Merge pull request #593 from jvanasco/fix-585_client_id

JonathanHuot · web-flow · commit fabcf865a7f3 · 2018-09-21T23:40:59.000+02:00
PR for #585, `client_id` behavior with `prepare_request_body`
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,16 @@
 Changelog
 =========
 
+Unreleased
+------------------
+
+* OAuth2's `prepare_token_request` supports sending an empty string for `client_id` (#585)
+* OAuth2's `WebApplicationClient.prepare_request_body` was refactored to better
+  support sending or omitting the `client_id` via a new `include_client_id` kwarg.
+  By default this is included. The method will also emit a DeprecationWarning if
+  a `client_id` parameter is submitted; the already configured `self.client_id`
+  is the preferred option. (#585)
+
 2.1.0 (2018-05-21)
 ------------------
 
diff --git a/oauthlib/oauth2/rfc6749/clients/backend_application.py b/oauthlib/oauth2/rfc6749/clients/backend_application.py
@@ -30,15 +30,26 @@ class BackendApplicationClient(Client):
     no additional authorization request is needed.
     """
 
-    def prepare_request_body(self, body='', scope=None, **kwargs):
+    def prepare_request_body(self, body='', scope=None,
+                             include_client_id=None, **kwargs):
         """Add the client credentials to the request body.
 
         The client makes a request to the token endpoint by adding the
         following parameters using the "application/x-www-form-urlencoded"
         format per `Appendix B`_ in the HTTP request entity-body:
 
+        :param body: Existing request body (URL encoded string) to embed parameters
+                     into. This may contain extra paramters. Default ''.
         :param scope:   The scope of the access request as described by
                         `Section 3.3`_.
+
+        :param include_client_id: `True` to send the `client_id` in the body of
+                                  the upstream request. Default `None`. This is
+                                  required if the client is not authenticating
+                                  with the authorization server as described
+                                  in `Section 3.2.1`_.
+        :type include_client_id: Boolean
+
         :param kwargs:  Extra credentials to include in the token request.
 
         The client MUST authenticate with the authorization server as
@@ -56,5 +67,7 @@ def prepare_request_body(self, body='', scope=None, **kwargs):
         .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3
         .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1
         """
+        kwargs['client_id'] = self.client_id
+        kwargs['include_client_id'] = include_client_id
         return prepare_token_request('client_credentials', body=body,
                                      scope=scope, **kwargs)
diff --git a/oauthlib/oauth2/rfc6749/clients/base.py b/oauthlib/oauth2/rfc6749/clients/base.py
@@ -254,7 +254,8 @@ def prepare_token_request(self, token_url, authorization_response=None,
         :param redirect_url: The redirect_url supplied with the authorization
         request (if there was one).
 
-        :param body: Request body (URL encoded string).
+        :param body: Existing request body (URL encoded string) to embed parameters
+                     into. This may contain extra paramters. Default ''.
 
         :param kwargs: Additional parameters to included in the request.
 
@@ -286,7 +287,8 @@ def prepare_refresh_token_request(self, token_url, refresh_token=None,
 
         :param refresh_token: Refresh token string.
 
-        :param body: Request body (URL encoded string).
+        :param body: Existing request body (URL encoded string) to embed parameters
+                     into. This may contain extra paramters. Default ''.
 
         :param scope: List of scopes to request. Must be equal to
         or a subset of the scopes granted when obtaining the refresh
diff --git a/oauthlib/oauth2/rfc6749/clients/legacy_application.py b/oauthlib/oauth2/rfc6749/clients/legacy_application.py
@@ -38,7 +38,8 @@ class LegacyApplicationClient(Client):
     def __init__(self, client_id, **kwargs):
         super(LegacyApplicationClient, self).__init__(client_id, **kwargs)
 
-    def prepare_request_body(self, username, password, body='', scope=None, **kwargs):
+    def prepare_request_body(self, username, password, body='', scope=None,
+                             include_client_id=None, **kwargs):
         """Add the resource owner password and username to the request body.
 
         The client makes a request to the token endpoint by adding the
@@ -47,8 +48,16 @@ def prepare_request_body(self, username, password, body='', scope=None, **kwargs
 
         :param username:    The resource owner username.
         :param password:    The resource owner password.
+        :param body: Existing request body (URL encoded string) to embed parameters
+                     into. This may contain extra paramters. Default ''.
         :param scope:   The scope of the access request as described by
                         `Section 3.3`_.
+        :param include_client_id: `True` to send the `client_id` in the body of
+                                  the upstream request. Default `None`. This is
+                                  required if the client is not authenticating
+                                  with the authorization server as described
+                                  in `Section 3.2.1`_.
+        :type include_client_id: Boolean
         :param kwargs:  Extra credentials to include in the token request.
 
