Don't force redirect_uri to HTTPS

Fix: fedora-infra#35
Signed-off-by: Aurélien Bompard <[email protected]>

docs/changelog.rst

@@ -3,8 +3,19 @@ Changelog
 =========
 
 
-2.0.3 (2023-09-08
-=================
+UNRELEASED
+==========
+
+- Restore the ``OVERWRITE_REDIRECT_URI`` configuration option as
+  ``OIDC_OVERWRITE_REDIRECT_URI``.
+- The ``redirect_uri`` that is generated and sent to the ID provider is no longer
+  forced to HTTPS, because the `the OIDC spec`_ is actually only a strong
+  recommendation (:issue:`35`). You can use ``OVERWRITE_REDIRECT_URI`` if you want
+  to force it to HTTPS (or any other URL).
+
+
+2.0.3 (2023-09-08)
+==================
 
 Fixed
 -----

flask_oidc/__init__.py

@@ -54,7 +54,6 @@
     "OIDC_ID_TOKEN_COOKIE_TTL",
     "OIDC_COOKIE_SECURE",
     "OIDC_OPENID_REALM",
-    "OVERWRITE_REDIRECT_URI",
     "OIDC_CALLBACK_ROUTE",
     "OIDC_USERINFO_URL",
 )
@@ -133,6 +132,18 @@ def init_app(self, app, prefix=None):
         app.config.setdefault("OIDC_RESOURCE_SERVER_ONLY", False)
         app.config.setdefault("OIDC_CALLBACK_ROUTE", None)
 
+        if "OVERWRITE_REDIRECT_URI" in app.config:
+            warnings.warn(
+                "The 'OVERWRITE_REDIRECT_URI' configuration value has been replaced by "
+                "'OIDC_OVERWRITE_REDIRECT_URI', please update your configuration.",
+                DeprecationWarning,
+                stacklevel=2,
+            )
+            app.config.setdefault(
+                "OIDC_OVERWRITE_REDIRECT_URI", app.config["OVERWRITE_REDIRECT_URI"]
+            )
+        app.config.setdefault("OIDC_OVERWRITE_REDIRECT_URI", None)
+
         app.config.setdefault("OIDC_SCOPES", "openid email")
         if "openid" not in app.config["OIDC_SCOPES"]:
             raise ValueError('The value "openid" must be in the OIDC_SCOPES')

flask_oidc/views.py

@@ -47,12 +47,14 @@
 
 @auth_routes.route("/login", endpoint="login")
 def login_view():
-    if current_app.config["OIDC_CALLBACK_ROUTE"]:
+    if current_app.config["OIDC_OVERWRITE_REDIRECT_URI"]:
+        redirect_uri = current_app.config["OIDC_OVERWRITE_REDIRECT_URI"]
+    elif current_app.config["OIDC_CALLBACK_ROUTE"]:
         redirect_uri = (
             f"https://{request.host}{current_app.config['OIDC_CALLBACK_ROUTE']}"
         )
     else:
-        redirect_uri = url_for("oidc_auth.authorize", _external=True, _scheme="https")
+        redirect_uri = url_for("oidc_auth.authorize", _external=True)
     session["next"] = request.args.get("next", request.root_url)
     return g._oidc_auth.authorize_redirect(redirect_uri)
 

tests/test_flask_oidc.py

@@ -57,7 +57,7 @@ def test_signin(test_app, client, mocked_responses, dummy_token):
     token_query = parse_qs(mocked_responses.calls[1][0].body)
     assert token_query == {
         "grant_type": ["authorization_code"],
-        "redirect_uri": ["https://localhost/authorize"],
+        "redirect_uri": ["http://localhost/authorize"],
         "code": ["mock_auth_code"],
         "client_id": ["MyClient"],
         "client_secret": ["MySecret"],
@@ -348,3 +348,17 @@ def test_oidc_callback_route(make_test_app):
         resp = client.get("/dummy_cb?dummy_arg=dummy_value")
     assert resp.status_code == 302
     assert resp.location == "/authorize?dummy_arg=dummy_value"
+
+
+def test_oidc_overwrite_redirect_uri_deprecated(make_test_app):
+    with pytest.warns():
+        app = make_test_app({"OVERWRITE_REDIRECT_URI": "http://localhost/dummy_cb"})
+    assert app.config.get("OIDC_OVERWRITE_REDIRECT_URI", "http://localhost/dummy_cb")
+
+
+def test_oidc_overwrite_redirect_uri(make_test_app):
+    app = make_test_app({"OIDC_OVERWRITE_REDIRECT_URI": "http://localhost/dummy_cb"})
+    client = app.test_client()
+    resp = client.get("/login")
+    assert resp.status_code == 302
+    assert "redirect_uri=http%3A%2F%2Flocalhost%2Fdummy_cb" in resp.location