lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

authorize_access_token not sending client_id and client_secret #536

Closed maurerbot closed 1 year ago

maurerbot commented 1 year ago

Describe the bug

The authorize_access_token method with the OAuth 2.0 clients needs to send client_id and client_secret to exchange the code for an access token. It is sending the code, grant_type, and redirect_url only.

Reproduce

Using https://rollup.id as the OAuth app provider and the Flask client (https://docs.authlib.org/en/latest/client/flask.html). When calling authorize_access_token, Rollup is not receiving the client_id or client_secret.

maurerbot commented 1 year ago

Looks like I needed to use client_secret_post. Strange that this isn't the default though. Basic auth is less common and less supported.

birdhackor commented 1 year ago

Looks like I needed to use client_secret_post. Strange that this isn't the default though. Basic auth is less common and less supported.

According to RFC 6749 section 2.3.1:

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

So, it's not recommended to set client_secret_post as default.
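As an added illustration of the two token-endpoint client authentication methods discussed in this thread (this is standalone example code, not Authlib's implementation or anything posted by the participants), the script below builds the authorization_code token request under client_secret_basic and client_secret_post, and shows a token endpoint that accepts either while rejecting requests that mix methods or carry no credentials. The client id, secret, code and redirect URI are constructed placeholders.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample credentials; the secret deliberately contains ':' and '/'
# to show why RFC 6749 2.3.1 form-urlencodes id and secret before base64.
CLIENT_ID = "my-app"
CLIENT_SECRET = "s3cr3t:with/odd chars"


def build_token_request(code, redirect_uri, client_id, client_secret,
                        auth_method="client_secret_basic"):
    """Return (headers, body) for an authorization_code token request.

    client_secret_basic puts the credentials in the Authorization header;
    client_secret_post puts them in the form body (NOT RECOMMENDED per RFC 6749).
    """
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return headers, urlencode(params)


def authenticate_client(headers, body, registry):
    """Token-endpoint side: accept either method, reject ambiguous or bad requests.

    registry maps client_id -> client_secret. Returns the client_id or None.
    """
    form = parse_qs(body)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        if "client_id" in form or "client_secret" in form:
            return None  # RFC 6749 2.3: a client MUST NOT use more than one method
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        cid, secret = unquote(cid), unquote(secret)
    elif "client_id" in form and "client_secret" in form:
        cid, secret = form["client_id"][0], form["client_secret"][0]
    else:
        return None  # no credentials at all: the symptom reported in this issue
    expected = registry.get(cid)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return cid
```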

lepture commented 1 year ago

Basic is recommended, so it is the default.