Merge pull request #729 from azmeuk/714-redirect-uri-fragments

lepture · web-flow · commit 29fbe667fee1 · 2025-04-02T17:43:19.000+09:00
Forbid URL fragments in redirect_uris
diff --git a/authlib/common/urls.py b/authlib/common/urls.py
@@ -139,6 +139,8 @@ def extract_params(raw):
         return None
 
 
-def is_valid_url(url):
+def is_valid_url(url: str, fragments_allowed=True):
     parsed = urlparse.urlparse(url)
-    return parsed.scheme and parsed.hostname
+    return (
+        parsed.scheme and parsed.hostname and (fragments_allowed or not parsed.fragment)
+    )
diff --git a/authlib/oauth2/rfc7591/claims.py b/authlib/oauth2/rfc7591/claims.py
@@ -217,7 +217,7 @@ def validate_software_version(self):
     def _validate_uri(self, key, uri=None):
         if uri is None:
             uri = self.get(key)
-        if uri and not is_valid_url(uri):
+        if uri and not is_valid_url(uri, fragments_allowed=False):
             raise InvalidClaimError(key)
 
     @classmethod
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -12,8 +12,9 @@ Version 1.5.2
 
 **Unreleased**
 
+- Forbid fragments in ``redirect_uris``. :issue:`714`
 - Fix invalid characters in ``error_description``. :issue:`720`
-- Add ``claims_cls``` parameter for client's ``parse_id_token`` method.
+- Add ``claims_cls``` parameter for client's ``parse_id_token`` method. :issue:`725`
 
 
 Version 1.5.1
diff --git a/tests/flask/test_oauth2/test_client_registration_endpoint.py b/tests/flask/test_oauth2/test_client_registration_endpoint.py
@@ -654,3 +654,34 @@ def test_require_auth_time(self):
         rv = self.client.post("/create_client", json=body, headers=self.headers)
         resp = json.loads(rv.data)
         self.assertIn(resp["error"], "invalid_client_metadata")
+
+    def test_redirect_uri(self):
+        """RFC6749 indicate that fragments are forbidden in redirect_uri.
+
+            The redirection endpoint URI MUST be an absolute URI as defined by
+            [RFC3986] Section 4.3.  [...]  The endpoint URI MUST NOT include a
+            fragment component.
+
+        https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2
+        """
+        self.prepare_data()
+
+        # Nominal case
+        body = {
+            "redirect_uris": ["https://client.test"],
+            "client_name": "Authlib",
+        }
+        rv = self.client.post("/create_client", json=body, headers=self.headers)
+        resp = json.loads(rv.data)
+        self.assertIn("client_id", resp)
+        self.assertEqual(resp["client_name"], "Authlib")
+        self.assertEqual(resp["redirect_uris"], ["https://client.test"])
+
+        # Error case
+        body = {
+            "redirect_uris": ["https://client.test#fragment"],
+            "client_name": "Authlib",
+        }
+        rv = self.client.post("/create_client", json=body, headers=self.headers)
+        resp = json.loads(rv.data)
+        self.assertIn(resp["error"], "invalid_client_metadata")
