Allow custom schemes in rediect_uri

[RodneyRichardson]

The current implementation only supports http, https, and ftp as valid URI schemes. (The validate_uri function has been updated to allow others, but it fails a check by django.http.HttpResponseRedirect later on).

I would suggest adding a new setting (ALLOWED_REDIRECT_URI_SCHEMES), which defaults to to the existing value of ['http', 'https'].

I will create a branch and a pull request for this.
https://github.com/RodneyRichardson/django-oauth-toolkit/tree/allow-custom-uri-schemes

[Geekfish]

When building an open API where you want to allow people to redirect to things like their own non-browser app, then you may want to allow ANY uri scheme. I don't know if ALLOWED_REDIRECT_URI_SCHEMES covers this use case.

[RodneyRichardson]

Fair point. It was to get a balance between "safe"/approved schemes, and opening it up entirely. This meets my needs entirely (where I want to redirect to a non-browser app written by a small number of arbitrary 3rd parties, but I control the server-side and issue the client IDs and redirect URIs). I'd be interested if someone has a different concrete use case.

As a small aside, it also helps detect typographical errors in the redirect URI.

[Geekfish]

@RodneyRichardson I think most people would fall into the use case that your PR is covering, it's a very useful feature as it is.
My comment is more to open conversation about whether giving the ability to open up to any URL scheme might also be reasonable (probably work for another PR). I think in a development platform where people are allowed to register their own apps then a free url scheme can be convenient.
Reg implementing that, maybe setting ALLOWED_REDIRECT_URI_SCHEMES to an empty list could signify that appropriately, if this gets merged.

[RodneyRichardson]

Perhaps a future PR extending ALLOWED_REDIRECT_URI_SCHEMES to use regular expression(s) would cover both cases nicely.