From 40051744cc4ba51768fe9bea15dc61e54f1d13d7 Mon Sep 17 00:00:00 2001
From: Matias Salles
Date: Wed, 10 Nov 2021 18:09:46 -0300
Subject: [PATCH 1/2] consider redirect uri when code or access token is passed via the request body, allow redirect uri via body also

---
 lib/omniauth/strategies/google_oauth2.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/omniauth/strategies/google_oauth2.rb b/lib/omniauth/strategies/google_oauth2.rb
index 4cdb655..d6cb636 100644
--- a/lib/omniauth/strategies/google_oauth2.rb
+++ b/lib/omniauth/strategies/google_oauth2.rb
@@ -121,8 +121,9 @@ def get_access_token(request)
  request.body.rewind # rewind request body for downstream middlewares
  verifier = body && body['code']
  access_token = body && body['access_token']
+ redirect_uri ||= body && body['redirect_uri']
  if verifier
- client_get_token(verifier, 'postmessage')
+ client_get_token(verifier, redirect_uri || 'postmessage')
  elsif verify_token(access_token)
  ::OAuth2::AccessToken.from_hash(client, body.dup)
  end

From 3942b6af34e0f85825cae3ac38b8e7b74bf22229 Mon Sep 17 00:00:00 2001
From: Matias Salles
Date: Tue, 23 Nov 2021 19:13:14 -0300
Subject: [PATCH 2/2] redirect uri via body test

---
 spec/omniauth/strategies/google_oauth2_spec.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/spec/omniauth/strategies/google_oauth2_spec.rb b/spec/omniauth/strategies/google_oauth2_spec.rb
index 2c909ad..5cb6007 100644
--- a/spec/omniauth/strategies/google_oauth2_spec.rb
+++ b/spec/omniauth/strategies/google_oauth2_spec.rb
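Review bot: The added `redirect_uri ||= body && body['redirect_uri']` lets whoever posts the JSON body choose the redirect_uri that is sent to Google's token endpoint, where the code-exchange path previously sent the fixed 'postmessage'. Google rejects a code whose redirect_uri differs from the one used at authorization time, so this does not create a redirect on its own, but it does mean this endpoint will now exchange a code issued to any redirect URI registered for the same client rather than only codes obtained through the postmessage flow; checking the body-supplied value against the strategy's configured redirect URI (or a short allowlist) before passing it to `client_get_token` keeps that surface as narrow as it was. Because of `||=`, a `redirect_uri` already assigned earlier in get_access_token — its origin is above the hunk, presumably a request param — takes precedence over the body value, which deserves a comment such as `# a redirect_uri supplied earlier (query params) wins over one in the JSON body`. Note also that the `elsif verify_token(access_token)` branch does not use redirect_uri, so the "or access token" part of the subject describes no behavioural change. get_access_token begins and ends outside the hunk.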
@@ -641,6 +641,22 @@
  subject.build_access_token
  end
 
+ it 'reads the redirect uri from a json request body' do
+ body = StringIO.new(%({"code":"json_access_token", "redirect_uri":"sample"}))
+ client = double(:client)
+ auth_code = double(:auth_code)
+
+ allow(request).to receive(:xhr?).and_return(false)
+ allow(request).to receive(:content_type).and_return('application/json')
+ allow(request).to receive(:body).and_return(body)
+ allow(client).to receive(:auth_code).and_return(auth_code)
+ expect(subject).to receive(:client).and_return(client)
+
+ expect(auth_code).to receive(:get_token).with('json_access_token', { redirect_uri: 'sample' }, {})
+
+ subject.build_access_token
+ end
+
  it 'reads the access token from a json request body' do
  body = StringIO.new(%({"access_token":"valid_access_token"}))
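Review bot: The new example only pins the case where the JSON body is the sole source of redirect_uri; nothing in this patch covers the precedence the `||=` in get_access_token establishes when a redirect_uri is also supplied earlier in the request (whatever assigns it above the first hunk), nor the fallback to 'postmessage' for a JSON body without redirect_uri under the changed line (an earlier example may already cover the latter — if so, a reference in the description would help). A URI-shaped stub such as 'https://example.com/callback' instead of 'sample' would make the expectation `with('json_access_token', { redirect_uri: ... }, {})` read as the redirect URI it represents. The enclosing describe/context block starts and ends outside the hunk.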