ui_locales request parameter triggers AttributeError under certain circumstances #1468

Closed
@jaap3

Description

Describe the bug

A valid authorization request, for a client that doesn't require consent, that includes the ui_locales parameter triggers AttributeError: 'list' object has no attribute 'split'.

To Reproduce

  • Configure DOT, with OIDC enabled.
  • Create an Application and set skip_authorization
  • While logged in trigger an authorization request that includes the scope and ui_locales parameter, i.e.:
    /o/authorize/?response_type=code&client_id=test&scope=openid&ui_locales=de

Expected behavior

I expect the authorization request to succeed and the user to be redirected to the redirect_uri with a code response.

Version

django==5.1
django-oauth-toolkit==2.4.0
oauthlib==3.2.2

  • I have tested with the latest published release and it's still a problem.
  • I have tested with the master branch and it's still a problem.

Additional context

I've written a testcase that triggers the issue, TestUILocalesParam.test_trusted_application_ui_locales_param is the one that fails:

from django.contrib.auth import get_user_model
from django.test import TestCase, override_settings
from django.urls import reverse

from oauth2_provider.models import get_application_model

UserModel = get_user_model()
Application = get_application_model()


@override_settings(OAUTH2_PROVIDER={
    "OIDC_ENABLED": True,
    "PKCE_REQUIRED": False,
    "SCOPES": {
        "openid": "OpenID connect",
    },
})
class TestUILocalesParam(TestCase):
    @classmethod
    def setUpTestData(cls):
        cls.application = Application.objects.create(
            name="Test Application",
            client_id="test",
            redirect_uris="https://www.example.com",
            client_type=Application.CLIENT_PUBLIC,
            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
        )
        cls.trusted_application = Application.objects.create(
            name="Trusted Application",
            client_id="trusted",
            redirect_uris="https://www.example.com",
            client_type=Application.CLIENT_PUBLIC,
            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
            skip_authorization=True,
        )
        cls.user = UserModel.objects.create_user("test_user")
        cls.url = reverse("oauth2_provider:authorize")

    def setUp(self):
        self.client.force_login(self.user)

    def test_application_ui_locales_param(self):
        response = self.client.get(
            f"{self.url}?response_type=code&client_id=test&scope=openid&ui_locales=de",
        )
        self.assertEqual(response.status_code, 200)

    def test_trusted_application_ui_locales_param(self):
        response = self.client.get(
            f"{self.url}?response_type=code&client_id=trusted&scope=openid&ui_locales=de",
        )
        self.assertEqual(response.status_code, 302)

My guess is that the call to self.create_authorization_response in

    if application.skip_authorization:
        uri, headers, body, status = self.create_authorization_response(
            request=self.request, scopes=" ".join(scopes), credentials=credentials, allow=True
        )
        return self.redirect(uri, application)

triggers this issue because it tries to parse the request parameters for the second time; the first time is here:

    scopes, credentials = self.validate_authorization_request(request)
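The double-parse mechanism described in the report, as an added example that is not code from django-oauth-toolkit or oauthlib: a simplified model in which the first pass turns the raw ui_locales string into a list and stores it in the credentials dict, the second pass copies that dict back onto a fresh request and calls .split() on the list. The class-free helpers, the parser names and the query parameters are assumptions; the idempotent parser shows one way such a validator can tolerate an already-parsed value.

```python
from types import SimpleNamespace


def parse_ui_locales_naive(value):
    """Fragile form: assumes the value is always the raw query-string str."""
    return value.split() if value else []


def parse_ui_locales_idempotent(value):
    """Accepts either the raw query-string value or an already-parsed list."""
    if not value:
        return []
    if isinstance(value, (list, tuple)):
        return list(value)
    return value.split()


def authorize(query_params, skip_authorization, parser):
    """Model of the authorization view (hypothetical, not the project's code):
    validate first, then, for a client that skips consent, build the response
    by re-applying the credentials dict to a rebuilt request."""
    # First pass: validate_authorization_request parses the raw parameters.
    request = SimpleNamespace(**query_params)
    credentials = {"ui_locales": parser(getattr(request, "ui_locales", None))}
    if not skip_authorization:
        # Consent page is rendered; the parameters are not parsed again.
        return {"status": 200, "credentials": credentials}
    # Second pass: create_authorization_response rebuilds the request and
    # copies every credential onto it, so request.ui_locales is now a list.
    request = SimpleNamespace(**query_params)
    for key, val in credentials.items():
        setattr(request, key, val)
    request_info = {"ui_locales": parser(request.ui_locales)}
    return {"status": 302, "credentials": request_info}


# Constructed sample request for a trusted (skip_authorization) client.
PARAMS = {"response_type": "code", "client_id": "trusted",
          "scope": "openid", "ui_locales": "de en-GB"}


def triggers_attribute_error(parser):
    """True if the trusted-client path blows up with the given parser."""
    try:
        authorize(PARAMS, True, parser)
    except AttributeError:
        return True
    return False
```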
