@@ -39,6 +39,9 @@ def login(auth_type):
3939 redirect_uri = "{}://{}{}" .format (urlparse (request .referrer ).scheme ,
4040 urlparse (request .referrer ).netloc ,
4141 url_for ('oauth2.callback' , auth_type = auth_type .lower ()))
42+ # Persist redirect_uri for callback token exchange to avoid
43+ # reverse proxy Host normalization causing redirect_uri mismatch.
44+ session [f'{ auth_type .lower ()} _redirect_uri' ] = redirect_uri
4245 qs = urlencode ({
4346 'client_id' : config ['client_id' ],
4447 'redirect_uri' : redirect_uri ,
@@ -63,12 +66,16 @@ def callback(auth_type):
6366 if 'code' not in request .values :
6467 return abort (401 , 'code is invalid' )
6568
69+ redirect_uri = session .get (f'{ auth_type .lower ()} _redirect_uri' ) or session .get (
70+ f'{ auth_type } _redirect_uri' ) or url_for (
71+ 'oauth2.callback' , auth_type = auth_type .lower (), _external = True )
72+
6673 response = requests .post (config ['token_url' ], data = {
6774 'client_id' : config ['client_id' ],
6875 'client_secret' : config ['client_secret' ],
6976 'code' : request .values ['code' ],
7077 'grant_type' : current_app .config [f'{ auth_type } _GRANT_TYPE' ],
71- 'redirect_uri' : url_for ( 'oauth2.callback' , auth_type = auth_type . lower (), _external = True ) ,
78+ 'redirect_uri' : redirect_uri ,
7279 }, headers = {'Accept' : 'application/json' })
7380 if response .status_code != 200 :
7481 current_app .logger .error (response .text )
@@ -126,6 +133,7 @@ def logout(auth_type):
126133 "acl" in session and session .pop ("acl" )
127134 "uid" in session and session .pop ("uid" )
128135 f'{ auth_type } _state' in session and session .pop (f'{ auth_type } _state' )
136+ f'{ auth_type } _redirect_uri' in session and session .pop (f'{ auth_type } _redirect_uri' )
129137 "next" in session and session .pop ("next" )
130138
131139 redirect_url = url_for ('oauth2.login' , auth_type = auth_type , _external = True , next = request .referrer )
0 commit comments