From c663aa1c75762318a5a226754ab11c199602e852 Mon Sep 17 00:00:00 2001
From: Tom Naessens
Date: Wed, 11 Dec 2013 16:32:12 +0100
Subject: [PATCH 1/7] Basic implementation
---
 oauth2_provider/views/base.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index e46e532c5..27b8246c3 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -103,6 +103,14 @@ def form_valid(self, form):
 def get(self, request, *args, **kwargs):
 try:
 scopes, credentials = self.validate_authorization_request(request)
+
+ if True:
+ uri, headers, body, status = self.create_authorization_response( request=self.request, scopes=" ".join(scopes), credentials=credentials, allow=True)
+ self.success_url = uri
+ return HttpResponseRedirect(self.success_url)
+
 kwargs['scopes_descriptions'] = [oauth2_settings.SCOPES[scope] for scope in scopes]
 kwargs['scopes'] = scopes
 # at this point we know an Application instance with such client_id exists in the database
From 7e26c50c29dd0c32cf9328bb1a82694a51afcaf3 Mon Sep 17 00:00:00 2001
From: Tom Naessens
Date: Wed, 11 Dec 2013 16:45:18 +0100
Subject: [PATCH 2/7] Hardcoded list
---
 oauth2_provider/views/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index 27b8246c3..7a27edce9 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -104,7 +104,7 @@ def get(self, request, *args, **kwargs):
 try:
 scopes, credentials = self.validate_authorization_request(request)
- if True:
+ if request.GET['redirect_uri'] in ['http://test.local:8001/callback']:
 uri, headers, body, status = self.create_authorization_response( request=self.request, scopes=" ".join(scopes), credentials=credentials, allow=True)
From 9a85a67183ebbd2805da74b18c05f306b5962f0d Mon Sep 17 00:00:00 2001
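Review bot: The `if True:` branch makes `get()` skip the consent page and issue the authorization response for every request that clears `validate_authorization_request`, so as committed no user is ever asked to approve a client; the branch needs a deliberate condition (a setting or allow-list lookup) rather than a constant, even as a first step. `headers`, `body` and `status` from `create_authorization_response` are unpacked and then discarded; `uri, _, _, _ = self.create_authorization_response(...)` would make it explicit that only the redirect target is used. The `try:` that encloses the new lines and the rest of `get()` continue outside the hunk.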
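Review bot: `request.GET['redirect_uri']` raises Django's `MultiValueDictKeyError` (a `KeyError` subclass) when the parameter is absent, and nothing visible in the enclosing `try:` suggests that is caught, so an authorization request that omits `redirect_uri` — which oauthlib accepts when the client has a single registered URI, as far as I recall — would become a 500 instead of reaching the consent page; `request.GET.get('redirect_uri')` avoids that. The same unguarded lookup is carried forward by the base.py hunk of PATCH 3 and only guarded in PATCH 7. The comparison is also made against the raw query-string value rather than the redirect URI that `validate_authorization_request` resolved into `credentials`, so the value the bypass is decided on and the value the response is built from are not the same object; comparing `credentials.get('redirect_uri')` (oauthlib's key name, worth confirming for the toolkit's wrapper) keeps the decision on the validated value. The `except` for the `try:` lies outside the hunk.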
From: Tom Naessens
Date: Wed, 11 Dec 2013 16:58:26 +0100
Subject: [PATCH 3/7] Moved the no-auth uris to the oauthsettings
---
 oauth2_provider/settings.py | 1 +
 oauth2_provider/views/base.py | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
index eb8c8701a..efcb8bf9f 100644
--- a/oauth2_provider/settings.py
+++ b/oauth2_provider/settings.py
@@ -95,6 +95,7 @@ def __init__(self, user_settings=None, defaults=None, import_strings=None, manda
 self.defaults = defaults or {}
 self.import_strings = import_strings or ()
 self.mandatory = mandatory or ()
+ self.uris_without_auth = ['http://test.local:8001/callback']
 def __getattr__(self, attr):
 if attr not in self.defaults.keys():
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index 7a27edce9..8972d9618 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -104,7 +104,8 @@ def get(self, request, *args, **kwargs):
 try:
 scopes, credentials = self.validate_authorization_request(request)
- if request.GET['redirect_uri'] in ['http://test.local:8001/callback']:
+ # If the callback URI does not require authorization; immediately return a response
+ if request.GET['redirect_uri'] in oauth2_settings.uris_without_auth:
 uri, headers, body, status = self.create_authorization_response( request=self.request, scopes=" ".join(scopes), credentials=credentials, allow=True)
From e14ddb8a985ece471f20ef9185ec367a6840b18d Mon Sep 17 00:00:00 2001
From: Tom Naessens
Date: Wed, 11 Dec 2013 17:05:27 +0100
Subject: [PATCH 4/7] Removed test data
---
 oauth2_provider/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
index efcb8bf9f..1ba5cdc6f 100644
--- a/oauth2_provider/settings.py
+++ b/oauth2_provider/settings.py
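Review bot: `self.uris_without_auth` is assigned a literal test URL inside `OAuth2ProviderSettings.__init__`, so the consent-bypass allow-list is baked into the package instead of coming from `user_settings`/`defaults` like the other values this class manages, and a deployment cannot empty it without editing the library; PATCH 5 replaces the literal but still does not read it from `USER_SETTINGS`. Because it is a plain instance attribute it also never passes through `__getattr__` or `validate_setting`, so whatever ends up in it is never checked. A `'URIS_WITHOUT_AUTH': ()` entry in `DEFAULTS`, read as `oauth2_settings.URIS_WITHOUT_AUTH` the way base.py already reads `oauth2_settings.SCOPES`, would make it configurable and validated on the same path; `DEFAULTS` itself is not visible in this hunk, so its shape is inferred from the `self.defaults.keys()` lookup below.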
@@ -95,7 +95,7 @@ def __init__(self, user_settings=None, defaults=None, import_strings=None, manda
 self.defaults = defaults or {}
 self.import_strings = import_strings or ()
 self.mandatory = mandatory or ()
- self.uris_without_auth = ['http://test.local:8001/callback']
+ self.uris_without_auth = ['']
 def __getattr__(self, attr):
 if attr not in self.defaults.keys():
From eabb3472ae782075bd4b5d021cd496f3a0c5782c Mon Sep 17 00:00:00 2001
From: Tom Naessens
Date: Wed, 18 Dec 2013 13:50:04 +0100
Subject: [PATCH 5/7] Better settings integration for allowed uris
---
 oauth2_provider/settings.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
index 1ba5cdc6f..09465ef52 100644
--- a/oauth2_provider/settings.py
+++ b/oauth2_provider/settings.py
@@ -55,6 +55,10 @@
 'OAUTH2_VALIDATOR_CLASS',
 )
+# List of callback urls that don't need to be authenticated
+URLS_WITHOUT_AUTH = (
+)
+
 def perform_import(val, setting_name):
 """
@@ -90,12 +94,12 @@ class OAuth2ProviderSettings(object):
 and return the class, rather than the string literal.
 """
- def __init__(self, user_settings=None, defaults=None, import_strings=None, mandatory=None):
+ def __init__(self, user_settings=None, defaults=None, import_strings=None, mandatory=None, urls_without_auth=None):
 self.user_settings = user_settings or {}
 self.defaults = defaults or {}
 self.import_strings = import_strings or ()
 self.mandatory = mandatory or ()
- self.uris_without_auth = ['']
+ self.uris_without_auth = urls_without_auth or ()
 def __getattr__(self, attr):
 if attr not in self.defaults.keys():
@@ -127,4 +131,4 @@ def validate_setting(self, attr, val):
 raise AttributeError("OAuth2Provider setting: '%s' is mandatory" % attr)
-oauth2_settings = OAuth2ProviderSettings(USER_SETTINGS, DEFAULTS, IMPORT_STRINGS, MANDATORY)
+oauth2_settings = OAuth2ProviderSettings(USER_SETTINGS, DEFAULTS, IMPORT_STRINGS, MANDATORY, URLS_WITHOUT_AUTH)
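Review bot: Replacing the test URL with `['']` leaves one entry in the allow-list rather than none, so an empty `redirect_uri` query value would still satisfy the `in` test in base.py and skip the consent step; whether such a value can get past `validate_authorization_request` first is not visible here, but the default should not depend on that. `self.uris_without_auth = []` is the empty default the commit title describes.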
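Review bot: The comment on `URLS_WITHOUT_AUTH` says these callbacks "don't need to be authenticated", which is not what the base.py check does: the user still has to be logged in to reach the view (as far as the visible code suggests), and what is skipped is the user's consent, with every scope the client requested granted silently. For a setting with that effect the comment should state the consequence and the matching rule, e.g. `# Redirect URIs (exact string match) for which the authorization view skips the user-consent page and approves every requested scope. Leave empty unless the owning application is fully trusted.` The `__init__` hunk below carries the same meaning and would benefit from the same wording on `self.uris_without_auth`.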
From f2d027cb40604a62cde90165e9516eb580aefc16 Mon Sep 17 00:00:00 2001
From: Tom Naessens
Date: Wed, 18 Dec 2013 13:59:52 +0100
Subject: [PATCH 6/7] Lets be consistent
---
 oauth2_provider/settings.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
index 09465ef52..9abdf2874 100644
--- a/oauth2_provider/settings.py
+++ b/oauth2_provider/settings.py
@@ -56,7 +56,7 @@
 )
 # List of callback urls that don't need to be authenticated
-URLS_WITHOUT_AUTH = (
+URIS_WITHOUT_AUTH = (
 )
@@ -94,12 +94,12 @@ class OAuth2ProviderSettings(object):
 and return the class, rather than the string literal.
 """
- def __init__(self, user_settings=None, defaults=None, import_strings=None, mandatory=None, urls_without_auth=None):
+ def __init__(self, user_settings=None, defaults=None, import_strings=None, mandatory=None, uris_without_auth=None):
 self.user_settings = user_settings or {}
 self.defaults = defaults or {}
 self.import_strings = import_strings or ()
 self.mandatory = mandatory or ()
- self.uris_without_auth = urls_without_auth or ()
+ self.uris_without_auth = uris_without_auth or ()
 def __getattr__(self, attr):
 if attr not in self.defaults.keys():
@@ -131,4 +131,4 @@ def validate_setting(self, attr, val):
 raise AttributeError("OAuth2Provider setting: '%s' is mandatory" % attr)
-oauth2_settings = OAuth2ProviderSettings(USER_SETTINGS, DEFAULTS, IMPORT_STRINGS, MANDATORY, URLS_WITHOUT_AUTH)
+oauth2_settings = OAuth2ProviderSettings(USER_SETTINGS, DEFAULTS, IMPORT_STRINGS, MANDATORY, URIS_WITHOUT_AUTH)
From 4c8cbe3fbff464af8edabb27fe544982df0eb8c2 Mon Sep 17 00:00:00 2001
From: Tom Naessens
Date: Sun, 6 Apr 2014 19:12:32 +0200
Subject: [PATCH 7/7] Added an extra check
---
 oauth2_provider/views/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index 8972d9618..9a4f526fe 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -105,7 +105,7 @@ def get(self, request, *args, **kwargs):
 scopes, credentials = self.validate_authorization_request(request)
 # If the callback URI does not require authorization; immediately return a response
- if request.GET['redirect_uri'] in oauth2_settings.uris_without_auth:
+ if 'redirect_uri' in request.GET and request.GET['redirect_uri'] in oauth2_settings.uris_without_auth:
 uri, headers, body, status = self.create_authorization_response( request=self.request, scopes=" ".join(scopes), credentials=credentials, allow=True)
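Review bot: The new guard stops the `KeyError`, but the bypass is still keyed on the raw `request.GET['redirect_uri']` string while the rest of the flow works from what `validate_authorization_request` returned; taking the resolved URI from `credentials` (the key is `redirect_uri` in oauthlib's return, worth confirming for the toolkit's wrapper) keeps the skip decision and the redirect target on one validated value and also shortens the condition to `if credentials.get('redirect_uri') in oauth2_settings.uris_without_auth:`. Since the branch approves every scope the client asked for without showing the consent page, the comment above it should say so rather than "does not require authorization"; `# Trusted callback URI (exact match against URIS_WITHOUT_AUTH): approve all requested scopes and redirect without asking the user` describes the actual behaviour. The `try:` that encloses these lines and the remainder of `get()` are outside the hunk.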