From 3b6be54ab967d9ac6174fae97b5368c1d9f6c6c3 Mon Sep 17 00:00:00 2001
From: Jonathan Huot <jonathan.huot@thomsonreuters.com>
Date: Mon, 30 Jul 2018 14:48:24 +0200
Subject: Call get_default_redirect_uri if no redirect_uri in token req

---
 .../rfc6749/grant_types/authorization_code.py       | 11 +++++++++++
 .../endpoints/test_credentials_preservation.py      | 21 +++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
index 0660263..1ad6727 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
@@ -420,6 +420,17 @@ class AuthorizationCodeGrant(GrantTypeBase):
         # REQUIRED, if the "redirect_uri" parameter was included in the
         # authorization request as described in Section 4.1.1, and their
         # values MUST be identical.
+        if request.redirect_uri is None:
+            request.using_default_redirect_uri = True
+            request.redirect_uri = self.request_validator.get_default_redirect_uri(
+                request.client_id, request)
+            log.debug('Using default redirect_uri %s.', request.redirect_uri)
+            if not request.redirect_uri:
+                raise errors.MissingRedirectURIError(request=request)
+        else:
+            request.using_default_redirect_uri = False
+            log.debug('Using provided redirect_uri %s', request.redirect_uri)
+
         if not self.request_validator.confirm_redirect_uri(request.client_id, request.code,
                                                            request.redirect_uri, request.client,
                                                            request):
diff --git a/tests/oauth2/rfc6749/endpoints/test_credentials_preservation.py b/tests/oauth2/rfc6749/endpoints/test_credentials_preservation.py
index 0eb719f..50c2956 100644
--- a/tests/oauth2/rfc6749/endpoints/test_credentials_preservation.py
+++ b/tests/oauth2/rfc6749/endpoints/test_credentials_preservation.py
@@ -116,3 +116,24 @@ class PreservationTest(TestCase):
         self.assertRaises(errors.MissingRedirectURIError,
                 self.mobile.create_authorization_response,
                 auth_uri + '&response_type=token', scopes=['random'])
+
+    def test_default_uri_in_token(self):
+        auth_uri = 'http://example.com/path?state=xyz&client_id=abc'
+        token_uri = 'http://example.com/path'
+
+        # authorization grant
+        h, _, s = self.web.create_authorization_response(
+                auth_uri + '&response_type=code', scopes=['random'])
+        self.assertEqual(s, 302)
+        self.assertIn('Location', h)
+        self.assertTrue(h['Location'].startswith(self.DEFAULT_REDIRECT_URI))
+
+        # confirm_redirect_uri should return true if the redirect uri
+        # was not given in the authorization AND not in the token request.
+        self.validator.confirm_redirect_uri.return_value = True
+        code = get_query_credentials(h['Location'])['code'][0]
+        self.validator.validate_code.side_effect = self.set_state('xyz')
+        _, body, s = self.web.create_token_response(token_uri,
+                body='grant_type=authorization_code&code=%s' % code)
+        self.assertEqual(s, 200)
+        self.assertEqual(self.validator.confirm_redirect_uri.call_args[0][2], self.DEFAULT_REDIRECT_URI)
-- 
cgit v1.2.1