         If the client type is confidential or the client was issued client
@@ -68,5 +77,7 @@ def prepare_request_body(self, username, password, body='', scope=None, **kwargs
         .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3
         .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1
         """
+        kwargs['client_id'] = self.client_id
+        kwargs['include_client_id'] = include_client_id
         return prepare_token_request('password', body=body, username=username,
                                      password=password, scope=scope, **kwargs)
diff --git a/oauthlib/oauth2/rfc6749/clients/service_application.py b/oauthlib/oauth2/rfc6749/clients/service_application.py
@@ -72,7 +72,8 @@ def prepare_request_body(self,
                              issued_at=None,
                              extra_claims=None,
                              body='', 
-                             scope=None, 
+                             scope=None,
+                             include_client_id=None,
                              **kwargs):
         """Create and add a JWT assertion to the request body.
 
@@ -97,20 +98,32 @@ def prepare_request_body(self,
         :param issued_at: A unix timestamp of when the JWT was created.
                           Defaults to now, i.e. ``time.time()``.
 
-        :param not_before: A unix timestamp after which the JWT may be used.
-                           Not included unless provided.
-
-        :param jwt_id: A unique JWT token identifier. Not included unless
-                       provided.
-
         :param extra_claims: A dict of additional claims to include in the JWT.
 
+        :param body: Existing request body (URL encoded string) to embed parameters
+                     into. This may contain extra paramters. Default ''.
+
         :param scope: The scope of the access request.
 
-        :param body: Request body (string) with extra parameters.
+        :param include_client_id: `True` to send the `client_id` in the body of
+                                  the upstream request. Default `None`. This is
+                                  required if the client is not authenticating
+                                  with the authorization server as described
+                                  in `Section 3.2.1`_.
+        :type include_client_id: Boolean
+
+        :param not_before: A unix timestamp after which the JWT may be used.
+                           Not included unless provided. *
+
+        :param jwt_id: A unique JWT token identifier. Not included unless
+                       provided. *
 
         :param kwargs: Extra credentials to include in the token request.
 
+        Parameters marked with a `*` above are not explicit arguments in the
+        function signature, but are specially documented arguments for items
+        appearing in the generic `**kwargs` keyworded input.
+
         The "scope" parameter may be used, as defined in the Assertion
         Framework for OAuth 2.0 Client Authentication and Authorization Grants
         [I-D.ietf-oauth-assertions] specification, to indicate the requested
@@ -168,6 +181,8 @@ def prepare_request_body(self,
         assertion = jwt.encode(claim, key, 'RS256')
         assertion = to_unicode(assertion)
 
+        kwargs['client_id'] = self.client_id
+        kwargs['include_client_id'] = include_client_id
         return prepare_token_request(self.grant_type,
                                      body=body,
                                      assertion=assertion,
diff --git a/oauthlib/oauth2/rfc6749/clients/web_application.py b/oauthlib/oauth2/rfc6749/clients/web_application.py
@@ -8,6 +8,8 @@
 """
 from __future__ import absolute_import, unicode_literals
 
+import warnings
+
 from ..parameters import (parse_authorization_code_response,
                           parse_token_response, prepare_grant_uri,
                           prepare_token_request)
@@ -85,24 +87,30 @@ def prepare_request_uri(self, uri, redirect_uri=None, scope=None,
         return prepare_grant_uri(uri, self.client_id, 'code',
                                  redirect_uri=redirect_uri, scope=scope, state=state, **kwargs)
 
-    def prepare_request_body(self, client_id=None, code=None, body='',
-                             redirect_uri=None, **kwargs):
+    def prepare_request_body(self, code=None, redirect_uri=None, body='',
+                             include_client_id=True, **kwargs):
         """Prepare the access token request body.
 
         The client makes a request to the token endpoint by adding the
         following parameters using the "application/x-www-form-urlencoded"
         format in the HTTP request entity-body:
 
-        :param client_id:   REQUIRED, if the client is not authenticating with the
-                            authorization server as described in `Section 3.2.1`_.
-
         :param code:    REQUIRED. The authorization code received from the
                         authorization server.
 
         :param redirect_uri:    REQUIRED, if the "redirect_uri" parameter was included in the
                                 authorization request as described in `Section 4.1.1`_, and their
                                 values MUST be identical.
 
+        :param body: Existing request body (URL encoded string) to embed parameters
+                     into. This may contain extra paramters. Default ''.
+
+        :param include_client_id: `True` (default) to send the `client_id` in the
+                                  body of the upstream request. This is required
+                                  if the client is not authenticating with the
+                                  authorization server as described in `Section 3.2.1`_.
+        :type include_client_id: Boolean
+
         :param kwargs: Extra parameters to include in the token request.
 
