eduvpn / python-eduvpn-client

Linux client for eduVPN
https://eduvpn.org/
GNU General Public License v3.0

client tries to use Basic auth with OAuth server #515

Closed ghost closed 1 year ago

ghost commented 1 year ago

The Linux client is a public client (in OAuth terminology) and thus shouldn't use Basic authentication to the /token endpoint. Since php-oauth2-server 7.5.0 this breaks as the server became more strict.

This is not an issue in the 4.x code base (eduvpn-common based) but is an issue in the 3.x client.

ghost commented 1 year ago

https://github.com/requests/requests-oauthlib/blob/master/HISTORY.rst#v120-14-january-2019

OAuth2Session.fetch_token previously tried to guess how and where to provide "client" and "user" credentials incorrectly. This was incompatible with some OAuth servers and incompatible with breaking changes in oauthlib that seek to correctly provide the client_id. The older implementation also did not raise the correct exceptions when username and password are not present on Legacy clients.

So if the python3-requests-oauthlib library is too old, it is an issue...

ghost commented 1 year ago

Possible approaches:

  1. Add workaround to server;
  2. Try to make the client not use Basic authentication with older version of lib (toggle?);
  3. Push out 4.x stable release.

ghost commented 1 year ago

https://todo.sr.ht/~fkooman/php-oauth2-server/7

jwijenbergh commented 1 year ago

Client sends authorization basic header indeed:

echo -n 'org.eduvpn.app.linux:' | base64
b3JnLmVkdXZwbi5hcHAubGludXg6
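To make the point of the first comment and of the decoded header above concrete, here is an added Python example (not code from the eduVPN client, eduvpn-common or php-oauth2-server) that uses only the standard library. It builds the two ways a client can present itself to a token endpoint, the public-client way (client_id in the form body, no Authorization header) and the confidential-client way (HTTP Basic with a real secret), and a strict server-side check in the spirit of the stricter php-oauth2-server behaviour the issue describes: a Basic header whose user part is a registered public client is rejected. The client id org.eduvpn.app.linux and its base64 form are taken from the issue; the confidential client "web-app", its secret, the authorization code and redirect URI are constructed sample values.

```python
import base64
from urllib.parse import parse_qs, urlencode

# client_id quoted in the issue; everything else below is constructed sample data
PUBLIC_CLIENT_ID = "org.eduvpn.app.linux"
PUBLIC_CLIENTS = {PUBLIC_CLIENT_ID}


def build_token_request(client_id, code, redirect_uri, client_secret=None, use_basic=False):
    """Return (headers, body) for an authorization_code token request.

    use_basic=False: public-client style, client_id goes into the form body.
    use_basic=True : HTTP Basic with "client_id:client_secret"; an empty secret
                     reproduces the header the 3.x client sent.
    """
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic:
        cred = f"{client_id}:{client_secret or ''}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    else:
        params["client_id"] = client_id
    return headers, urlencode(params)


def parse_basic(auth_header):
    """Decode an 'Authorization: Basic ...' value into (client_id, secret), or None if malformed."""
    scheme, _, value = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(value.strip(), validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def check_token_request(headers, body, public_clients=PUBLIC_CLIENTS):
    """Strict server-side validation of how the client identified itself.

    Returns "ok" or an OAuth-style error string. Public clients must identify
    themselves with client_id in the body and must not use Basic auth at all,
    so a Basic header with an empty secret is rejected rather than tolerated.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization")
    if auth is not None:
        creds = parse_basic(auth)
        if creds is None:
            return "invalid_client: malformed Basic header"
        client_id, secret = creds
        if client_id in public_clients:
            return "invalid_client: public client must not use Basic auth"
        if not secret:
            return "invalid_client: empty client secret"
        if "client_id" in form and form["client_id"] != client_id:
            return "invalid_request: client_id in body does not match Basic header"
        return "ok"
    client_id = form.get("client_id")
    if not client_id:
        return "invalid_client: client_id missing from request"
    if client_id not in public_clients:
        return "invalid_client: confidential client must authenticate"
    return "ok"


if __name__ == "__main__":
    # The request the 3.x client sent: Basic header with an empty secret.
    h, b = build_token_request(PUBLIC_CLIENT_ID, "code123", "http://127.0.0.1:8000/cb", use_basic=True)
    print(h["Authorization"], "->", check_token_request(h, b))
    # The request a public client should send.
    h, b = build_token_request(PUBLIC_CLIENT_ID, "code123", "http://127.0.0.1:8000/cb")
    print("no Authorization header ->", check_token_request(h, b))
```

Running the block prints the same base64 value shown in the comment above for the Basic case, followed by the rejection, and "ok" for the body-only form; the `check_token_request` function is what a strict token endpoint effectively does, which is why only the client side (newer requests-oauthlib, or the 4.x client) can fix the failure.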

jwijenbergh commented 1 year ago

Fixed in version 4, install instructions https://python-eduvpn-client.readthedocs.io/en/latest/installation.html