is it secure to use ngrok for a redirect uri for o

Posted 2019-08-17 13:43

Question:

Let me make this clear from the beginning: I'm a complete noob regarding oauth2 and not a dev (just a monkey interested in tech stuff), so the question might be silly. If so, please don't hesitate to smash the monkey as he truly deserves it...

Since I wanted to get a better understanding of how oauth2 works, I wanted to set up Slack within Emacs. This is not my first project with oauth2: I managed to get offlineimap working with Gmail using oauth2. However, Google did one step automatically, which I'm struggling with right now for Slack.

My question is all about the redirect URL. Google set this up for me, pointing to my localhost. Now Slack doesn't do the job for me, and since my localhost isn't reachable from the outside (of my home network) I need to set up a way to securely get to my localhost.

How does google set this up?

I came across ngrok, which looks to me like a solution to my problem. Again, I've never heard of / used it before. I think I would be able to get that stuff up and running, but I would like to know:

Is this a safe and secure solution? To what should I pay attention?

Answer 1:

"Is this a safe and secure solution?" is a very broad question, and you can surely find a lot of discussion and opinions on this forum on how safe VPN tunnels for HTTP are in general and ngrok in particular.

So the answer is: it depends on what your requirements are. Any other answer will be opinionated or will have to make assumptions about your requirements, which you have not specified.

Having said that:

  • If you want to use it for local development (incl. OAuth), ngrok appears to be safe enough to be recommended by the Slack team for local development (see tutorial).
  • If you want to use it for a production environment and/or in a company network, I would recommend verifying with the responsible IT security officer before using it. However, it is a professional and well-known product used by many companies, so you should have a fair chance that it gets approved.

I have not used Google OAuth, but in my experience with other OAuth services it's pretty standard that they call you via a redirect URL.
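The part of the flow the question is about, the redirect URI landing on a local listener, is where the "to what should I pay attention" question has a concrete answer: once the listener is reachable through a public tunnel, anyone who finds the URL can send requests to it, so the callback must be tied to the session that started the flow. The following is an added example, not code from the original post or from Slack or ngrok. It builds an authorization-code request that carries a random `state` and a PKCE `code_challenge` (RFC 7636, S256 method), and a small local callback handler that rejects any request whose `state` does not match and otherwise hands back the authorization code. The authorization endpoint, client id and the `*.ngrok.io` redirect URI are placeholders I assumed for illustration; the redirect URI must be registered with the provider exactly as the tunnel presents it, and the token exchange (where the `code_verifier` is sent) is deliberately not shown.

```python
import base64
import hashlib
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values, not taken from the original post: a generic
# authorization endpoint, a client id, and the public hostname a tunnel such
# as ngrok would hand out. The redirect URI must match the one registered
# with the provider character for character.
AUTHORIZE_ENDPOINT = "https://example.com/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://abcd1234.ngrok.io/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method.

    A stolen authorization code is useless to an attacker without the
    verifier, which never leaves this process until the token exchange.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, code_challenge: str, scope: str = "chat:write") -> str:
    """Authorization request the user opens in a browser (scope is illustrative)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_redirect(path: str, expected_state: str) -> str:
    """Validate the callback request line and return the authorization code.

    Raises ValueError for provider errors, a missing or foreign `state`,
    or anything other than exactly one `code` parameter.
    """
    query = parse_qs(urlparse(path).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    got_state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means this callback was not
    # started by our session (CSRF, replay, or a stray hit on the tunnel).
    if not hmac.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: callback was not initiated by this session")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback does not carry exactly one authorization code")
    return codes[0]


class CallbackHandler(BaseHTTPRequestHandler):
    """Minimal listener behind the tunnel; only the registered path is served."""
    expected_state = ""
    received_code: Optional[str] = None

    def do_GET(self) -> None:
        if urlparse(self.path).path != urlparse(REDIRECT_URI).path:
            self.send_error(404)
            return
        try:
            CallbackHandler.received_code = parse_redirect(self.path, CallbackHandler.expected_state)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Authorization code received; you can close this tab.")

    def log_message(self, *args) -> None:
        pass  # keep the code and state out of the console log


def run_once(port: int = 8080) -> Tuple[str, str]:
    """Print the authorization URL, then block until one valid callback arrives.

    Returns (authorization_code, code_verifier) for the token exchange.
    """
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    CallbackHandler.expected_state = state
    print("Open this URL in a browser:\n" + build_authorize_url(state, challenge))
    server = HTTPServer(("127.0.0.1", port), CallbackHandler)
    while CallbackHandler.received_code is None:
        server.handle_request()  # one request at a time; bad callbacks get 400 and we keep waiting
    return CallbackHandler.received_code, verifier


if __name__ == "__main__":
    run_once()
```

Run it, point the tunnel at port 8080, and the listener will answer 404 to random path probes, 400 to callbacks whose `state` is not the one printed in the URL, and 200 only to the genuine redirect. Because the tunnel hostname is public, also remember that a free ngrok hostname changes on every restart, so the registered redirect URI has to be updated each time, and that the listener should be shut down as soon as the code has been exchanged.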