Build the OAuth redirect URL ourselves, rather than relying on undocumented Flask behavior

app.py

@@ -2,6 +2,7 @@ import logging
 import os
 import json
 
+from functools import partial
 from flask import Flask, request, Request, _request_ctx_stack
 from flask.ext.principal import Principal
 from flask.ext.login import LoginManager, UserMixin
@@ -21,6 +22,7 @@ from data.buildlogs import BuildLogs
 from data.archivedlogs import LogArchive
 from data.userevent import UserEventsBuilderModule
 from data.queue import WorkQueue, MetricQueueReporter
+from util import get_app_url
 from util.saas.analytics import Analytics
 from util.saas.exceptionlog import Sentry
 from util.names import urn_generator
@@ -173,5 +175,4 @@ class LoginWrappedDBUser(UserMixin):
   def get_id(self):
     return unicode(self._uuid)
 
-def get_app_url():
-  return '%s://%s' % (app.config['PREFERRED_URL_SCHEME'], app.config['SERVER_HOSTNAME'])
+get_app_url = partial(get_app_url, app.config)

data/model/oauth.py

@@ -8,8 +8,9 @@ from oauth2lib import utils
 
 from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken, User,
                            AccessToken, random_string_generator)
-from data.model import user
+from data.model import user, config
 from auth import scopes
+from util import get_app_url
 
 
 logger = logging.getLogger(__name__)
@@ -45,7 +46,10 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
       return False
 
   def validate_redirect_uri(self, client_id, redirect_uri):
-    if redirect_uri == url_for('web.oauth_local_handler', _external=True):
+    internal_redirect_url = '%s%s' % (get_app_url(config.app_config),
+                                      url_for('web.oauth_local_handler'))
+
+    if redirect_uri == internal_redirect_url:
       return True
 
     try:

util/__init__.py

@@ -0,0 +1,3 @@
+def get_app_url(config):
+  """ Returns the application's URL, based on the given config. """
+  return '%s://%s' % (config['PREFERRED_URL_SCHEME'], config['SERVER_HOSTNAME'])