smart-on-fhir / client-py

Python SMART on FHIR client
http://docs.smarthealthit.org

auth.py - call to token endpoint still seems to use the deprecated implicit grant flow #126

Open mgold-greenway opened 2 years ago

mgold-greenway commented 2 years ago

I was trying to get the Flask app running and noticed during the OAuth process that, even after we get an auth code, the 'state' parameter used to obtain the auth code is then being sent by the Flask app when POSTing to the auth server's token endpoint. In my case our token endpoint returns a 400 because it does not support the state parameter, which was used in the now-deprecated implicit grant flow: https://oauth.net/2/grant-types/implicit/

Commenting out the state param in auth.py (line 265, in _code_exchange_params()) was my workaround. Once I did that, my token endpoint issued me a token. But I think, for the sake of completeness, support for PKCE is needed: https://oauth.net/2/pkce/ Is this a possibility?
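As an added example (not client-py's code and not part of the thread), the following Python sketches the shape of a corrected authorization code exchange: state and the PKCE challenge are sent on the front-channel authorization request, state is checked when the browser is redirected back, and the back-channel token POST carries the PKCE code_verifier but no state. In RFC 6749 §4.1.3 the token request for the authorization code grant has no state parameter; state belongs to the authorization request and its redirect response, and is used in the code flow as well as in implicit, so a token endpoint that validates its request body strictly will reject it, as seen above. The endpoints, client id, redirect URI and scope below are hypothetical placeholders; the PKCE test vector in the usage note is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Hypothetical endpoints and client registration, for illustration only.
AUTH_ENDPOINT = "https://auth.example.org/authorize"
TOKEN_ENDPOINT = "https://auth.example.org/token"
CLIENT_ID = "example-public-client"
REDIRECT_URI = "http://localhost:8000/fhir-app/"


def _b64url(raw):
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 method: code_challenge = base64url(SHA-256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh verifier (32 random bytes -> 43 unreserved chars) and its challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def new_state():
    """Unguessable per-session state, stored server-side and checked on callback."""
    return secrets.token_urlsafe(16)


def authorize_params(state, code_challenge, scope):
    """Front-channel (browser redirect) request: 'state' and the challenge go here."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }


def authorize_url(state, code_challenge, scope="launch/patient patient/*.read"):
    return AUTH_ENDPOINT + "?" + urlencode(authorize_params(state, code_challenge, scope))


def state_matches(callback_query, expected_state):
    """Verify the AS echoed our state before trusting the code (CSRF / mix-up check).
    Constant-time compare; a missing state never matches."""
    got = callback_query.get("state")
    if not isinstance(got, str):
        return False
    return hmac.compare_digest(got.encode("utf-8"), expected_state.encode("utf-8"))


def token_params(code, code_verifier):
    """Back-channel POST body. No 'state' here: the token request is bound to the
    authorization request by redirect_uri, client_id and the PKCE verifier instead."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def token_request(code, code_verifier):
    """(url, headers, body) for the token POST, ready for requests.post(url, headers=..., data=body)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return TOKEN_ENDPOINT, headers, urlencode(token_params(code, code_verifier))


if __name__ == "__main__":
    # Walk the flow once with a simulated callback from the authorization server.
    state = new_state()
    verifier, challenge = make_pkce_pair()
    print("redirect user to:", authorize_url(state, challenge))
    simulated_callback = {"code": "constructed-code-123", "state": state}  # constructed sample
    assert state_matches(simulated_callback, state)
    url, headers, body = token_request(simulated_callback["code"], verifier)
    print("POST", url, headers, body)
```

Usage note: `pkce_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` returns `"E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"`, the RFC 7636 Appendix B pair, which is a quick way to confirm an S256 implementation. Keep `state` and `code_verifier` in the server-side session between the redirect and the callback; neither is sent to the token endpoint except the verifier, and a token endpoint that sees a stray `state` parameter is entitled to return 400 `invalid_request`.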

mgold-greenway commented 2 years ago

One thing that helped me figure out what caused my 400 error was to add the following to my Flask app. It prints the HTTP headers, request, and response to the console:

import http.client
# requests/urllib3 sit on top of http.client, so this dumps every request line,
# header and response status to stdout (the token endpoint's 400 and its body included)
http.client.HTTPConnection.debuglevel = 1

ducu commented 2 years ago

Hi @mgold-greenway, sure it's a possibility, pull requests welcome!