From 77b03164f7ee838e76ec6b565e5cda03f0571bfc Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 10 Feb 2026 14:54:37 -0600
Subject: Check only for the base URL and path.

To allow the client to pass flags to the redirect_uri that the authorisation server has no interest in, check that only the "base" url (protocol, hostname/netlog and path) are registered, ignoring any query and fragment parameters.
---
 gn_auth/auth/authentication/oauth2/models/oauth2client.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gn_auth/auth/authentication/oauth2/models/oauth2client.py b/gn_auth/auth/authentication/oauth2/models/oauth2client.py
index 1639e2e..fe12ff9 100644
--- a/gn_auth/auth/authentication/oauth2/models/oauth2client.py
+++ b/gn_auth/auth/authentication/oauth2/models/oauth2client.py
@@ -2,6 +2,7 @@
 import json
 import datetime
 from uuid import UUID
+from urllib.parse import urlparse
 from functools import cached_property
 from dataclasses import asdict, dataclass
 from typing import Any, Sequence, Optional
@@ -135,7 +136,9 @@ class OAuth2Client(ClientMixin):
         """
         Check whether the given `redirect_uri` is one of the expected ones.
         """
-        return redirect_uri in self.redirect_uris
+        uri = urlparse(redirect_uri)._replace(
+            query="")._replace(fragment="").geturl()
+        return uri in self.redirect_uris
 
     @cached_property
     def response_types(self) -> Sequence[str]:
-- 
cgit 1.4.1
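Review bot: Stripping the query and fragment before the membership test in the second hunk means a registered redirect URI that itself carries a query component (which RFC 6749 §3.1.2.2 permits) can no longer match anything, and it departs from the exact-string comparison the OAuth 2.0 Security BCP (RFC 9700 §4.1.3) requires for redirect URIs, since any client-supplied query string is now accepted for a registered base. If the relaxation is intended, the docstring should state it, e.g. `Query and fragment components of ``redirect_uri`` are ignored; only scheme, netloc and path must match a registered URI.` Separately, `urlparse` raises `ValueError` on some malformed inputs (an unbalanced IPv6 bracket in the netloc, for instance), which the old `in` check could never do, so the rewrite below guards the parse and also folds the two `_replace` calls into one. The enclosing method's signature lies above the hunk, so its name is not visible here.
```python
        try:
            parsed = urlparse(redirect_uri)
        except ValueError:
            # A URI that cannot be parsed can never match a registered one.
            return False
        uri = parsed._replace(query="", fragment="").geturl()
        return uri in self.redirect_uris
```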