From 1c7d0d040c39a775018ab3dac56b96a1959a245c Mon Sep 17 00:00:00 2001
From: Doug Bitting
Date: Thu, 6 Jun 2013 12:38:32 -0700
Subject: [PATCH] Some uses of OAuth2 make use of string tokens or the callbackURL. These should not be parsed as if they were actual URLs. This change provides a way to avoid the URL parsing by checking for a "parseCallbackURL" configuration option. By default this option is true, which maintains backward compatibility.
---
 lib/passport-oauth/strategies/oauth2.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/passport-oauth/strategies/oauth2.js b/lib/passport-oauth/strategies/oauth2.js
index 718a17b..347a056 100644
--- a/lib/passport-oauth/strategies/oauth2.js
+++ b/lib/passport-oauth/strategies/oauth2.js
@@ -100,9 +100,14 @@ OAuth2Strategy.prototype.authenticate = function(req, options) {
 // query parameters, and should be propagated to the application.
 return this.fail();
 }
-
+
+ // Not all callbackURLs should be parsed. For example, certain Google+ OAuth flows
+ // make use of a callbackURL of "postmessage." This should not be considered a relative URL,
+ // but simple a string token. To avoid parsing a callbackURL, specify parseCallbackURL: false
+ // in the options config object that's used to authenticate
 var callbackURL = options.callbackURL || this._callbackURL;
- if (callbackURL) {
+ var parseCallbackURL = (options.parseCallbackURL === undefined) || options.parseCallbackURL;
+ if (callbackURL && parseCallbackURL) {
 var parsed = url.parse(callbackURL);
 if (!parsed.protocol) {
 // The callback URL is relative, resolve a fully qualified URL from the
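Review bot: The opt-out test `(options.parseCallbackURL === undefined) || options.parseCallbackURL` on the new `var parseCallbackURL` line treats only an absent key as the default, so a caller passing `null` or any other falsy non-boolean silently disables callback-URL resolution; `var parseCallbackURL = options.parseCallbackURL !== false;` states the intended contract ("on unless explicitly disabled") directly and avoids that surprise. The new flag is also read only from the per-request `options`, whereas `callbackURL` on the line above additionally falls back to `this._callbackURL`, so a strategy constructed with a token-style callback such as "postmessage" appears to have no constructor-level way to opt out — worth confirming against the constructor, which is outside this hunk. Because skipping the parse means the value bypasses the relative-URL resolution that follows and is passed on exactly as configured, the added comment should say so, e.g. `// When parsing is skipped the callbackURL is used verbatim, so it must be a literal value the provider accepts as-is.` (and "but simple a string token" should read "simply"). The body of `authenticate` continues beyond the end of the hunk.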