oauthlib icon indicating copy to clipboard operation
oauthlib copied to clipboard

Published 20 hours ago verified publisher icon oauthlib

Is the *request.client.client_id* attribute really necessairy?

Open AdorablePotato opened this issue 8 years ago • 3 comments

Hi,

thank you for this great library.

I implemented the request validator as described in the documentation, but I get this exception after executing the authenticate_client method:

Authenticate client must set the request.client.client_id attribute in authenticate_client.

https://github.com/idan/oauthlib/blob/master/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py#L374

Is there a difference between request.client_id and request.client.client_id? I think the line of code should be

if not hasattr(request, 'client_id'):

AdorablePotato avatar Sep 01 '15 19:09 AdorablePotato

Hello, I have the same error. And I don't understand how can client_id can be an attribute of request.client if client is just a param extracted from the query string (ie, a string itself) So I also think this should be:

if not hasattr(request, 'client_id'):

Bramas avatar Jan 18 '16 00:01 Bramas

In AuthorizationCodeGrant::validateTokenRequest, we have

        if self.request_validator.client_authentication_required(request):
            if not self.request_validator.authenticate_client(request):
                log.debug('Client authentication failed, %r.', request)
                raise errors.InvalidClientError(request=request)
        elif not self.request_validator.authenticate_client_id(request.client_id, request):

            log.debug('Client authentication failed, %r.', request)
            raise errors.InvalidClientError(request=request)

        if not hasattr(request.client, 'client_id'):
            raise NotImplementedError('Authenticate client must set the '
                                      'request.client.client_id attribute '
                                      'in authenticate_client.')

The error comes from the last if but:

In authenticate_client_id function the doc says:

        Note, while not strictly necessary it can often be very convenient
        to set request.client to the client object associated with the
        given client_id.

So actually request.client can have an attribut client_id but this must be set in authenticate_client_id or in authenticate_client This should be indicated correctly in the doc! We should replace while not strictly necessary by it is strictly necessary

Bramas avatar Jan 18 '16 11:01 Bramas

I think that request.client_id must be the only field used by oauthlib, and request.client structure and its fields should be at the implementor discretion.

I'm suggesting to remove the need of request.client.client_id in 3.x.x breaking release.

Others ?

JonathanHuot avatar Jul 31 '18 15:07 JonathanHuot