Closed maurerbot closed 1 year ago
Looks like I needed to use client_secret_post. Strange that this isn't the default though. Basic auth is less common and less supported.
According to RFC 6749, section 2.3.1:
Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
So, it's not recommended to set client_secret_post as default.
Basic is recommended, so it is the default.
Describe the bug
The authorize_access_token method with the OAuth 2.0 clients needs to send client_id and client_secret to exchange the code for an access token. It is sending the code, grant_type, and redirect_url only.

Reproduce
Using https://rollup.id as the OAuth app provider and the flask client (https://docs.authlib.org/en/latest/client/flask.html). When calling authorize_access_token, Rollup is not receiving the client_id or client_secret.
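
An added illustration, not code from Authlib or from anyone in this thread: the sketch below builds the token request under both client authentication methods and shows the provider-side lookup needed to accept either. With client_secret_basic the credentials sit in the Authorization header and the form body carries only the grant parameters. Function names and sample values are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Client side: return (headers, body) for an authorization_code token request."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode each value, join with ":", then Base64.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel as two extra form parameters in the request body.
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unsupported method: {method}")
    return headers, urlencode(form)

def extract_client_credentials(headers, body):
    """Provider side: return (client_id, client_secret, method) or raise ValueError."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    in_header = auth.startswith("Basic ")
    in_body = "client_id" in form and "client_secret" in form
    if in_header and in_body:
        # RFC 6749 2.3: at most one authentication method per request.
        raise ValueError("more than one client authentication method")
    if in_header:
        raw = base64.b64decode(auth[len("Basic "):]).decode()
        cid, _, secret = raw.partition(":")
        return unquote_plus(cid), unquote_plus(secret), "client_secret_basic"
    if in_body:
        return form["client_id"], form["client_secret"], "client_secret_post"
    raise ValueError("no client credentials in request")

if __name__ == "__main__":
    # Constructed sample values; the secret contains ":" and "+" on purpose.
    for m in ("client_secret_basic", "client_secret_post"):
        h, b = build_token_request(m, "demo-client", "s3cr:et+/ value", "abc123", "https://app.example/callback")
        print(m, h.get("Authorization"), b, extract_client_credentials(h, b), sep="\n  ")
```

A provider that only inspects the form body will see no credentials from a client using client_secret_basic, which is the symptom reported above.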