Fix failing Elixir AAI token refresh

[kysrpex]

Proposed changes

Refreshing Elixir AAI tokens fails with error An error occurred when refreshing user token: 401 Client Error: 401 for url: https://login.elixir-czech.org/oidc/token. The source of the HTTP 401 error is a malformed request. Closes #826, read the issue for details.

Types of changes

Please check the type of change your PR introduces:

• [ ] Release (new release request)
• [X] Bugfix (non-breaking change which fixes an issue)
• [ ] New feature (non-breaking change which adds functionality)
• [ ] Code style update (PEP8, lint, formatting, renaming, etc)
• [ ] Refactoring (no functional changes, no api changes)
• [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
• [ ] Build related changes (build process, tests runner, etc)
• [ ] Other (please describe):

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

• [ ] Lint and unit tests pass locally with my changes
• [ ] I have added tests that prove my fix is effective or that my feature works
• [ ] I have added documentation to https://github.com/python-social-auth/social-docs

Other information

At the moment I just want to highlight the source of the problem and the solution, the patch is not properly integrated within the codebase, that's why the PR is a draft. For example, it is probably better to patch social_core.backends.oauth:BaseOAuth2.refresh_token.

[dBucik]

From the OP point of view, the authentication method for the token endpoint should be configurable and the refresh token grant should respect that setting. Specifically for the LS AAI (previously known as ELIXIR AAI), there are three types of authentication for the token endpoint:

• client_secret_basic (translates to Authorization: Basic client_id:client_secret header)
• client_Secret_post (translates to client_id: XYZ and client_secret: XYZ parameters in the POST request body)
• none (no authentication needed)

This method of authentication is specified in the metadata when registering the service.

So now to some more details. I think base classes support this already, it just needs some tweaks:

• it should load the method of the authentication from the configuration, not just from the list of auth methods supported by the OP and advertised in the OP metadata (https://github.com/python-social-auth/social-core/blob/4fd69435ef38dfc5b9d43ac98fbc4b3c0b745b5d/social_core/backends/open_id_connect.py#L64)
• if the authentication is via headers, it should be put here: https://github.com/python-social-auth/social-core/blob/4fd69435ef38dfc5b9d43ac98fbc4b3c0b745b5d/social_core/backends/oauth.py#L383
• if the authentication is via request body, this one should happen https://github.com/python-social-auth/social-core/blob/4fd69435ef38dfc5b9d43ac98fbc4b3c0b745b5d/social_core/backends/oauth.py#L447
• if the authentication is none, no action of the above is needed.