
auth.py - call to token endpoint still seems to use the deprecated implicit grant flow

[Open] mgold-greenway opened this issue 2 years ago · 2 comments

I was trying to get the flask app running and noticed during the OAuth process that even after we get an auth code, the 'state' parameter used to obtain the auth code is then being sent by the flask app when POSTing to the auth server's token endpoint. In my case our token endpoint returns a 400 because it does not support the state parameter - which was used in the now-deprecated implicit grant flow. https://oauth.net/2/grant-types/implicit/

Commenting out the state param in auth.py - line 265, in _code_exchange_params() - was my workaround. Once I did that, my token endpoint issued me a token. But I think for the sake of completeness, support for PKCE is needed... https://oauth.net/2/pkce/ Is this a possibility?

mgold-greenway, Sep 02 '22 20:09
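The split the issue is describing, as an added example that is not client-py's auth.py and not code from either participant: in the authorization code flow with PKCE (RFC 7636), `state` and `code_challenge` belong on the request to the authorization endpoint, and the redirect back is checked against the stored `state`; the POST to the token endpoint carries `code`, `redirect_uri` and `code_verifier`, never `state`. The endpoint URLs, `client_id` and `redirect_uri` below are placeholder assumptions, and `code_exchange_params` is this example's own function, named only to echo the `_code_exchange_params()` mentioned above.

```python
"""Authorization-code + PKCE request builder (added example, not client-py's auth.py).

Shows which parameters go to the authorize endpoint (state, code_challenge) and
which go to the token endpoint (code, code_verifier); `state` is never POSTed
to the token endpoint. URLs and client identifiers are assumed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values; in practice take them from the server's
# discovery document (e.g. .well-known/smart-configuration) and your app config.
AUTHORIZE_URL = "https://auth.example.org/authorize"
TOKEN_URL = "https://auth.example.org/token"
CLIENT_ID = "my_flask_app"
REDIRECT_URI = "https://app.example.org/fhir-app/"


def b64url_nopad(raw: bytes) -> str:
    """RFC 7636 base64url encoding with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Verifier must be 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (method S256)."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(scope: str, aud: str) -> dict:
    """Step 1: the URL the browser is redirected to. state and PKCE challenge go here."""
    state = secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "aud": aud,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    # Both values must be kept server-side (e.g. in the Flask session) so the
    # callback can be checked and the verifier can be presented at token time.
    session = {"state": state, "code_verifier": verifier}
    return {"url": f"{AUTHORIZE_URL}?{urlencode(params)}", "session": session}


def parse_callback(callback_url: str, session: dict) -> str:
    """Step 2: validate the redirect back from the auth server; return the code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]}")
    # This is the only place `state` is consumed: it binds the callback to the
    # session that started the flow (CSRF / session-mixup protection).
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    return q["code"][0]


def code_exchange_params(code: str, session: dict) -> dict:
    """Step 3: form body for the POST to the token endpoint.

    No `state` here; the code_verifier is what proves this client began the
    flow. A server that rejects unknown parameters (400) would otherwise fail.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }
    # e.g. requests.post(TOKEN_URL, data=code_exchange_params(code, session),
    #                    headers={"Accept": "application/json"})
```

For a confidential client, client authentication (HTTP Basic or `client_secret` in the body) is added to the token request on top of this; PKCE is still worth sending, since it also protects against authorization code injection. The S256 computation can be checked against the test vector in RFC 7636 Appendix B.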

One thing that helped me figure out what caused my 400 error was to add the following to my flask app. It prints the http headers, request and response in the console:

```python
import http.client

# 1 = print request/response lines and headers for every http.client
# connection (which is what requests/urllib3 use under the hood)
http.client.HTTPConnection.debuglevel = 1
```

mgold-greenway, Sep 02 '22 20:09

Hi @mgold-greenway, sure it's a possibility, pull requests welcome!

ducu, Sep 05 '22 08:09