         In addition OAuthLib will add the ``grant_type`` parameter set to
@@ -120,12 +128,31 @@ def prepare_request_body(self, client_id=None, code=None, body='',
             >>> client.prepare_request_body(code='sh35ksdf09sf', foo='bar')
             'grant_type=authorization_code&code=sh35ksdf09sf&foo=bar'
 
+        `Section 3.2.1` also states:
+            In the "authorization_code" "grant_type" request to the token
+            endpoint, an unauthenticated client MUST send its "client_id" to
+            prevent itself from inadvertently accepting a code intended for a
+            client with a different "client_id".  This protects the client from
+            substitution of the authentication code.  (It provides no additional
+            security for the protected resource.)
+
         .. _`Section 4.1.1`: https://tools.ietf.org/html/rfc6749#section-4.1.1
         .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1
         """
         code = code or self.code
+        if 'client_id' in kwargs:
+            warnings.warn("`client_id` has been deprecated in favor of "
+                          "`include_client_id`, a boolean value which will "
+                          "include the already configured `self.client_id`.",
+                          DeprecationWarning)
+            if kwargs['client_id'] != self.client_id:
+                raise ValueError("`client_id` was supplied as an argument, but "
+                                 "it does not match `self.client_id`")
+
+        kwargs['client_id'] = self.client_id
+        kwargs['include_client_id'] = include_client_id
         return prepare_token_request('authorization_code', code=code, body=body,
-                                     client_id=client_id, redirect_uri=redirect_uri, **kwargs)
+                                     redirect_uri=redirect_uri, **kwargs)
 
     def parse_request_uri_response(self, uri, state=None):
         """Parse the URI query for code and state.
diff --git a/oauthlib/oauth2/rfc6749/parameters.py b/oauthlib/oauth2/rfc6749/parameters.py
@@ -87,7 +87,7 @@ def prepare_grant_uri(uri, client_id, response_type, redirect_uri=None,
     return add_params_to_uri(uri, params)
 
 
-def prepare_token_request(grant_type, body='', **kwargs):
+def prepare_token_request(grant_type, body='', include_client_id=True, **kwargs):
     """Prepare the access token request.
 
     The client makes a request to the token endpoint by adding the
@@ -96,14 +96,38 @@ def prepare_token_request(grant_type, body='', **kwargs):
 
     :param grant_type: To indicate grant type being used, i.e. "password",
                        "authorization_code" or "client_credentials".
-    :param body: Existing request body to embed parameters in.
-    :param code: If using authorization code grant, pass the previously
-                 obtained authorization code as the ``code`` argument.
+
+    :param body: Existing request body (URL encoded string) to embed parameters
+                 into. This may contain extra paramters. Default ''.
+
+    :param include_client_id: `True` (default) to send the `client_id` in the
+                              body of the upstream request. This is required
+                              if the client is not authenticating with the
+                              authorization server as described in
+                              `Section 3.2.1`_.
+    :type include_client_id: Boolean
+
+    :param client_id: Unicode client identifier. Will only appear if
+                      `include_client_id` is True. *
+
+    :param client_secret: Unicode client secret. Will only appear if set to a
+                          value that is not `None`. Invoking this function with
+                          an empty string will send an empty `client_secret`
+                          value to the server. *
+
+    :param code: If using authorization_code grant, pass the previously
+                 obtained authorization code as the ``code`` argument. *
+
     :param redirect_uri: If the "redirect_uri" parameter was included in the
                          authorization request as described in
-                         `Section 4.1.1`_, and their values MUST be identical.
+                         `Section 4.1.1`_, and their values MUST be identical. *
+
     :param kwargs: Extra arguments to embed in the request body.
 
+    Parameters marked with a `*` above are not explicit arguments in the
+    function signature, but are specially documented arguments for items
+    appearing in the generic `**kwargs` keyworded input.
+
     An example of an authorization code token request body:
 
     .. code-block:: http
@@ -118,6 +142,19 @@ def prepare_token_request(grant_type, body='', **kwargs):
     if 'scope' in kwargs:
         kwargs['scope'] = list_to_scope(kwargs['scope'])
 
+    # pull the `client_id` out of the kwargs. 
+    client_id = kwargs.pop('client_id', None)
+    if include_client_id:
+        if client_id is not None:
+            params.append((unicode_type('client_id'), client_id))
+
+    # the kwargs iteration below only supports including boolean truth (truthy)
+    # values, but some servers may require an empty string for `client_secret`
+    client_secret = kwargs.pop('client_secret', None)
+    if client_secret is not None:
+        params.append((unicode_type('client_secret'), client_secret))
+
+    # this handles: `code`, `redirect_uri`, and other undocumented params
     for k in kwargs:
         if kwargs[k]:
             params.append((unicode_type(k), kwargs[k]))
@@ -144,7 +181,7 @@ def prepare_token_revocation_request(url, token, token_type_hint="access_token",
                             token types.  An authorization server MAY ignore
                             this parameter, particularly if it is able to detect
                             the token type automatically.
-    
+
     This specification defines two values for `token_type_hint`:
 
         * access_token: An access token as defined in [RFC6749],
diff --git a/tests/oauth2/rfc6749/clients/test_backend_application.py b/tests/oauth2/rfc6749/clients/test_backend_application.py
@@ -15,6 +15,7 @@
 class BackendApplicationClientTest(TestCase):
 
     client_id = "someclientid"
+    client_secret = 'someclientsecret'
     scope = ["/profile"]
     kwargs = {
         "some": "providers",
diff --git a/tests/oauth2/rfc6749/clients/test_legacy_application.py b/tests/oauth2/rfc6749/clients/test_legacy_application.py
diff --git a/tests/oauth2/rfc6749/clients/test_web_application.py b/tests/oauth2/rfc6749/clients/test_web_application.py
