From b8a9597feb226512949a6d05c30e22971a16d9d7 Mon Sep 17 00:00:00 2001
From: Theron Luhn
Date: Thu, 3 Feb 2022 17:11:22 -0800
Subject: [PATCH 1/2] Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT.
---
 oauthlib/oauth2/rfc6749/endpoints/metadata.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/oauthlib/oauth2/rfc6749/endpoints/metadata.py b/oauthlib/oauth2/rfc6749/endpoints/metadata.py
index d43a8247..4e2becdc 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/metadata.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/metadata.py
@@ -16,6 +16,7 @@
 from .introspect import IntrospectEndpoint
 from .revocation import RevocationEndpoint
 from .token import TokenEndpoint
+from .utils import is_secure_transport
 log = logging.getLogger(__name__)
@@ -68,7 +69,7 @@ def validate_metadata(self, array, key, is_required=False, is_list=False, is_url
 raise ValueError("key {} is a mandatory metadata.".format(key))
 elif is_issuer:
- if not array[key].startswith("https"):
+ if not is_secure_transport(array[key]):
 raise ValueError("key {}: {} must be an HTTPS URL".format(key, array[key]))
 if "?" in array[key] or "&" in array[key] or "#" in array[key]:
 raise ValueError("key {}: {} must not contain query or fragment components".format(key, array[key]))
From 51b34cac90d5a9eb859f81255d0b3c24beb80d17 Mon Sep 17 00:00:00 2001
From: Theron Luhn
Date: Fri, 4 Feb 2022 09:05:26 -0800
Subject: [PATCH 2/2] Add unit test for validating issuer.
---
 oauthlib/oauth2/rfc6749/endpoints/metadata.py | 5 ++---
 tests/oauth2/rfc6749/endpoints/test_metadata.py | 10 ++++++++++
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/oauthlib/oauth2/rfc6749/endpoints/metadata.py b/oauthlib/oauth2/rfc6749/endpoints/metadata.py
index 4e2becdc..a2820f28 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/metadata.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/metadata.py
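Review bot: On the `elif is_issuer:` branch the accepted issuer now depends on the process environment — `is_secure_transport` lets an `http://` issuer through when `OAUTHLIB_INSECURE_TRANSPORT` is set (per the patch subject; the helper's body is not in this diff) — yet nothing at the call site says so and the error text still reads `must be an HTTPS URL`. Add a why-comment above the check, e.g. `# is_secure_transport() honours OAUTHLIB_INSECURE_TRANSPORT for local development only; RFC 8414 requires an https issuer, so production deployments must not set it.` The old `startswith("https")` was a bare prefix test, so the helper is presumably stricter about the `https://` scheme — worth confirming, since this hunk only swaps the call. `validate_metadata` starts and ends outside the hunk.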
@@ -10,13 +10,12 @@
 import json
 import logging
-from .. import grant_types
+from .. import grant_types, utils
 from .authorization import AuthorizationEndpoint
 from .base import BaseEndpoint, catch_errors_and_unavailability
 from .introspect import IntrospectEndpoint
 from .revocation import RevocationEndpoint
 from .token import TokenEndpoint
-from .utils import is_secure_transport
 log = logging.getLogger(__name__)
@@ -69,7 +68,7 @@ def validate_metadata(self, array, key, is_required=False, is_list=False, is_url
 raise ValueError("key {} is a mandatory metadata.".format(key))
 elif is_issuer:
- if not is_secure_transport(array[key]):
+ if not utils.is_secure_transport(array[key]):
 raise ValueError("key {}: {} must be an HTTPS URL".format(key, array[key]))
 if "?" in array[key] or "&" in array[key] or "#" in array[key]:
 raise ValueError("key {}: {} must not contain query or fragment components".format(key, array[key]))
diff --git a/tests/oauth2/rfc6749/endpoints/test_metadata.py b/tests/oauth2/rfc6749/endpoints/test_metadata.py
index d93f849b..22cf4bae 100644
--- a/tests/oauth2/rfc6749/endpoints/test_metadata.py
+++ b/tests/oauth2/rfc6749/endpoints/test_metadata.py
@@ -135,3 +135,13 @@ def sort_list(claims):
 sort_list(metadata.claims)
 sort_list(expected_claims)
 self.assertEqual(sorted(metadata.claims.items()), sorted(expected_claims.items()))
+
+ def test_metadata_validate_issuer(self):
+ with self.assertRaises(ValueError):
+ endpoint = TokenEndpoint(
+ None, None, grant_types={"password": None},
+ )
+ metadata = MetadataEndpoint([endpoint], {
+ "issuer": 'http://foo.bar',
+ "token_endpoint": "https://foo.bar/token",
+ })
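Review bot: In `test_metadata_validate_issuer` the `with self.assertRaises(ValueError):` block also wraps the `TokenEndpoint(None, None, ...)` construction, so a `ValueError` from that constructor would make the test pass without the issuer check ever running; build the endpoint above the `with` and keep only the `MetadataEndpoint(...)` call inside it (the `metadata =` assignment is unused and can go). The outcome is now decided by `utils.is_secure_transport` (see the metadata.py hunks above), which reads `OAUTHLIB_INSECURE_TRANSPORT`, so the test should pin that variable rather than inherit the developer's shell — `unittest.mock.patch.dict` on `os.environ` restores it on exit. The behaviour the first patch actually adds, an `http://` issuer being accepted while the variable is set, has no test at all; a second case under `patch.dict("os.environ", {"OAUTHLIB_INSECURE_TRANSPORT": "1"})` would cover it, assuming the rest of that metadata dict otherwise validates. The rewrite below assumes `os` and `mock` are importable in this test module; the enclosing test class continues outside the hunk.
```python
    def test_metadata_validate_issuer(self):
        endpoint = TokenEndpoint(
            None, None, grant_types={"password": None},
        )
        # Issuer validation goes through utils.is_secure_transport, which
        # consults OAUTHLIB_INSECURE_TRANSPORT; pin the environment so the
        # result does not depend on the shell the tests run from.
        with mock.patch.dict("os.environ"):
            os.environ.pop("OAUTHLIB_INSECURE_TRANSPORT", None)
            with self.assertRaises(ValueError):
                MetadataEndpoint([endpoint], {
                    "issuer": 'http://foo.bar',
                    "token_endpoint": "https://foo.bar/token",
                })
```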