python-social-auth / social-core

Python Social Auth - Core
BSD 3-Clause "New" or "Revised" License

ACCESS_TOKEN_METHOD should default to POST instead of GET #284

Open severi opened 6 years ago

severi commented 6 years ago

According to the RFC (https://tools.ietf.org/html/rfc6749#section-3.2) the client MUST use POST method when making access token requests. The default value for ACCESS_TOKEN_METHOD conflicts with this (at least with OAUTH2).

https://github.com/python-social-auth/social-core/blob/563d0e5e97e9c5e6289609d09d2e7bf7c2f3165d/social_core/backends/oauth.py#L31

collinpreston commented 1 year ago

@omab This seems to still be an issue, especially when trying to configure OIDC with Authentik.

davidhalter commented 1 year ago

The generic OIDC backend does not have this issue, because it overrides the ACCESS_TOKEN_METHOD. Note that changing this might have quite a few repercussions for other backends, because they subclass the OAuth2 backend. So maybe we should at least warn people that this has been changed.

However, I'm definitely for changing this one, because we should always adhere to the RFCs.

nijel commented 1 year ago

I agree. Actually, most backends do override ACCESS_TOKEN_METHOD. There are a few backends which subclass from BaseOAuth2 and do not override ACCESS_TOKEN_METHOD though, so they are currently using GET.
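To make the point of the thread concrete, the following is an added example (not social-core's code and not posted by any participant). It uses a hypothetical `BaseOAuth2Like` class that mirrors the pattern discussed above: a class attribute `ACCESS_TOKEN_METHOD` defaulting to `GET`, a subclass overriding it to `POST`, and a small audit helper that lists backends still on the GET default. It also shows why the method matters for security, not just RFC compliance: with GET the authorization code and client secret end up in the query string, where proxies, web server logs and browser history routinely record them, whereas the RFC 6749 section 3.2 POST request keeps them in the form-encoded body. The parameter values are sample values (the code and client_id are the ones used in the RFC's own example), not real credentials.

```python
"""Why an OAuth2 access-token request should be a POST (RFC 6749 section 3.2).

Constructed example: `BaseOAuth2Like`, `CompliantBackend`, `build_token_request`
and `audit_backends` are hypothetical stand-ins that mimic an ACCESS_TOKEN_METHOD
class attribute; they are not social-core's own classes or API.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Sample values only (code and client_id taken from the RFC 6749 4.1.3 example).
SAMPLE_PARAMS = {
    "grant_type": "authorization_code",
    "code": "SplxlOBeZQQYbYS6WxSBIA",
    "redirect_uri": "https://client.example.com/cb",
    "client_id": "s6BhdRkqt3",
    "client_secret": "EXAMPLE_SECRET",
}


def build_token_request(method, token_url, params):
    """Return (method, url, headers, body) for an access-token request.

    GET encodes the parameters into the URL query string; POST sends them as
    an application/x-www-form-urlencoded body, which is what the RFC requires.
    """
    method = method.upper()
    if method == "POST":
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return method, token_url, headers, urlencode(params)
    if method == "GET":
        return method, token_url + "?" + urlencode(params), {}, ""
    raise ValueError("unsupported token request method %r" % method)


def secrets_in_url(url, sensitive=("code", "client_secret")):
    """Names of sensitive parameters that ended up in the URL.

    Anything here is exposed to intermediaries that log request lines
    (reverse proxies, access logs, browser history), which a request body is not.
    """
    query = parse_qs(urlsplit(url).query)
    return sorted(name for name in sensitive if name in query)


class BaseOAuth2Like:
    """Hypothetical base class with the GET default the issue argues against."""
    ACCESS_TOKEN_METHOD = "GET"
    ACCESS_TOKEN_URL = "https://provider.example.com/oauth/token"

    def token_request(self, params):
        return build_token_request(self.ACCESS_TOKEN_METHOD, self.ACCESS_TOKEN_URL, params)


class CompliantBackend(BaseOAuth2Like):
    """Subclass overriding the default, as most concrete backends in the thread do."""
    ACCESS_TOKEN_METHOD = "POST"


def audit_backends(backends):
    """Return the names of backend classes whose token request would still use GET."""
    return [b.__name__ for b in backends if b.ACCESS_TOKEN_METHOD.upper() != "POST"]


if __name__ == "__main__":
    for backend in (BaseOAuth2Like, CompliantBackend):
        method, url, _headers, body = backend().token_request(SAMPLE_PARAMS)
        print(backend.__name__, method, url)
        print("  leaked in URL:", secrets_in_url(url), "| body:", body or "(empty)")
    print("still on GET:", audit_backends([BaseOAuth2Like, CompliantBackend]))
```

The `audit_backends` helper is the check a maintainer could run over a real backend registry to find the classes nijel mentions, the ones that inherit the base default without overriding it, before flipping the default and triggering the repercussions davidhalter warns about.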