Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT.

oauthlib/oauth2/rfc6749/endpoints/metadata.py

@@ -10,7 +10,7 @@
 import json
 import logging
 
-from .. import grant_types
+from .. import grant_types, utils
 from .authorization import AuthorizationEndpoint
 from .base import BaseEndpoint, catch_errors_and_unavailability
 from .introspect import IntrospectEndpoint
@@ -68,7 +68,7 @@ def validate_metadata(self, array, key, is_required=False, is_list=False, is_url
                 raise ValueError("key {} is a mandatory metadata.".format(key))
 
         elif is_issuer:
-            if not array[key].startswith("https"):
+            if not utils.is_secure_transport(array[key]):
                 raise ValueError("key {}: {} must be an HTTPS URL".format(key, array[key]))
             if "?" in array[key] or "&" in array[key] or "#" in array[key]:
                 raise ValueError("key {}: {} must not contain query or fragment components".format(key, array[key]))

tests/oauth2/rfc6749/endpoints/test_metadata.py

@@ -135,3 +135,13 @@ def sort_list(claims):
         sort_list(metadata.claims)
         sort_list(expected_claims)
         self.assertEqual(sorted(metadata.claims.items()), sorted(expected_claims.items()))
+
+    def test_metadata_validate_issuer(self):
+        with self.assertRaises(ValueError):
+            endpoint = TokenEndpoint(
+                None, None, grant_types={"password": None},
+            )
+            metadata = MetadataEndpoint([endpoint], {
+                "issuer": 'http://foo.bar',
+                "token_endpoint": "https://foo.bar/token",
+            })