Make the relay_state optional in the response.

[matejak]

If relay_state isn't part of the outgoing request, it won't come back as a response. In that case, the code wouldn't work.

I have renamed the relay_state to its semantic meaning redirect_to, and adjusted the code so that it conforms with the method's comments.

This behavior occurs when SERVER_NAME is not specified in the configuration, which also affects get_login_return_url though - in that case, no URL will pass the is_valid_redirect_url validation, as the code calls make_absolute_url which needs the server name set to work properly.

[mx-moth]

Thanks for this pull request!

[mx-moth]

As you've used request.form.get('RelayState') below, the type of this should now be Optional[str]

[mx-moth]

This should be get_default_login_return_url(), as get_login_return_url() will check request.args.get('next'), potentially allowing the IdP to inject its own redirect parameter. (Ignoring that the IdP could alter RelayState to achieve the same thing).

Both get_login_return_url() and get_default_login_return_url() can return None in their default implementations. In this case, it would be appropriate to raise an error in login_successful(), as there is nothing else we can do. If the developer has not overridden get_default_login_return_url() then there is no where to redirect to.

[matejak]

Thanks for your review!
As this is a web application, I am a bit reluctant to raise an error "by default". What about returning / as default login return URL, so it is not so easy to get a traceback?