From e7b7bfddd65b41350c195552cb6b8504b691a846 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 26 Jul 2021 11:29:16 +0200
Subject: [PATCH] providers/oauth2: fix blank redirect_uri not working with TokenView

Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/views/token.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index d192cba50..c97086f7a 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -126,7 +126,15 @@ class TokenParams:
 LOGGER.warning("Missing authorization code")
 raise TokenError("invalid_grant")
 
- if self.redirect_uri not in self.provider.redirect_uris.split():
+ allowed_redirect_urls = self.provider.redirect_uris.split()
+ if len(allowed_redirect_urls) < 1:
+ LOGGER.warning(
+ "Provider has no allowed redirect_uri set, allowing all.",
+ allow=self.redirect_uri.lower(),
+ )
+ elif self.redirect_uri.lower() not in [
+ x.lower() for x in allowed_redirect_urls
+ ]:
 LOGGER.warning(
 "Invalid redirect uri",
 uri=self.redirect_uri,
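Review bot: The `elif` branch lowercases the whole URI on both sides, so path and query are now matched case-insensitively, although only the scheme and host of a URI are case-insensitive. OAuth security guidance recommends exact string matching for redirect URIs, and `elif self.redirect_uri not in allowed_redirect_urls:` would keep that. In the empty-list branch any redirect_uri is accepted at the token endpoint, so it is worth confirming that code outside this hunk still compares it with the redirect_uri bound to the authorization code. The log field `allow=self.redirect_uri.lower()` would be easier to correlate as `uri=self.redirect_uri`, matching the "Invalid redirect uri" warning below it. The enclosing method starts and ends outside the hunk.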