Client id always included in body of token request #495

Closed
Diaoul opened this issue Oct 27, 2017 · 6 comments
Comments

@Diaoul
Contributor

Diaoul commented Oct 27, 2017

I use the WebApplication client and in prepare_request_body I noticed the client_id parameter is never used. However self.client_id is always passed down to prepare_token_request and thus always included in the body.

An unused parameter doesn't look good but maybe this is intended, I've only quickly read the RFC 6749. If this is the case it should at least be stated in the docstring.

The server here (I guess OpenAM) rejects queries when they contain the client_id in the body.

@duaneking
Member

OAuth2 is a cluster; you can "follow the spec" and still get incompatible implementations... by design.

I'm not sure what the original intent was here; the OAuth2 spec explicitly states that the format of the token itself is out of scope, yet in this case sending that may help with auth in some way. Still, if it's not used it shouldn't be sent.

Does removing this break any of the big examples?

@Diaoul
Contributor Author

Diaoul commented Oct 31, 2017

Sorry to disappoint but I have absolutely no idea... I only started using oauthlib a few days ago in my specific scenario at work.

I'm not sure how the client_id would be used by the server as it already gets it from HTTP basic authentication.

@Diaoul
Contributor Author

Diaoul commented Nov 14, 2017

Do you have a test suite that I could run to help speed things up on this matter? In any case, the unused parameter should be used instead of self.client_id.

@Diaoul
Contributor Author

Diaoul commented Nov 14, 2017

Just realized that the doc of this function is wrong, but so are the doctests:

>>> from oauthlib.oauth2 import WebApplicationClient
>>> client = WebApplicationClient('your_id')
>>> client.prepare_request_body(code='sh35ksdf09sf')
'grant_type=authorization_code&code=sh35ksdf09sf'
>>> client.prepare_request_body(code='sh35ksdf09sf', foo='bar')
'grant_type=authorization_code&code=sh35ksdf09sf&foo=bar'

Here is what I get when I run it:

>>> from oauthlib.oauth2 import WebApplicationClient
>>> client = WebApplicationClient('your_id')
>>> client.prepare_request_body(code='sh35ksdf09sf')
'grant_type=authorization_code&client_id=your_id&code=sh35ksdf09sf'
>>> client.prepare_request_body(code='sh35ksdf09sf', foo='bar')
'grant_type=authorization_code&client_id=your_id&foo=bar&code=sh35ksdf09sf'
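The behaviour the thread argues for (honour the client_id parameter instead of always injecting self.client_id, and identify the client exactly once per token request) can be shown in a small stand-alone example. The code below is an added illustration, not oauthlib's own implementation: the names prepare_request_body, basic_auth_header, decode_basic_auth and TokenRequestClient are assumed for the demo, and the sample values your_id, s3cret and sh35ksdf09sf are constructed (the last two match the doctest above). It encodes RFC 6749 section 2.3.1: a confidential client authenticates with HTTP Basic and sends no client_id in the body, a public client sends client_id in the body, and combining both in one request is rejected, which is the situation the OpenAM-style server in this issue refused.

```python
# Added illustration (not oauthlib's code): build an OAuth 2.0 token request so
# that the client identifies itself exactly once, either through HTTP Basic
# authentication (confidential client) or through a client_id body parameter
# (public client), never both.  All names and sample values are assumed.
import base64
from urllib.parse import urlencode


def prepare_request_body(code, client_id=None, **extra):
    """Encode an authorization_code grant body.

    client_id is included only when the caller passes it, i.e. the parameter
    is honoured rather than being ignored in favour of an attribute.
    """
    params = {"grant_type": "authorization_code", "code": code}
    if client_id is not None:
        params["client_id"] = client_id
    params.update(extra)
    return urlencode(params)  # quote_plus encoding, insertion order preserved


def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 section 2.3.1): credentials in the Authorization header."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def decode_basic_auth(headers):
    """Inverse of basic_auth_header, returning (client_id, client_secret)."""
    scheme, _, token = headers["Authorization"].partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    client_id, _, secret = base64.b64decode(token).decode("utf-8").partition(":")
    return client_id, secret


class TokenRequestClient:
    """Minimal stand-in for a web-application client (assumed name)."""

    def __init__(self, client_id, client_secret=None):
        self.client_id = client_id
        self.client_secret = client_secret  # None means a public client

    def prepare_token_request(self, code, **kwargs):
        """Return (headers, body) for the token endpoint.

        Confidential client: HTTP Basic auth, no client_id in the body.
        Public client: no secret, so client_id goes in the body.
        An explicit client_id alongside Basic auth would be two client
        authentication methods in one request, which section 2.3.1 forbids.
        """
        if self.client_secret is not None:
            if "client_id" in kwargs:
                raise ValueError(
                    "client_id in body and HTTP Basic auth must not be combined")
            headers = basic_auth_header(self.client_id, self.client_secret)
            body = prepare_request_body(code, **kwargs)
        else:
            headers = {}
            kwargs.setdefault("client_id", self.client_id)
            body = prepare_request_body(code, **kwargs)
        return headers, body


if __name__ == "__main__":
    confidential = TokenRequestClient("your_id", "s3cret")
    print(confidential.prepare_token_request("sh35ksdf09sf"))
    public = TokenRequestClient("your_id")
    print(public.prepare_token_request("sh35ksdf09sf", foo="bar"))
```

With a secret configured, the body is exactly the docstring's 'grant_type=authorization_code&code=sh35ksdf09sf' and the client is identified only by the Authorization header; without a secret, client_id is appended to the body. Parameter order is not significant to the token endpoint, so the extra `foo=bar` may land before or after `client_id` depending on the encoder, as the two transcripts above also show.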

@duaneking
Member

When you modify that:

Do the tests run successfully and all pass?
What is the change in test coverage?

@Diaoul
Contributor Author

Diaoul commented Nov 28, 2017

It only failed on test_request_body which is to be expected.
