aliev / aioauth

Asynchronous OAuth 2.0 provider for Python 3
https://aliev.me/aioauth
MIT License
213 stars 19 forks

`invalid_client` response is missing `application/json` content-type #85

Closed benreinhold-nm closed 1 year ago

benreinhold-nm commented 1 year ago

The errors produced when passing invalid client credentials have a JSON body but not an application/json content-type (as prescribed by RFC 6749, Section 5.2). The cause for this is this line where the empty header directory "overwrites" the default_headers in the base class constructor.

Originally I wanted to make a quick PR to fix this, but there seems to be a test testing explicitly for the content-type-less response header, which is why I wanted to check here first that I'm not missing something.

aliev commented 1 year ago

Thanks for the great find!

Indeed, there should be the `content-type: application/json` in the response headers. I think there was a mistake in the line number that you sent. Instead of `HTTPHeaderDict()` there should be `default_headers`.

Hey @tdg5, I made a PR #86. Any objections regarding these changes?
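
The header-override bug discussed in this thread, reduced to a minimal reproduction together with a check for the RFC 6749, Section 5.2 content type. This is an added example, not aioauth's code: `BaseError`, `BuggyInvalidClient`, `FixedInvalidClient`, `render` and `check_error_response` are hypothetical names, and the 401 status used for `invalid_client` is an assumption.

```python
import json


class BaseError(Exception):
    """Hypothetical base error: defaults apply only when no headers are passed."""
    default_headers = {"Content-Type": "application/json"}

    def __init__(self, error, headers=None):
        super().__init__(error)
        self.error = error
        # Any caller-supplied mapping, even an empty one, replaces the defaults.
        self.headers = dict(self.default_headers) if headers is None else dict(headers)


class BuggyInvalidClient(BaseError):
    def __init__(self):
        super().__init__("invalid_client", headers={})  # empty dict drops Content-Type


class FixedInvalidClient(BaseError):
    def __init__(self):
        super().__init__("invalid_client", headers=self.default_headers)


def render(exc):
    """Return (status, headers, body) as a server would send the error."""
    return 401, exc.headers, json.dumps({"error": exc.error})


def check_error_response(status, headers, body):
    """List the RFC 6749 section 5.2 problems found in a token error response."""
    problems = []
    if status not in (400, 401):
        problems.append("unexpected status code")
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append("missing application/json content-type")
    try:
        data = json.loads(body)
        if not isinstance(data, dict) or "error" not in data:
            problems.append("body lacks 'error' parameter")
    except ValueError:
        problems.append("body is not JSON")
    return problems
```

A check like `check_error_response` fits in a regression test for the token endpoint, so the content type cannot be dropped again without a failing assertion.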