Redirect URIs must match exactly. (#191)

* Test redirect_uri construction

This was a test marked as TODO.

* Remove duplicate test

* Add tests to exactly match redirect URIs

* Redirect URIs must match exactly.

To quote from the specification at
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest:

Redirection URI to which the response will be sent. This URI MUST
exactly match one of the Redirection URI values for the Client
pre-registered at the OpenID Provider, with the matching performed as
described in Section 6.2.1 of [RFC3986] (Simple String Comparison).
Jan Brauer 2017-07-07 09:07:21 +02:00 committed by Wojciech Bartosiak
parent f07327a713
commit 1215c27d7e
5 changed files with 70 additions and 56 deletions


@ -3,7 +3,6 @@ import hashlib
import logging
import re
from django.contrib.auth import authenticate
from oidc_provider.lib.utils.common import cleanup_url_from_query_string
try:
from urllib.parse import unquote
@ -43,8 +42,7 @@ class TokenEndpoint(object):
self.params['client_id'] = client_id
self.params['client_secret'] = client_secret
self.params['redirect_uri'] = unquote(
self.request.POST.get('redirect_uri', '').split('?', 1)[0])
self.params['redirect_uri'] = self.request.POST.get('redirect_uri', '')
self.params['grant_type'] = self.request.POST.get('grant_type', '')
self.params['code'] = self.request.POST.get('code', '')
self.params['state'] = self.request.POST.get('state', '')
@ -93,8 +91,7 @@ class TokenEndpoint(object):
raise TokenError('invalid_client')
if self.params['grant_type'] == 'authorization_code':
clean_redirect_uri = cleanup_url_from_query_string(self.params['redirect_uri'])
if not (clean_redirect_uri in self.client.redirect_uris):
if not (self.params['redirect_uri'] in self.client.redirect_uris):
logger.debug('[Token] Invalid redirect uri: %s', self.params['redirect_uri'])
raise TokenError('invalid_client')