simpleauth
support HTTP Basic Authentication for client authentication
Hi, crhym3
It seems that simpleauth supports using client_id / client_secret in the request-body for client authentication.
However, the OAuth 2.0 protocol says,
http://tools.ietf.org/html/rfc6749#section-2.3.1
Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes)
Please support the HTTP Basic authentication scheme for client authentication, especially at the token endpoint.
Hey @mikanmarusan could you clarify which part of the code you are referring to? I suspect you're talking about _get_*_user_info methods but wanted to make sure.
Hi, @crhym3 Sorry for the late reply.
I am referring to the _oauth2_callback function in the SimpleAuthHandler class, https://github.com/crhym3/simpleauth/blob/84620d3db5670a20108d14d5021a42b69020c1e8/simpleauth/handler.py#L216-234
@mikanmarusan care to provide a PR?
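For reference, the client authentication requested in this issue, as an added example that is not simpleauth's code and not posted by anyone in this thread: it builds an authorization-code token request with the credentials either in an HTTP Basic `Authorization` header (RFC 6749 section 2.3.1) or in the request body. The function names and the sample values are hypothetical.

```python
import base64
from urllib.parse import quote_plus, urlencode


def basic_client_auth_header(client_id, client_secret):
    """Return the Authorization header value for HTTP Basic client auth.

    RFC 6749 section 2.3.1: the client id and secret are each
    form-urlencoded first, then joined with ":" and base64-encoded.
    Encoding first keeps a ":" inside the secret from being read as
    the separator.
    """
    user = quote_plus(client_id)
    password = quote_plus(client_secret)
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code, redirect_uri, client_id, client_secret,
                        use_basic=True):
    """Return (headers, body) for a grant_type=authorization_code request.

    use_basic=True  -> credentials only in the Authorization header.
    use_basic=False -> credentials in the body (the form the RFC marks
                       NOT RECOMMENDED), kept for providers that do not
                       accept Basic at their token endpoint.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if use_basic:
        headers["Authorization"] = basic_client_auth_header(
            client_id, client_secret)
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    return headers, urlencode(params)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hdrs, body = build_token_request(
        "SAMPLE_CODE", "https://client.example/cb", "my-client", "s3cr:et +1")
    print(hdrs["Authorization"])
    print(body)
```

With Basic authentication the secret stays out of the form body, so it does not appear wherever request bodies are logged or echoed.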