I am trying to implement an OAuth2 provider server in Python from the https://github.com/lepture/flask-oauthlib/tree/master/tests/oauth2/server.py code base, but I got stuck when trying to do some redirect_uri validation customization for the OAuth2 grant (type = authorization code) flow.
According to oauth2.py, I should be able to add a function called validate_redirect_uri() to do my own customized redirect_uri validation. However, after implementing "def validate_redirect_uri(self, redirect_uri):" in the Grant class, I found it was never invoked when I POST to /oauth/authorize with parameters like "response_type=code&client_id=confidential&redirect_uri=https%3A%2F%2fXXX.com%2Foauth%2Fcallback%3FXXX%3D111&state=11".
I am sure that the POST is fine (scope was put in the POST body, so it was not missing), because if I only alter the redirect_uri to a NOT customized one, it grants just fine.
In Server.py:

    @oauth.grantgetter
    def get_grant(client_id, code):
        return Grant.query.filter_by(client_id=client_id, code=code).first()

    class Grant(db.Model):
        # Customized hook; customizedValidateRedirectURI is my own helper (not shown)
        def validate_redirect_uri(self, redirect_uri):
            print('validate_redirect_uri:', redirect_uri, '\n')
            if customizedValidateRedirectURI(redirect_uri) != -1:
                print('valid redirect uri')
                return True
            return False

        def delete(self):
            db.session.delete(self)
            db.session.commit()
            return self
In oauth2.py:

    def confirm_redirect_uri(self, client_id, code, redirect_uri, client,
                             *args, **kwargs):
        """Ensure client is authorized to redirect to the redirect_uri.

        This method is used in the authorization code grant flow. It will
        compare redirect_uri and the one in grant token strictly, you can
        add a `validate_redirect_uri` function on grant for a customized
        validation.
        """
        client = client or self._clientgetter(client_id)
        log.debug('Confirm redirect uri for client %r and code %r.',
                  client.client_id, code)
        grant = self._grantgetter(client_id=client.client_id, code=code)
        if not grant:
            log.debug('Grant not found.')
            return False
        if hasattr(grant, 'validate_redirect_uri'):
            return grant.validate_redirect_uri(redirect_uri)
"print('validate_redirect_uri:', redirect_uri, '\n')" was never printed, so the function "validate_redirect_uri(self, redirect_uri)" never got invoked?
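Added example, not part of the original post and not flask-oauthlib's own code. In oauthlib's authorization-code grant the request validator's validate_redirect_uri is called while the authorization request (/oauth/authorize) is validated, and confirm_redirect_uri, the method excerpted above, is called later, when the code is exchanged at the token endpoint. flask-oauthlib's validator for the authorize step looks for a validate_redirect_uri hook on the Client model, not on the Grant, and otherwise checks membership in client.redirect_uris. The model below reproduces both dispatches offline so the difference can be exercised, and pairs them with a strict comparison routine (exact scheme, host, port and path, with a named allow-list for extra query keys) rather than a substring match, which would accept look-alike hosts. PlainClient, CustomClient, Grant, same_registered_uri, the allowed_extra_params policy and the example URIs are constructed for this illustration.

```python
"""Added example (not from the original post or flask-oauthlib): models the two
redirect_uri checks oauthlib makes in the authorization-code flow.

  * authorize_step mirrors the validator's validate_redirect_uri, used for
    /oauth/authorize (hook on the Client model, else membership check);
  * token_step mirrors the confirm_redirect_uri excerpt, used at /oauth/token
    (hook on the Grant, else strict comparison with grant.redirect_uri).

The classes and URIs here are constructed for the example.
"""
from urllib.parse import parse_qsl, urlsplit


def same_registered_uri(registered, presented, allowed_extra_params=()):
    """Strict comparison that tolerates only explicitly named extra query keys.

    Scheme, host, port and path must be identical (no substring or prefix
    matching, so https://app.example.attacker.net/... never passes for
    https://app.example/...). Every query parameter of the registered URI
    must be present with the same value; additional parameters are accepted
    only when their key is in allowed_extra_params. Fragments and non-https
    schemes are refused outright.
    """
    reg, got = urlsplit(registered), urlsplit(presented)
    if got.scheme != "https" or got.fragment:
        return False
    if (reg.scheme, reg.netloc, reg.path) != (got.scheme, got.netloc, got.path):
        return False
    required = dict(parse_qsl(reg.query, keep_blank_values=True))
    got_pairs = parse_qsl(got.query, keep_blank_values=True)
    for key, value in got_pairs:
        if key in required:
            if required[key] != value:
                return False
        elif key not in allowed_extra_params:
            return False
    return set(required) <= {key for key, _ in got_pairs}


class PlainClient:
    """Client model without a hook: the authorize step falls back to membership."""

    def __init__(self, client_id, redirect_uris):
        self.client_id = client_id
        self.redirect_uris = list(redirect_uris)


class CustomClient(PlainClient):
    """Client model carrying the hook the authorize step consults."""

    def __init__(self, client_id, redirect_uris, allowed_extra_params=()):
        super().__init__(client_id, redirect_uris)
        self.allowed_extra_params = tuple(allowed_extra_params)

    def validate_redirect_uri(self, redirect_uri):
        return any(same_registered_uri(r, redirect_uri, self.allowed_extra_params)
                   for r in self.redirect_uris)


class Grant:
    """Grant row created at /oauth/authorize; stores the URI that was presented."""

    def __init__(self, client_id, code, redirect_uri):
        self.client_id = client_id
        self.code = code
        self.redirect_uri = redirect_uri

    def validate_redirect_uri(self, redirect_uri):
        # Reached from confirm_redirect_uri: the token request must name exactly
        # the URI the code was issued for, query string included.
        return same_registered_uri(self.redirect_uri, redirect_uri)


def authorize_step(client, redirect_uri):
    """Dispatch for /oauth/authorize: Client hook if present, else membership."""
    if hasattr(client, "validate_redirect_uri"):
        return client.validate_redirect_uri(redirect_uri)
    return redirect_uri in client.redirect_uris


def token_step(grant, redirect_uri):
    """Dispatch for /oauth/token, as in the excerpt: Grant hook if present,
    else the strict comparison its docstring describes."""
    if grant is None:
        return False
    if hasattr(grant, "validate_redirect_uri"):
        return grant.validate_redirect_uri(redirect_uri)
    return grant.redirect_uri == redirect_uri


# Constructed inputs in the shape of the question's request (not real endpoints).
REGISTERED = "https://app.example/oauth/callback"
PRESENTED = "https://app.example/oauth/callback?hint=111"


def demo():
    plain = PlainClient("confidential", [REGISTERED])
    custom = CustomClient("confidential", [REGISTERED], allowed_extra_params=("hint",))
    grant = Grant("confidential", "code-1", PRESENTED)
    return {
        # A hook on the Grant alone changes nothing here: authorize never reads the Grant.
        "authorize_plain_client": authorize_step(plain, PRESENTED),
        "authorize_custom_client": authorize_step(custom, PRESENTED),
        "token_same_uri": token_step(grant, PRESENTED),
        "token_lookalike_host": token_step(
            grant, "https://app.example.attacker.net/oauth/callback?hint=111"),
        "authorize_unlisted_param": authorize_step(
            custom, "https://app.example/oauth/callback?next=https://attacker.net"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running the module shows the first scenario rejected and the second accepted with the same request: the only difference is which model carries the hook. Whatever comparison the Client hook applies, the Grant hook should be at least as strict, because the token exchange is the last point at which the server can refuse to bind the issued code to a redirect target it never approved.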