
OAuth2Client: use correct auth method for token introspection

Open · AdamWill opened this pull request 1 year ago · 1 comment

When token introspection was introduced in 6f5d19a, using the code that previously only handled token revocation, the new _handle_token_hint method that does the work for both introspect_token and revoke_token kept using self.revocation_endpoint_auth_method unconditionally if no auth was passed in with the introspect or revoke request. This seems to be wrong; introspecting a token should use the token_endpoint_auth_method.

This leaves the fallback to revocation_endpoint_auth_method in _handle_token_hint because adjusting its signature to make auth compulsory would be awkward, but it's not expected ever to be used.

What kind of change does this PR introduce? (check at least one)

  • [X] Bugfix

Does this PR introduce a breaking change? (check one)

  • [X] No

  • [ ] You consent that the copyright of your pull request source code belongs to Authlib's author.

AdamWill · Jul 19 '24 06:07
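The mismatch described in the PR text, as a constructed Python model added here (this is not Authlib's code): ModelClient, apply_auth and auth_method_used are hypothetical names, and the two auth methods are reduced to where the client credentials land in the outgoing request. introspect_token_buggy reproduces the pre-fix fallback to the revocation method; introspect_token shows the corrected choice.

```python
import base64

def apply_auth(method, client_id, client_secret, headers, body):
    """Attach client credentials the way the named auth method requires."""
    if method == "client_secret_basic":
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    elif method != "none":
        raise ValueError(f"unsupported auth method: {method}")
    return headers, body

class ModelClient:
    """Hypothetical stand-in for an OAuth2 client with per-endpoint auth methods."""
    def __init__(self, client_id, client_secret,
                 token_endpoint_auth_method="client_secret_basic",
                 revocation_endpoint_auth_method="client_secret_basic"):
        self.client_id = client_id
        self.client_secret = client_secret
        self.token_endpoint_auth_method = token_endpoint_auth_method
        self.revocation_endpoint_auth_method = revocation_endpoint_auth_method

    def _handle_token_hint(self, token, auth=None):
        # Fallback kept by the PR: only reached when a caller passes no auth.
        # Before the fix, introspect_token reached it on every call.
        method = auth or self.revocation_endpoint_auth_method
        body = {"token": token}
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return apply_auth(method, self.client_id, self.client_secret, headers, body)

    def revoke_token(self, token):
        return self._handle_token_hint(token, auth=self.revocation_endpoint_auth_method)

    def introspect_token_buggy(self, token):
        # Pre-fix behaviour: no auth passed, so the revocation method is used.
        return self._handle_token_hint(token)

    def introspect_token(self, token):
        # Post-fix behaviour: introspection uses the token endpoint's method.
        return self._handle_token_hint(token, auth=self.token_endpoint_auth_method)

def auth_method_used(headers, body):
    """Classify how a built request carries the client credentials."""
    if "Authorization" in headers:
        return "client_secret_basic"
    if "client_secret" in body:
        return "client_secret_post"
    return "none"
```

With a client configured to use client_secret_basic at the token endpoint and client_secret_post at the revocation endpoint, the buggy introspection request carries the secret in the form body while the fixed one carries it in the Authorization header, which is the difference an introspection endpoint expecting Basic auth would reject.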

As I work for Red Hat I cannot agree to "consent that the copyright of your pull request source code belongs to Authlib's author" without my employer's permission, but I think this change is too trivial to be copyrightable.

AdamWill · Jul 19 '24 06:07

I have discussed with @lepture, and he is OK about the copyright thing.

azmeuk · Feb 21 '25 11:02