6

From my Django app, how to I redirect a user to somescheme://someurl.com?

To give you some context in case it helps, I have a working oauth2 server written in Python/Django and I need to allow users to register redirect_uris that have a custom URL scheme. This custom URL scheme is used for handling the redirect within native apps.

My first reaction was to use an HttpResponseRedirect, but this URL has a custom scheme and isn't HTTP so I'm guessing this is not what I want. Thanks in advance for any advice you can give.

Edit: I did try this and Django returns the response redirect correctly without throwing an error, but the browser does not redirect to this URL. I'm using Chrome to test this.

Edit 2: HttpResponseRedirect works fine in safari.

Spike
  • 4,642
  • 3
  • 28
  • 45
  • 1
    Have you tried it? The redirect response goes back to the client, so it might just work. – zmbq Sep 07 '12 at 23:11

2 Answers2

19

This actually should not work as Django is only allowing redirects to http, https and ftp by default for security reasons:

https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/

I was having the same issue with OAuth and redirect to custom schemes.
Django (on Apache) is throwing 500's (django.core.exceptions.SuspiciousOperation) when redirecting to custom schemes. The solution is to create your own HttpResponseRedirect subclass or just do:

location = < your redirect URL >
res = HttpResponse(location, status=302)
res['Location'] = location
return res
Pascal
  • 16,319
  • 4
  • 56
  • 66
  • Thanks for the heads up! I haven't tried this yet but will mark it correct if I do and it works. I was on Django 1.4.0 which is probably why I didn't notice this problem. – Spike Dec 06 '12 at 16:17
  • Just to add to this, I found (for Django 1.6), that if you subclass `HttpResponseRedirect` you also need to add your custom protocol[s] to the `allowed_schemes` class variable, otherwise Django will still raise `SuspiciousOperation` – Tom Dalton Nov 28 '14 at 11:09
3

class HttpResponseRedirect

The first argument to the constructor is required -- the path to redirect to. This can >be a fully qualified URL (e.g. 'http://www.yahoo.com/search/') or an absolute path with no >domain (e.g. '/search/'). See HttpResponse for other optional constructor arguments. Note >that this returns an HTTP status code 302.

This is from here: https://docs.djangoproject.com/en/dev/ref/request-response/

It should work anyway from what I'm reading.

baordog
  • 1,564
  • 1
  • 16
  • 30