fastmcp.server.auth.redirect_validation

Utilities for validating client redirect URIs in OAuth flows. This module provides secure redirect URI validation with wildcard support, protecting against userinfo-based bypass attacks like http://localhost@evil.com.

Functions

matches_allowed_pattern

matches_allowed_pattern(uri: str, pattern: str) -> bool
Securely check whether a URI matches an allowed pattern, with wildcard support. The function parses both the URI and the pattern as URLs and compares each component (scheme, host, port, path) separately, which prevents bypass attacks such as userinfo injection. Patterns support wildcards.
Security: Rejects URIs that carry userinfo (user:pass@host), which could bypass naive string matching (e.g., http://localhost@evil.com, whose host is actually evil.com).
Args:
  • uri: The redirect URI to validate
  • pattern: The allowed pattern (may contain wildcards)
Returns:
  • True if the URI matches the pattern

validate_redirect_uri

validate_redirect_uri(redirect_uri: str | AnyUrl | None, allowed_patterns: list[str] | None) -> bool
Validate a redirect URI against a list of allowed patterns.
Args:
  • redirect_uri: The redirect URI to validate
  • allowed_patterns: List of allowed patterns. If None, all URIs are allowed (for DCR compatibility). If empty list, no URIs are allowed. To restrict to localhost only, explicitly pass DEFAULT_LOCALHOST_PATTERNS.
Returns:
  • True if the redirect URI is allowed