pysnippet / fastapi-oauth2

Easy to integrate OAuth2 authentication with support for several identity providers.
https://docs.pysnippet.org/fastapi-oauth2
MIT License

🐛 Bug Report - query param `client_secret` is missing even though `client_secret` is registered in the OAuth2Config #37

Closed kkh-147-17-3 closed 3 months ago

kkh-147-17-3 commented 3 months ago

Bug description

Hi, I was trying to integrate KakaoOAuth2 and had to apply client_secret for the authentication. The provider (Kakao) says the client_secret for KakaoOauth2 is not mandatory but is recommended for security purposes. Therefore, I set my application to use that. Unfortunately, KakaoOauth2 only fails to work when the client_secret is configured.

According to the official Kakao developer website, the client_secret must be in the request body as a query parameter when the application is configured to utilize client_secret. Otherwise, it returns an unauthorized response.

I looked through the code and found that the client_secret is not in the query parameters when POST requesting the token endpoint.

Reproduction URL

No response

Reproduction steps

  1. Add an application at the Kakao Developer Website and configure the application to use client_secret as below. [Screenshot 2024-03-13 at 3 50 31 PM]

  2. Add configuration in the fastapi code. [Screenshot 2024-03-13 at 3 53 21 PM]

  3. Send the request /oauth2/kakao/authorize

  4. After step 3, I received the following error

    {"detail":"(invalid_client) Bad client credentials"}

Screenshots

The original codes are as follows (fastapi_oauth2.core.py -> OAuth2Core:token_data):

[Screenshot 2024-03-13 at 3 38 37 PM]

I guess the client_secret should be in the oauth2_query_params so that the variable content can contain client_secret as a query parameter.

After I changed the code to put client_secret inside the query params, the authentication process worked as normal. [Screenshot 2024-03-13 at 3 35 51 PM]

Logs

No response

Browsers

No response

OS

No response

ArtyomVancyan commented 3 months ago

Hi @kkh-147-17-3, please replace the os.getenv("OAUTH2_KAKAO_CLIENT_ID") and os.getenv("OAUTH2_KAKAO_CLIENT_SECRET") with their actual values so we ensure the problem is not in reading an environment variable. Also, you did not mention the client_id in the issue description, which makes me think you don't use it at all. Please try to reproduce the issue with the hardcoded values and tell the result.

kkh-147-17-3 commented 3 months ago

Thank you for the prompt reply. I tried again with the hardcoded client_id and client_secret. Yet, the issue has not been resolved.

[Screenshot 2024-03-13 at 6 17 39 PM]

You can find that client_id and client_secret were successfully assigned as below in the debug view. [Screenshot 2024-03-13 at 6 24 48 PM]

The problem seems to be that the only parameter passed from the WebApplicationClient object when prepare_request_body is called is client_id, not client_secret.

[Screenshot 2024-03-13 at 6 29 40 PM]

ArtyomVancyan commented 3 months ago

Do you face a similar issue with the AppleIdAuth you have configured? If it works for Apple, then you can compare the objects by debugging, but I don't think the WebApplicationClient can be the problem. Also, it's a possibility that the Kakao backend has some issues, try to find issues in social-core. I would also check if scopes are compatible with the identity provider.

kkh-147-17-3 commented 3 months ago

Sadly I don't have an Apple developer account, so I removed the AppleIdAuth config and set only the KakaoOAuth2 instead. My project's python version was initially set to 3.12, so I switched my python version to 3.11 as well. But the authentication process still did not work. I tried google-oauth2 with client_id and client_secret, and it worked well.

I have a Spring Boot project which depends on spring-boot-starter-oauth2-client, and it contains a Kakao Oauth2 authentication process that uses the same client_id and client_secret. The authorization process works as normal. In this case, I set the project's environment variable spring.security.oauth2.client.registration.kakao.client-authentication-method to client_secret_post so that the client_secret can be included in the POST request body as a query parameter. On the contrary, the Google Oauth2 setting is client_secret_basic, where client_secret is not included as a parameter.

Lastly, I guess scopes are not the problem in this case, as the provider's error screen would show whether the wrong scopes are configured.
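The two client authentication methods compared above (client_secret_basic for Google, client_secret_post for Kakao) build the same authorization_code token request differently. The added example below is not code from fastapi-oauth2; it builds both forms with the standard library only, and `provider_accepts` is a constructed stand-in for a token endpoint that, as the reporter describes for Kakao, rejects a request whose registered secret is missing from the form body.

```python
# Added example (not fastapi-oauth2 code): token-endpoint POST under the two
# client authentication methods from RFC 6749 section 2.3.1.
import base64
from urllib.parse import parse_qs, urlencode


def build_token_request(client_id, client_secret, code, redirect_uri,
                        method="client_secret_post"):
    """Return (headers, body) for an authorization_code token request.

    "client_secret_basic": secret travels in the Authorization header only.
    "client_secret_post":  secret is a form field in the request body.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif method == "client_secret_post":
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client authentication method: {method}")
    return headers, urlencode(params)


def provider_accepts(headers, body, expected_id, expected_secret,
                     require_post=True):
    """Constructed mock of a provider's token-endpoint credential check.

    With require_post=True it models the behaviour described in this thread:
    once a secret is registered, it must be present in the form body, so a
    request carrying it only via Basic auth fails like (invalid_client).
    With require_post=False the Basic header is accepted as an alternative.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("client_id") != expected_id:
        return False
    if form.get("client_secret") == expected_secret:
        return True
    if require_post:
        return False
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    return base64.b64decode(auth[6:]).decode() == f"{expected_id}:{expected_secret}"
```

The method has to match what the provider is configured for; a request that is correct for one method is an invalid_client error under the other, which is exactly the symptom reported here.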

ArtyomVancyan commented 3 months ago

Okay, I see, the problem is in the KakaoOAuth2 implementation. The request you are describing is an ordinary form data POST request. I am not sure how the request is sent by KakaoOAuth2 but it is surely fixable. I will try to fix it using your Kakao's client_id and client_secret, it seems it got deprecated and no one cares about it :) Please do not remove your client credentials that you shared in the above screenshot so I can use them to help you solve your problem. If you already did, please provide new credentials.

kkh-147-17-3 commented 3 months ago

Of course, I am happy to hear that! I will not change the KakaoOauth2 credential provided. Please let me know if you have any problems regarding the credential :)

ArtyomVancyan commented 3 months ago

@kkh-147-17-3, I have investigated the issue, and it turns out that basic auth does not cover the client_secret, and it still needs to be passed. So, I fixed the issue, which is available in the latest release. Thank you very much for pointing out the issue and allowing me to use your OAuth credentials for development purposes.