From b123283ba3d41acb3e787fdf68bd5907972b4bad Mon Sep 17 00:00:00 2001
From: Theron Luhn
Date: Sun, 6 Mar 2022 09:24:34 -0800
Subject: Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT. (#803)
* Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT.
* Add unit test for validating issuer.
---
 oauthlib/oauth2/rfc6749/endpoints/metadata.py | 4 ++--
 tests/oauth2/rfc6749/endpoints/test_metadata.py | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/oauthlib/oauth2/rfc6749/endpoints/metadata.py b/oauthlib/oauth2/rfc6749/endpoints/metadata.py
index d43a824..a2820f2 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/metadata.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/metadata.py
@@ -10,7 +10,7 @@ import copy
 import json
 import logging
-from .. import grant_types
+from .. import grant_types, utils
 from .authorization import AuthorizationEndpoint
 from .base import BaseEndpoint, catch_errors_and_unavailability
 from .introspect import IntrospectEndpoint
@@ -68,7 +68,7 @@ class MetadataEndpoint(BaseEndpoint):
 raise ValueError("key {} is a mandatory metadata.".format(key))
 elif is_issuer:
- if not array[key].startswith("https"):
+ if not utils.is_secure_transport(array[key]):
 raise ValueError("key {}: {} must be an HTTPS URL".format(key, array[key]))
 if "?" in array[key] or "&" in array[key] or "#" in array[key]:
 raise ValueError("key {}: {} must not contain query or fragment components".format(key, array[key]))
diff --git a/tests/oauth2/rfc6749/endpoints/test_metadata.py b/tests/oauth2/rfc6749/endpoints/test_metadata.py
index d93f849..22cf4ba 100644
--- a/tests/oauth2/rfc6749/endpoints/test_metadata.py
+++ b/tests/oauth2/rfc6749/endpoints/test_metadata.py
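Review bot: The issuer check at `if not utils.is_secure_transport(array[key]):` in the `-68,7` hunk now depends on the process environment, yet nothing at the call site says so or records when the relaxed path is taken. If `is_secure_transport` returns True whenever `OAUTHLIB_INSECURE_TRANSPORT` is set (its body is not part of this diff), then with the variable set this branch performs no scheme check at all, so any value without `?`, `&` or `#` is accepted as the issuer and published in the metadata document. I would add a comment above the check, e.g. `# Non-HTTPS issuers pass only when OAUTHLIB_INSECURE_TRANSPORT is set (development/testing); RFC 8414 requires an https issuer.`, and consider logging a warning when the accepted issuer does not start with `https://`, so that a production deployment that inherited the variable is noticed. The enclosing method starts before the hunk and continues after it.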
@@ -135,3 +135,13 @@ class MetadataEndpointTest(TestCase):
 sort_list(metadata.claims)
 sort_list(expected_claims)
 self.assertEqual(sorted(metadata.claims.items()), sorted(expected_claims.items()))
+
+ def test_metadata_validate_issuer(self):
+ with self.assertRaises(ValueError):
+ endpoint = TokenEndpoint(
+ None, None, grant_types={"password": None},
+ )
+ metadata = MetadataEndpoint([endpoint], {
+ "issuer": 'http://foo.bar',
+ "token_endpoint": "https://foo.bar/token",
+ })
-- cgit v1.2.1
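Review bot: `test_metadata_validate_issuer` asserts only the rejection path and runs with whatever `OAUTHLIB_INSECURE_TRANSPORT` value the test process inherited, so it never exercises the acceptance behaviour this commit adds and would presumably fail on a machine where that variable is exported. The `TokenEndpoint(...)` construction also sits inside the `assertRaises` block, so a `ValueError` raised by that constructor would satisfy the test without the issuer check ever running. I would build the endpoint outside the block and pin the variable both ways, as sketched below; this needs `os` and `unittest.mock` in the test module if they are not already imported there. The enclosing test class starts outside the hunk.

```python
    def test_metadata_validate_issuer(self):
        # Built outside assertRaises so only MetadataEndpoint can satisfy it.
        endpoint = TokenEndpoint(
            None, None, grant_types={"password": None},
        )
        claims = {
            "issuer": 'http://foo.bar',
            "token_endpoint": "https://foo.bar/token",
        }
        # Override absent: a plain-HTTP issuer must be rejected.
        with mock.patch.dict(os.environ):
            os.environ.pop("OAUTHLIB_INSECURE_TRANSPORT", None)
            with self.assertRaises(ValueError):
                MetadataEndpoint([endpoint], claims)
        # Override set: the same issuer is accepted.
        with mock.patch.dict(os.environ, {"OAUTHLIB_INSECURE_TRANSPORT": "1"}):
            metadata = MetadataEndpoint([endpoint], claims)
            self.assertEqual(metadata.claims["issuer"], 'http://foo.bar')
```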