lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License
4.49k stars, 448 forks

OAuth2Client: use correct auth method for token introspection #662

Open AdamWill opened 1 month ago

AdamWill commented 1 month ago

When token introspection was introduced in 6f5d19a, using the code that previously only handled token revocation, the new _handle_token_hint method that does the work for both introspect_token and revoke_token kept using self.revocation_endpoint_auth_method unconditionally if no auth was passed in with the introspect or revoke request. This seems to be wrong; introspecting a token should use the token_endpoint_auth_method.

This leaves the fallback to revocation_endpoint_auth_method in _handle_token_hint because adjusting its signature to make auth compulsory would be awkward, but it's not expected ever to be used.

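The mismatch the PR describes can be reproduced without authlib. The following is an added illustration, not authlib's own code: a toy client whose introspection and revocation endpoints are registered with different client-authentication methods, with a `fixed` switch that toggles between the old behaviour (introspect_token passes no auth, so the shared helper falls back to the revocation method) and the corrected one (introspect_token defaults to token_endpoint_auth_method). The names ToyOAuth2Client, apply_client_auth, introspection_server_accepts and compare, and the endpoint URL, are assumptions made for this example.

```python
# Added example, not authlib's code. Class and function names are assumptions.
import base64


def apply_client_auth(method, client_id, client_secret, headers, body):
    """Attach client credentials using one of the RFC 6749 section 2.3.1 methods."""
    if method == "client_secret_basic":
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    elif method == "none":
        body["client_id"] = client_id
    else:
        raise ValueError(f"unsupported client auth method: {method!r}")
    return headers, body


class ToyOAuth2Client:
    def __init__(self, client_id, client_secret,
                 token_endpoint_auth_method="client_secret_basic",
                 revocation_endpoint_auth_method="client_secret_basic",
                 fixed=True):
        self.client_id = client_id
        self.client_secret = client_secret
        self.token_endpoint_auth_method = token_endpoint_auth_method
        self.revocation_endpoint_auth_method = revocation_endpoint_auth_method
        # fixed=False reproduces the pre-PR behaviour: introspect_token hands
        # no auth method down, so _handle_token_hint falls back to the
        # revocation method for both operations.
        self.fixed = fixed

    def _handle_token_hint(self, url, token, token_type_hint=None, auth=None):
        body = {"token": token}
        if token_type_hint:
            body["token_type_hint"] = token_type_hint
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if auth is None:
            # Fallback kept, as in the PR; callers are expected to pass auth.
            auth = self.revocation_endpoint_auth_method
        apply_client_auth(auth, self.client_id, self.client_secret, headers, body)
        return {"url": url, "headers": headers, "body": body}

    def introspect_token(self, url, token, token_type_hint=None, auth=None):
        if auth is None and self.fixed:
            auth = self.token_endpoint_auth_method  # the PR's correction
        return self._handle_token_hint(url, token, token_type_hint, auth)

    def revoke_token(self, url, token, token_type_hint=None, auth=None):
        if auth is None:
            auth = self.revocation_endpoint_auth_method
        return self._handle_token_hint(url, token, token_type_hint, auth)


def introspection_server_accepts(request, expected_method):
    """Constructed server-side check: an RFC 7662 introspection endpoint that
    registered the client with client_secret_basic only honours HTTP Basic
    credentials and ignores a secret sent in the form body."""
    if expected_method == "client_secret_basic":
        return request["headers"].get("Authorization", "").startswith("Basic ")
    if expected_method == "client_secret_post":
        return "client_secret" in request["body"]
    return False


def compare():
    """Return (buggy_accepted, fixed_accepted) for a client whose two endpoints
    use different auth methods, so the wrong fallback becomes visible."""
    kwargs = dict(client_id="app", client_secret="s3cret",
                  token_endpoint_auth_method="client_secret_basic",
                  revocation_endpoint_auth_method="client_secret_post")
    buggy = ToyOAuth2Client(fixed=False, **kwargs)
    fixed = ToyOAuth2Client(fixed=True, **kwargs)
    url = "https://as.example/introspect"  # constructed, not a real endpoint
    before = buggy.introspect_token(url, "tok", "access_token")
    after = fixed.introspect_token(url, "tok", "access_token")
    return (introspection_server_accepts(before, "client_secret_basic"),
            introspection_server_accepts(after, "client_secret_basic"))


if __name__ == "__main__":
    print(compare())
```

With the two endpoint methods deliberately set to differ, the old path sends the introspection request with credentials in the POST body, which a server expecting HTTP Basic rejects, while the corrected path sends the Authorization header. Revocation is unaffected in both cases because revoke_token always resolves to revocation_endpoint_auth_method before calling the shared helper.
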
AdamWill commented 1 month ago

As I work for Red Hat I cannot agree to "consent that the copyright of your pull request source code belongs to Authlib's author" without my employer's permission, but I think this change is too trivial to be copyrightable.