def get_default_redirect_uri(self, client_id, request, *args, **kwargs):
    """
    Return the ``redirect_uri`` registered for the client with the given id.

    The stored value is passed through ``render_url_template`` with
    ``request.uri`` as the example URL before it is returned.

    :param client_id: id used to look the client up via ``find_client``
    :param request: the request being processed; only its ``uri`` is read
    :returns: the rendered redirect URI, or ``None`` when no client is found
    """
    registered_client = self.find_client(client_id)
    if registered_client is None:
        # Unknown client: there is no default to offer.
        return None
    return render_url_template(
        registered_client.redirect_uri, example_url=request.uri
    )
def _client_url(request):
    """
    Return the configured URL for the client.

    Reads the ``h.client_url`` setting (falling back to
    ``DEFAULT_CLIENT_URL``) and renders it as a URL template against
    ``request.url``. When the ``embed_cachebuster`` feature is on, a
    ``cachebuster`` query parameter holding the current Unix time in whole
    seconds is appended.
    """
    settings = request.registry.settings
    template = settings.get("h.client_url", DEFAULT_CLIENT_URL)
    client_url = render_url_template(template, example_url=request.url)

    if not request.feature("embed_cachebuster"):
        return client_url

    # The parameter is always introduced with "?", whatever the URL holds.
    return f"{client_url}?cachebuster={int(time.time())}"
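def validate_redirect_uri(self, client_id, redirect_uri, request, *args, **kwargs):
    """
    Validate that the provided ``redirect_uri`` matches the one stored on the client.

    The stored value may be a URL template, so it is rendered before the
    comparison. The template is rendered from ``request.uri``, the same
    source ``get_default_redirect_uri`` uses, and never from the
    ``redirect_uri`` that is being validated.

    :param client_id: id used to look the client up via ``find_client``
    :param redirect_uri: the redirect URI supplied by the caller
    :param request: the request being processed; only its ``uri`` is read
    :returns: ``True`` when ``redirect_uri`` equals the rendered registered
        URI, ``False`` when it differs or no client is found
    """
    client = self.find_client(client_id)
    if client is None:
        return False

    # render_url_template fills the template in from example_url. Feeding it
    # the value under validation would let the caller decide what the
    # template's placeholders expand to, so those parts of the registered URI
    # would never actually be compared. Render from the request's own URL
    # instead and require an exact match.
    expected_uri = render_url_template(client.redirect_uri, example_url=request.uri)
    return redirect_uri == expected_uri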
def confirm_redirect_uri(self, client_id, code, redirect_uri, client, *args, **kwargs):
    """
    Check that the redirect_uri was not altered between the two OAuth steps.

    RFC 6749 requires the ``redirect_uri`` used when an authorization code
    was issued to be checked again when that code is exchanged for an access
    token. A client may include a ``redirect_uri`` in the token request, and
    it must then agree with the one from the authorization request.

    Only registered redirect URIs are supported; a client cannot choose one
    at authorization time. The check is therefore: if the token request
    carries a ``redirect_uri``, it must match the client's registered
    ``redirect_uri``.

    :param redirect_uri: value from the token request; may be empty
    :param client: object whose ``authclient.redirect_uri`` is the registered
        (possibly templated) URI
    :returns: ``True`` when no ``redirect_uri`` was sent or it matches the
        rendered registered URI, ``False`` otherwise
    """
    if redirect_uri:
        # NOTE(review): the template is rendered from the redirect_uri under
        # test, so any part of the registered URI that the template takes
        # from example_url is effectively not compared. No request object is
        # a named parameter here, so rendering from the server's own URL
        # would need the caller's request; confirm how this method is
        # invoked before changing it.
        registered_uri = render_url_template(
            client.authclient.redirect_uri, example_url=redirect_uri
        )
        return redirect_uri == registered_uri

    # Nothing was supplied in the token request, so there is nothing to compare.
    return True
def test_replaces_params(self, url_template, example_url, expected):
    """Rendering ``url_template`` against ``example_url`` yields ``expected``."""
    rendered = uri.render_url_template(url_template, example_url)
    assert rendered == expected