flask, authlib

loginpass OAuth client - incorrect behavior


Edit: Seems like the redirect_uri stored in Session is not persisting across calls.

Using loginpass as an OAuth2 client and the authlib server from The Example Repo as the OAuth2 server.

Using this code in loginpass

 from loginpass import create_flask_blueprint

 # backend, oauth and handle_authorize are set up earlier in the app
 bp = create_flask_blueprint(backend, oauth, handle_authorize)
 app.register_blueprint(bp, url_prefix='/{}'.format(backend.OAUTH_NAME))

In the authorization step, loginpass sends out a redirect_uri parameter to the OAuth2 Server. The server responds with the auth code, and then loginpass requests a token, but does not include the redirect_uri.

OAuth2 raises an InvalidRequestError while processing the request because (per section 4.1.3 of RFC 6749)

redirect_uri REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

The server code that raises InvalidRequestError

 # redirect_uri sent with the token request (None if the client omitted it)
 redirect_uri = self.request.redirect_uri
 # redirect_uri that was bound to the code at authorization time
 _redirect_uri = authorization_code.get_redirect_uri()
 original_redirect_uri = _redirect_uri or None
 # RFC 6749 section 4.1.3: the two values MUST be identical
 if redirect_uri != original_redirect_uri:
     raise InvalidRequestError('Invalid "redirect_uri" in request.')

Solution

  • The problem was that I was running the OAuth Server app on localhost as well as the OAuth Client app. They would overwrite each other's cookies which led to

    • The client app losing session state
    • authlib client library not sending the redirect URI to the token endpoint.
    • OAuth server rejecting the token request since the redirect URI was not the same as the one in the request for the auth code.

    The solution was to have the apps run on different domains - got by in this case with localhost vs 127.0.0.1.
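The failure chain described in this issue, as an added, self-contained simulation that is not loginpass or authlib code: a toy authorization server that binds each code to the redirect_uri from the authorization request and enforces RFC 6749 section 4.1.3 at the token endpoint, a browser cookie jar that scopes cookies by host name only (RFC 6265 does not isolate cookies by port), and a client that keeps its redirect_uri in a cookie named "session". All class and function names, the callback path and the cookie contents are hypothetical. Running the flow with both apps on localhost reproduces the rejection; moving the client to 127.0.0.1 makes it succeed.

```python
"""Simulation of the redirect_uri check at the token endpoint and of the
cookie collision between two apps on the same host.  Added example; the
names below are hypothetical and not the real loginpass/authlib API."""
import secrets
from urllib.parse import urlsplit


class InvalidRequestError(Exception):
    """Stand-in for the server-side error raised on a bad token request."""


class AuthServer:
    """Issues single-use authorization codes and remembers the redirect_uri
    each code was issued for."""

    def __init__(self):
        self._codes = {}  # code -> redirect_uri from the authorization request (or None)

    def authorize(self, redirect_uri=None):
        code = secrets.token_urlsafe(16)
        self._codes[code] = redirect_uri
        return code

    def token(self, code, redirect_uri=None):
        if code not in self._codes:
            raise InvalidRequestError('Invalid "code" in request.')
        original = self._codes.pop(code)  # codes are single use
        # RFC 6749 section 4.1.3: redirect_uri is REQUIRED if it was present in the
        # authorization request, and the values MUST be identical (plain comparison).
        if redirect_uri != original:
            raise InvalidRequestError('Invalid "redirect_uri" in request.')
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class BrowserCookieJar:
    """Cookies are keyed by (host name, cookie name).  The port is ignored, so
    apps on localhost:5000 and localhost:5001 share one "session" cookie."""

    def __init__(self):
        self._jar = {}

    def set(self, url, name, value):
        self._jar[(urlsplit(url).hostname, name)] = value

    def get(self, url, name):
        return self._jar.get((urlsplit(url).hostname, name))


class Client:
    """OAuth client that stores the redirect_uri it used in its session cookie
    and reads it back when exchanging the code (as loginpass does)."""

    COOKIE = "session"  # Flask's default session cookie name

    def __init__(self, base_url, jar):
        self.base_url = base_url
        self.jar = jar

    def start_login(self):
        redirect_uri = self.base_url + "/authlib/auth"  # hypothetical callback path
        self.jar.set(self.base_url, self.COOKIE, redirect_uri)
        return redirect_uri

    def finish_login(self, server, code):
        # If the other app overwrote the cookie, this is no longer the redirect_uri.
        redirect_uri = self.jar.get(self.base_url, self.COOKIE)
        return server.token(code, redirect_uri=redirect_uri)


def run_flow(client_base, server_base):
    """Return True if the token exchange succeeds, False if the server rejects it."""
    jar = BrowserCookieJar()
    server = AuthServer()
    client = Client(client_base, jar)
    redirect_uri = client.start_login()
    # The server's own Flask app writes its "session" cookie into the same browser
    # while rendering its login/consent page, before issuing the code.
    jar.set(server_base, Client.COOKIE, "server-side-session")
    code = server.authorize(redirect_uri=redirect_uri)
    try:
        client.finish_login(server, code)
        return True
    except InvalidRequestError:
        return False


if __name__ == "__main__":
    print("both on localhost:", run_flow("http://localhost:5000", "http://localhost:5001"))
    print("127.0.0.1 vs localhost:", run_flow("http://127.0.0.1:5000", "http://localhost:5001"))
```

The comparison in `AuthServer.token` is deliberately a plain string equality, matching the quoted server code: a trailing slash or a different host spelling is a mismatch, which is why the fix was to stop the cookie from being clobbered rather than to relax the check.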