diff --git a/docs/changelog.rst b/docs/changelog.rst
index 39f5e75..6f97097 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -3,8 +3,19 @@ Changelog
 =========
-2.0.3 (2023-09-08
-=================
+UNRELEASED
+==========
+
+- Restore the ``OVERWRITE_REDIRECT_URI`` configuration option as
+ ``OIDC_OVERWRITE_REDIRECT_URI``.
+- The ``redirect_uri`` that is generated and sent to the ID provider is no longer
+ forced to HTTPS, because the `the OIDC spec`_ is actually only a strong
+ recommendation (:issue:`35`). You can use ``OVERWRITE_REDIRECT_URI`` if you want
+ to force it to HTTPS (or any other URL).
+
+
+2.0.3 (2023-09-08)
+==================
 Fixed
 -----
diff --git a/flask_oidc/__init__.py b/flask_oidc/__init__.py
index db577fb..5e984e4 100644
--- a/flask_oidc/__init__.py
+++ b/flask_oidc/__init__.py
@@ -54,7 +54,6 @@
 "OIDC_ID_TOKEN_COOKIE_TTL",
 "OIDC_COOKIE_SECURE",
 "OIDC_OPENID_REALM",
-"OVERWRITE_REDIRECT_URI",
 "OIDC_CALLBACK_ROUTE",
 "OIDC_USERINFO_URL",
 )
@@ -133,6 +132,18 @@ def init_app(self, app, prefix=None):
 app.config.setdefault("OIDC_RESOURCE_SERVER_ONLY", False)
 app.config.setdefault("OIDC_CALLBACK_ROUTE", None)
+ if "OVERWRITE_REDIRECT_URI" in app.config:
+ warnings.warn(
+ "The 'OVERWRITE_REDIRECT_URI' configuration value has been replaced by "
+ "'OIDC_OVERWRITE_REDIRECT_URI', please update your configuration.",
+ DeprecationWarning,
+ stacklevel=2,
+ )
+ app.config.setdefault(
+ "OIDC_OVERWRITE_REDIRECT_URI", app.config["OVERWRITE_REDIRECT_URI"]
+ )
+ app.config.setdefault("OIDC_OVERWRITE_REDIRECT_URI", None)
+
 app.config.setdefault("OIDC_SCOPES", "openid email")
 if "openid" not in app.config["OIDC_SCOPES"]:
 raise ValueError('The value "openid" must be in the OIDC_SCOPES')
diff --git a/flask_oidc/views.py b/flask_oidc/views.py
index 1dafda9..b11c0a6 100644
--- a/flask_oidc/views.py
+++ b/flask_oidc/views.py
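Review bot: The new `OIDC_OVERWRITE_REDIRECT_URI` value is passed to the provider unchanged as the OAuth `redirect_uri` (the `login_view` change in `flask_oidc/views.py` on this same commit), but nothing near `app.config.setdefault("OIDC_OVERWRITE_REDIRECT_URI", None)` in the second `__init__.py` hunk says so; I would add above that line `# Sent verbatim as redirect_uri; must exactly match the URI registered with the provider.`. When both the old and the new key are set, `setdefault` keeps the new one and the deprecation message does not say which wins, so a short clause such as `(the new key takes precedence when both are set)` in the warning text would help operators migrating. This assumes `warnings` is already imported at module top, which is outside the hunk; `init_app` itself starts and ends outside the hunk.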
@@ -47,12 +47,14 @@
 @auth_routes.route("/login", endpoint="login")
 def login_view():
- if current_app.config["OIDC_CALLBACK_ROUTE"]:
+ if current_app.config["OIDC_OVERWRITE_REDIRECT_URI"]:
+ redirect_uri = current_app.config["OIDC_OVERWRITE_REDIRECT_URI"]
+ elif current_app.config["OIDC_CALLBACK_ROUTE"]:
 redirect_uri = (
 f"https://{request.host}{current_app.config['OIDC_CALLBACK_ROUTE']}"
 )
 else:
- redirect_uri = url_for("oidc_auth.authorize", _external=True, _scheme="https")
+ redirect_uri = url_for("oidc_auth.authorize", _external=True)
 session["next"] = request.args.get("next", request.root_url)
 return g._oidc_auth.authorize_redirect(redirect_uri)
diff --git a/tests/test_flask_oidc.py b/tests/test_flask_oidc.py
index f63bce4..6d02d6a 100644
--- a/tests/test_flask_oidc.py
+++ b/tests/test_flask_oidc.py
@@ -57,7 +57,7 @@ def test_signin(test_app, client, mocked_responses, dummy_token):
 token_query = parse_qs(mocked_responses.calls[1][0].body)
 assert token_query == {
 "grant_type": ["authorization_code"],
- "redirect_uri": ["https://localhost/authorize"],
+ "redirect_uri": ["http://localhost/authorize"],
 "code": ["mock_auth_code"],
 "client_id": ["MyClient"],
 "client_secret": ["MySecret"],
@@ -348,3 +348,17 @@ def test_oidc_callback_route(make_test_app):
 resp = client.get("/dummy_cb?dummy_arg=dummy_value")
 assert resp.status_code == 302
 assert resp.location == "/authorize?dummy_arg=dummy_value"
+
+
+ def test_oidc_overwrite_redirect_uri_deprecated(make_test_app):
+ with pytest.warns():
+ app = make_test_app({"OVERWRITE_REDIRECT_URI": "http://localhost/dummy_cb"})
+ assert app.config.get("OIDC_OVERWRITE_REDIRECT_URI", "http://localhost/dummy_cb")
+
+
+ def test_oidc_overwrite_redirect_uri(make_test_app):
+ app = make_test_app({"OIDC_OVERWRITE_REDIRECT_URI": "http://localhost/dummy_cb"})
+ client = app.test_client()
+ resp = client.get("/login")
+ assert resp.status_code == 302
+ assert "redirect_uri=http%3A%2F%2Flocalhost%2Fdummy_cb" in resp.location
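Review bot: With `_scheme="https"` dropped from the `url_for` fallback in `login_view`, the generated `redirect_uri` now takes its scheme from the incoming request, so an app behind a TLS-terminating reverse proxy that does not apply `X-Forwarded-Proto` (for example via werkzeug's `ProxyFix`) will advertise an `http://` callback that no longer matches the HTTPS URI registered at the provider, and a provider enforcing exact redirect_uri matching will reject the authorization request. The `OIDC_CALLBACK_ROUTE` branch a few lines above still hard-codes `https://`, so the two fallbacks now disagree on scheme, which is worth either aligning or stating explicitly. I would add above the `url_for` line `# Scheme follows request.scheme; behind a TLS-terminating proxy configure X-Forwarded-Proto handling or set OIDC_OVERWRITE_REDIRECT_URI.` and above the new first branch `# Used verbatim; must match the redirect URI registered with the provider.`.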
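Review bot: The assertion in `test_oidc_overwrite_redirect_uri_deprecated` cannot fail: `app.config.get("OIDC_OVERWRITE_REDIRECT_URI", "http://localhost/dummy_cb")` returns the non-empty default whenever the key is absent, so the test passes even if the deprecated value was never copied over. It should read `assert app.config["OIDC_OVERWRITE_REDIRECT_URI"] == "http://localhost/dummy_cb"`. Since the shim in `flask_oidc/__init__.py` emits a `DeprecationWarning`, the context manager should also pin the category, `with pytest.warns(DeprecationWarning):`, so an unrelated warning cannot satisfy it.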