lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS, JWE, JWK, JWA, JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

'Authorization' header not set by default, specifying header param in fetch_token doesn't guarantee header inclusion #569

Closed JamesKunstle closed 11 months ago

JamesKunstle commented 1 year ago

Describe the bug

This is w.r.t. an OAuth2Session object in a Flask application communicating with a custom authorization server. Authorization with custom requests works fine with the same inputs.

The auth server we're communicating with implements the 'Authorization'-in-header requirement. That means that one of the headers for the access-token retrieval step must be {'Authorization': 'Client '}.

However, when we call this:

    token = client.fetch_token(
        url=<endpoint>, 
        authorization_response=request.url,
        headers={"Authorization": 'Client <client secret>'},
        grant_type="code")

The server replies that the application isn't an authorized client; the error is SPECIFIC to the header not being set correctly.

All packages are latest as of 8/8/23.

The desired behavior is for the header that is set in fetch_token to be propagated to the request, but it seems to be dropped.

lepture commented 1 year ago

@JamesKunstle you can pass an auth parameter in this case to resolve the issue for now.

    def custom_auth(req):
        # requests hands the prepared request to the auth callable;
        # set the header here and return the request
        req.headers["Authorization"] = "Client ..."
        return req

    token = client.fetch_token(..., auth=custom_auth)
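The following is an added example, not code from the issue thread or from Authlib. It models why a header passed to fetch_token can vanish from the token request and shows the shape of the auth-callable workaround suggested above. It assumes that Authlib's default token_endpoint_auth_method is client_secret_basic, implemented as an auth callable that writes an Authorization header, and that requests applies the auth callable after the caller's explicit headers, so whatever the callable writes wins. PreparedRequest below is a minimal stand-in dataclass, not requests' class; the names prepare_token_request, client_secret_basic, custom_client_auth and authorization_scheme, the token URL and the credentials are all constructed for the example.

```python
"""Added example (not from the issue thread or from Authlib).

Models why a caller-supplied Authorization header can vanish from the token
request, and the shape of the ``auth`` callable workaround from the thread.
Assumptions (stated, not verified against the Authlib source here):
  * Authlib's default token_endpoint_auth_method is 'client_secret_basic',
    implemented as an auth callable that writes an Authorization header;
  * requests applies the auth callable after the caller's explicit headers,
    so whatever the callable writes wins.
"""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import quote

# Constructed sample values for the example; no real endpoint or secret.
TOKEN_URL = "https://auth.example.test/oauth/token"
TOKEN_BODY = "grant_type=authorization_code&code=abc123"
CLIENT_ID = "app"
CLIENT_SECRET = "s3cr3t"


@dataclass
class PreparedRequest:
    """Hypothetical stand-in for requests.PreparedRequest: only the
    attributes the auth hooks touch."""
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


AuthHook = Callable[[PreparedRequest], PreparedRequest]


def client_secret_basic(client_id: str, client_secret: str) -> AuthHook:
    """Model of the default client_secret_basic method: HTTP Basic over
    percent-encoded client_id:client_secret (RFC 6749 section 2.3.1)."""
    def hook(req: PreparedRequest) -> PreparedRequest:
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        token = base64.b64encode(creds.encode("latin1")).decode("ascii")
        # Unconditional assignment: any Authorization header already on the
        # request is replaced, which is the behaviour the issue reports.
        req.headers["Authorization"] = f"Basic {token}"
        return req
    return hook


def custom_client_auth(client_secret: str) -> AuthHook:
    """The workaround from the thread: an auth callable that writes the
    server's non-standard 'Client <secret>' scheme instead of Basic."""
    def hook(req: PreparedRequest) -> PreparedRequest:
        req.headers["Authorization"] = f"Client {client_secret}"
        return req
    return hook


def prepare_token_request(url: str, body: str,
                          headers: Optional[Dict[str, str]] = None,
                          auth: Optional[AuthHook] = None) -> PreparedRequest:
    """Mirror the order requests uses when preparing a request: copy the
    caller's headers in first, then let the auth callable run last."""
    req = PreparedRequest(url=url, body=body, headers=dict(headers or {}))
    if auth is not None:
        req = auth(req)
    return req


def authorization_scheme(req: PreparedRequest) -> Optional[str]:
    """Return the scheme word of the Authorization header, or None if unset."""
    value = req.headers.get("Authorization")
    return value.split(" ", 1)[0] if value else None


if __name__ == "__main__":
    # 1. The reported call: header passed explicitly, but the default Basic
    #    auth callable still runs afterwards and replaces it.
    reported = prepare_token_request(
        TOKEN_URL, TOKEN_BODY,
        headers={"Authorization": f"Client {CLIENT_SECRET}"},
        auth=client_secret_basic(CLIENT_ID, CLIENT_SECRET),
    )
    print("reported call sends:", reported.headers["Authorization"])

    # 2. The workaround: hand the custom scheme to ``auth`` so nothing runs after it.
    fixed = prepare_token_request(TOKEN_URL, TOKEN_BODY,
                                  auth=custom_client_auth(CLIENT_SECRET))
    print("workaround sends:   ", fixed.headers["Authorization"])
```

When writing the real callable for a requests-based OAuth2Session, it receives a requests.PreparedRequest and must return it, exactly as the snippet above does; keep the secret out of any logging you add to the hook, since the header it writes is the client credential itself.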