requests / requests-oauthlib

OAuthlib support for Python-Requests!
https://requests-oauthlib.readthedocs.org/
ISC License

(Security Flaw) `requests-oauthlib` sends `json` payloads while refreshing tokens #451

Open slmtpz opened 2 years ago

slmtpz commented 2 years ago

Walkthrough

When intercepting a request(), requests-oauthlib doesn't take payload data passed with the json parameter into account. This leads to kwargs containing the json parameter's value. Notice that the same kwargs are passed to the refresh_token() call. The data is then included in the body sent to the identity provider's refresh token endpoint.

Security Problem

As of requests 2.4.2, POST data can be sent with the json parameter. The data might include private information, as it is intended for the POST body. The data is then further exposed to the identity provider when refreshing expired tokens if auto_refresh functionality is enabled when instantiating an OAuth2Session instance.

For the users

You can safely use the data parameter to pass your POST data instead of json.
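
The flow the report describes, as an added example for this page: this is not requests-oauthlib's own code, but a small offline model of it. The class names (LeakySession, StrictSession), the FakeTokenEndpoint stand-in for the identity provider, the prepare_refresh_body helper, the REFRESH_PASSTHROUGH allow-list and the constructed SECRET_PAYLOAD are all assumptions made so the path can be run and inspected. LeakySession forwards the whole kwargs of request() to refresh_token() on expiry, as described above; StrictSession shows the check a caller or wrapper can apply instead, letting only transport options reach the refresh call.

```python
"""Model of the kwarg-forwarding path described in the issue (added example,
not requests-oauthlib code). Run it to see which form fields reach the token
endpoint during an auto-refresh triggered by a request that used json=."""
import json as jsonlib
import time
from urllib.parse import parse_qs, urlencode


class TokenExpiredError(Exception):
    pass


class FakeTokenEndpoint:
    """Constructed stand-in for the identity provider's refresh endpoint.
    It records every body it is sent so the caller can inspect what arrived."""

    def __init__(self):
        self.received = []  # list of parsed form bodies, oldest first

    def post(self, body):
        self.received.append(parse_qs(body))
        return {"access_token": "fresh", "refresh_token": "r2",
                "expires_at": time.time() + 3600}


def prepare_refresh_body(refresh_token, **params):
    """Models the behaviour the report describes: every extra keyword argument
    handed to the refresh step is folded into the form-encoded refresh body."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    for key, value in params.items():
        fields[key] = value if isinstance(value, str) else jsonlib.dumps(value)
    return urlencode(fields)


class LeakySession:
    """Models the reported flow: request() sees an expired token and passes
    its whole **kwargs (json= included) on to refresh_token()."""

    def __init__(self, idp, token):
        self.idp = idp
        self.token = token
        self.sent = []  # (method, url, data, json) the API request would carry

    def _expired(self):
        return self.token["expires_at"] <= time.time()

    def refresh_token(self, auth=None, timeout=None, headers=None,
                      verify=True, proxies=None, **kwargs):
        body = prepare_refresh_body(self.token["refresh_token"], **kwargs)
        self.token = self.idp.post(body)
        return self.token

    def request(self, method, url, data=None, headers=None, **kwargs):
        if self._expired():
            # Everything in kwargs, including json=, travels to the refresh step.
            self.refresh_token(auth=None, **kwargs)
        self.sent.append((method, url, data, kwargs.get("json")))
        return self.token["access_token"]


class StrictSession(LeakySession):
    """Hardened variant (an assumption of this example, not a library change):
    only transport options may accompany the refresh call; payload kwargs
    such as json= stay with the API request they were meant for."""

    REFRESH_PASSTHROUGH = frozenset({"timeout", "verify", "proxies"})

    def request(self, method, url, data=None, headers=None, **kwargs):
        if self._expired():
            refresh_kwargs = {k: v for k, v in kwargs.items()
                              if k in self.REFRESH_PASSTHROUGH}
            self.refresh_token(auth=None, **refresh_kwargs)
        self.sent.append((method, url, data, kwargs.get("json")))
        return self.token["access_token"]


# Constructed inputs: an already-expired token and a payload that must never
# leave the application except in the API call it was written for.
EXPIRED = {"access_token": "old", "refresh_token": "r1", "expires_at": 0}
SECRET_PAYLOAD = {"ssn": "123-45-6789"}


def refresh_body(session_cls):
    """Send one POST with json= through the given session class and return the
    parsed form body that reached the token endpoint during auto-refresh."""
    idp = FakeTokenEndpoint()
    session = session_cls(idp, dict(EXPIRED))
    session.request("POST", "https://api.example/resource", json=SECRET_PAYLOAD)
    return idp.received[0]


if __name__ == "__main__":
    print("leaky :", sorted(refresh_body(LeakySession)))
    print("strict:", sorted(refresh_body(StrictSession)))
```

With the model above, the leaky path delivers a `json` field containing the serialized payload to the token endpoint alongside `grant_type` and `refresh_token`, while the allow-listed variant sends only the two refresh fields. The same allow-list idea applies to any wrapper around a session that auto-refreshes: decide explicitly which keyword arguments are transport settings and which are request payload, and never let the latter follow a token refresh.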

JonathanHuot commented 2 years ago

Hi, thanks for the report; however, I have difficulty understanding a concrete example and the possible dev mistakes that could lead to info leaking. Based on the code highlights, it seems json is not used when calling the requests library, no matter the content of kwargs.