skip oauthlib absolute-uri check

because we want to allow relative redirect uri for internal oauth
2025-10-17 15:03:02 +00:00 · 2018-09-10 17:11:06 +02:00
parent df74ff68ab
commit b84e929e8c
2 changed files with 12 additions and 13 deletions
--- a/jupyterhub/apihandlers/auth.py
+++ b/jupyterhub/apihandlers/auth.py
@@ -113,7 +113,7 @@ class OAuthHandler:
        (uri, http_method, body, headers)
        """
        return (
-            self.make_absolute_redirect_uri(self.request.uri),
+            self.request.uri,
            self.request.method,
            self.request.body,
            self.request.headers,
@@ -125,6 +125,9 @@ class OAuthHandler:
        internal redirect uris, e.g. `/user/foo/oauth_handler`
        are allowed in jupyterhub, but oauthlib prohibits them.
        Add `$HOST` header to redirect_uri to make them acceptable.
+
+        Currently unused in favor of monkeypatching
+        oauthlib.is_absolute_uri to skip the check
        """
        redirect_uri = self.get_argument('redirect_uri')
        if not redirect_uri or not redirect_uri.startswith('/'):
--- a/jupyterhub/oauth/provider.py
+++ b/jupyterhub/oauth/provider.py
@@ -17,6 +17,13 @@ from .. import orm
 from ..utils import url_path_join, hash_token, compare_token


+# patch absolute-uri check
+# because we want to allow relative uri oauth
+# for internal services
+from oauthlib.oauth2.rfc6749.grant_types import authorization_code
+authorization_code.is_absolute_uri = lambda uri: True
+
+
 class JupyterHubRequestValidator(RequestValidator):

    def __init__(self, db):
@@ -485,18 +492,7 @@ class JupyterHubRequestValidator(RequestValidator):
        if orm_client is None:
            app_log.warning("No such oauth client %s", client_id)
            return False
-        if '://' in redirect_uri and '://' not in orm_client.redirect_uri:
-            # default internal "/path/only" redirect uri
-            # confirm it matches our Host header and protocol of Referer
-            expected = "{}://{}{}".format(
-                urlparse(request.headers.get('Referer', '')).scheme,
-                request.headers.get('Host', '[missing Host]'),
-                orm_client.redirect_uri,
-            )
-        else:
-            expected = orm_client.redirect_uri
-
-        if redirect_uri == expected:
+        if redirect_uri == orm_client.redirect_uri:
            return True
        else:
            app_log.warning("Redirect uri %s != %s", redirect_uri, orm_client.redirect_uri)