Add a method to the OAuth2Request object to obtain all the values for the keys in form + args data as a list. This helps detect repetition of request parameters. Also, add a Django and Flask test for the same.
What kind of change does this PR introduce? (check at least one)
[x] Bugfix
[ ] Feature
[ ] Code style update
[ ] Refactor
[ ] Other, please describe:
Does this PR introduce a breaking change? (check one)
[x] Yes
[ ] No
If yes, please describe the impact and migration path for existing applications:
Possible breaking change for applications because clients that were repeating parameters in the request will now get an InvalidRequest error instead of successful authorization.
I don't see a reason why any client would do it intentionally, but it's enough of a concern; maybe we can add a flag or config to AuthorizationEndpointMixin to conditionally enable the check.
[x] You consent that the copyright of your pull request source code belongs to Authlib's author.
Section 3.1 of RFC 6749 says "Request and response parameters MUST NOT be included more than once."
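The following is an added illustration of the kind of check the PR describes; it is not Authlib's code and not the code submitted in this PR. It models a minimal request object with query args and a form body kept as multi-dicts (key to list of values), a `data_list` helper that returns every value sent for a key across both sources, and a validator that rejects any parameter present more than once, as RFC 6749 Section 3.1 requires. The class and method names (`OAuth2Request`, `data_list`, `InvalidRequestError`) and the behaviour of counting a key that appears once in the query string and once in the form body as a repetition are assumptions made for this example.

```python
from urllib.parse import parse_qs


class InvalidRequestError(Exception):
    """Stand-in for an OAuth 2.0 'invalid_request' error (constructed for this example)."""


class OAuth2Request:
    """Minimal stand-in for a framework request object (constructed for this example).

    Query args and form body are parsed into multi-dicts (key -> list of values)
    so repeated parameters are preserved instead of being silently collapsed
    to the first or last value, which is what hides the repetition in the
    first place.
    """

    def __init__(self, query_string="", form_body=""):
        self.args = parse_qs(query_string, keep_blank_values=True)
        self.form = parse_qs(form_body, keep_blank_values=True)

    def data_list(self, key):
        """Return every value sent for `key`, across query args and form body."""
        return self.args.get(key, []) + self.form.get(key, [])

    @property
    def keys(self):
        """All parameter names seen in either the query string or the form body."""
        return set(self.args) | set(self.form)


def repeated_parameters(request):
    """Names of parameters that were included more than once (sorted for stable output)."""
    return sorted(k for k in request.keys if len(request.data_list(k)) > 1)


def validate_no_repeated_parameters(request):
    """Enforce RFC 6749 Section 3.1: reject any parameter included more than once.

    The check is value-independent: sending `client_id=abc&client_id=abc` is
    still a repetition and still rejected.
    """
    dupes = repeated_parameters(request)
    if dupes:
        raise InvalidRequestError(
            "Request parameter(s) included more than once: " + ", ".join(dupes)
        )
    return True


if __name__ == "__main__":
    # Constructed sample: the same parameter twice with conflicting values.
    bad = OAuth2Request("response_type=code&client_id=abc&client_id=xyz")
    print("client_id values:", bad.data_list("client_id"))
    try:
        validate_no_repeated_parameters(bad)
    except InvalidRequestError as exc:
        print("rejected:", exc)

    # Constructed sample: each parameter exactly once, split across query and form.
    good = OAuth2Request("response_type=code&client_id=abc", "scope=openid")
    print("accepted:", validate_no_repeated_parameters(good))
```

Keeping both sources as lists rather than plain dicts is the point of the `data_list` helper: a framework's `request.args.get()` typically returns only one value, so a parameter sent twice with different values (for example two different `redirect_uri` values) would pass through unnoticed, and which value the server ends up acting on would depend on the framework's first-wins or last-wins behaviour.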