requests-oauthlib icon indicating copy to clipboard operation
requests-oauthlib copied to clipboard

Published 20 hours ago verified publisher icon requests

Remove client_id and client_secret from body (generated via prepare_r…

Open DmitryPaschenko opened this issue 7 years ago • 6 comments

Remove client_id and client_secret from body (generated via prepare_request_body) if HTTPBasicAuth used.

Usage:

token = oauth.fetch_token( token_url='token_url_here', code='code_here', client_id='client_id_here', client_secret='client_secret_here' )

DmitryPaschenko avatar Aug 14 '18 08:08 DmitryPaschenko

Coverage Status

Coverage remained the same at 88.025% when pulling 3dc13ad81b5f570e572f0c23e4a7ed5c72bd4034 on DmitryPaschenko:fetch_token_without_auth into f8e741dc6a87eecf94e0948b66fe142a79c56fb9 on requests:master.

coveralls avatar Aug 14 '18 08:08 coveralls

Hi @DmitryPaschenko, the problem in this is that it takes out client_id from kwargs but it can still be present in self._client property. So, if you use OAuth2Session(client_id=xx) it will still be taken in account.

@jvanasco is working on a wider patch in oauthlib https://github.com/oauthlib/oauthlib/pull/593 and requests-oauthlib (PR TBC).

JonathanHuot avatar Sep 17 '18 16:09 JonathanHuot

@JonathanHuot the concept in current implementation is not good to understand. Here are my thoughts:

There are two types of requests:

  1. using client information to get token
  2. using token to request other things

For "using token to request other things", currently, requests-oauthlib is using auth parameter which is great.

Why not use the auth feature in fetch_token too? Currently, it only happens in some cases like here https://github.com/requests/requests-oauthlib/blob/master/requests_oauthlib/oauth2_session.py#L291

From the later RFCs, we can understand fetching access token in this way:

we use client authentication information to exchange access token.

There are several methods for client authentication:

  1. none (just client_id)
  2. client_secret_basic (client_id and client_secret in header, using "basic" auth)
  3. client_secret_post (client_id and client_secret in payload "body")

For fetching token, this is usually called token_endpoint_auth_method.

You can get some inspiration from Authlib. Checkout

  1. https://github.com/lepture/authlib/blob/master/authlib/oauth2/client.py
  2. https://github.com/lepture/authlib/blob/master/authlib/oauth2/auth.py
  3. https://github.com/lepture/authlib/blob/master/authlib/client/oauth2_session.py

When fetching token, we just pass an auth parameter, this auth will decide where to add the client_id or client_secret. For instance:

auth = ClientAuth(client_id, client_secret, 'client_secret_basic')

This auth will add client_id, client_secret in header.

auth = ClientAuth(client_id, client_secret, 'client_secret_post')

This auth will add client_id, client_secret in body.

lepture avatar Sep 17 '19 14:09 lepture

Why not use the auth feature in fetch_token too?

unless I am missing something, fetch_token already accepts an auth

It is defined as

    :param auth: An auth tuple or method as accepted by `requests`.

the block you cited only creates a HTTP Basic Auth header if the auth parameter was not provided and the requires/is-intended-to-have the header.

jvanasco avatar Sep 17 '19 18:09 jvanasco

@jvanasco I mean, for client_secret_post and none we can also use auth.

lepture avatar Sep 17 '19 23:09 lepture

I am sorry for wildly misinterpreting your original message. I didn't have enough coffee this morning - but I understand it now.

you should probably create a new issue ticket with your above content. I think this PR ticket is a candidate to be closed, because it should have been made obsolete by PR #593 last year.

jvanasco avatar Sep 17 '19 23:09 jvanasco