback URI.

According to RFC3986, in section 3.1.2.1 regarding the authentication request redirect URI:

redirect_uri

REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case.

Also, if the Client is a native application, it MAY use the http scheme with localhost or the IP loopback literals 127.0.0.1 or [::1] as the hostname. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.

SiteMinder implements this recommendation with regard to the use of https, but it does not allow localhost as the redirect URI hostname, regardless of whether http or https is used.

Resolution

  • To use http as the protocol, the client type must be set to Confidential.
  • Use of localhost is, however, not supported in the current implementation of SiteMinder.
  • Some workarounds may be available:
    • Define 127.0.0.1 <hostname>.<domainname> in the hosts file and then use <hostname>.<domainname> as the redirect_uri.
    • Or, change the configuration of the application whose login you are trying to configure (for instance, for kubectl see Usage).
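The following is an added example, not SiteMinder code: it encodes the redirect_uri acceptance rules quoted above (exact string match, https preferred, http only for Confidential clients, loopback only for native applications) next to the stricter behaviour this article attributes to SiteMinder, and runs both against a localhost URI and the hosts-file workaround from the Resolution. The Client class, the app.example.test hostname and the function names are constructed for illustration.

```python
# Added example (not SiteMinder code): redirect_uri checks as quoted from the
# OIDC spec text above, beside the stricter rule the article describes for
# SiteMinder. Client and URI values below are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}  # urlsplit strips [] from [::1]


@dataclass(frozen=True)
class Client:
    registered_uris: tuple  # Redirection URIs pre-registered at the OP
    confidential: bool      # OIDC Client Type: confidential vs public
    native: bool            # native application (may use loopback per spec)


def spec_allows(client: Client, uri: str, op_allows_http: bool = True) -> bool:
    """Redirect URI acceptance per the spec text quoted in the article."""
    # Simple String Comparison (RFC 3986 s6.2.1): exact match, so
    # "http://host/cb" and "http://host/cb/" are different URIs.
    if uri not in client.registered_uris:
        return False
    parts = urlsplit(uri)
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        if parts.hostname in LOOPBACK_HOSTS:
            return client.native            # loopback only for native apps
        return client.confidential and op_allows_http
    return True  # alternate (custom) scheme: the spec says the client MAY use one


def siteminder_allows(client: Client, uri: str) -> bool:
    """Behaviour the article describes: no localhost/loopback at all,
    and http requires a Confidential client."""
    parts = urlsplit(uri)
    if parts.hostname in LOOPBACK_HOSTS:
        return False
    if parts.scheme == "http" and not client.confidential:
        return False
    return uri in client.registered_uris


if __name__ == "__main__":
    native = Client(("http://localhost:8000/callback",), confidential=False, native=True)
    # Spec permits loopback for a native app; SiteMinder (per this article) rejects it.
    print(spec_allows(native, "http://localhost:8000/callback"),
          siteminder_allows(native, "http://localhost:8000/callback"))
    # Workaround: a hosts-file name (constructed) mapped to 127.0.0.1, Confidential client.
    wa = Client(("http://app.example.test:8000/callback",), confidential=True, native=False)
    print(spec_allows(wa, "http://app.example.test:8000/callback"),
          siteminder_allows(wa, "http://app.example.test:8000/callback"))
```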