Added authorization header for token access #206
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change adds a Basic Auth header into `fetch_token`. Why? The relevant section of the OAuth 2.0 specification, [2.3.1. Client Password](https://tools.ietf.org/html/rfc6749#section-2.3.1) reads: > Clients in possession of a client password MAY use the > HTTP Basic authentication scheme... But for servers, it reads: > The authorization server MUST support the > HTTP Basic authentication scheme for authenticating clients > that were issued a client password. Clients MAY send Basic Auth, but servers MUST accept it. Before this commit, `fetch_token` DOES NOT use this scheme. Instead, it sends `client_id` and `client_secret` in the body. The spec says this about that: > Including the client credentials in the request-body > using the two parameters is NOT RECOMMENDED > and SHOULD be limited to clients unable to directly utilize > the HTTP Basic authentication scheme... But for servers, it reads: > The authorization server MAY support including > the client credentials in the request-body... Clients are NOT RECOMMENDED to send a body, and servers MAY accept it. So this client DOES something that is NOT RECOMMENDED. However, Fixing that would be a breaking change. Furthermore, this clearly works for non-compliant OAuth servers. "Ain't broke so don't fix it." A compliant server may accept Basic Auth and not a request-body. Which is the current case for Bitbucket. Before this commit, the following is a simple work-around: ``` # Fetch the access token basic_auth = HTTPBasicAuth(client_id, client_secret) bitbucket.fetch_token( token_uri, authorization_response=redirect_response, auth=basic_auth) ``` With a one line change (and 50+ lines of commit message), `fetch_token` is now more compliant and works with Bitbucket.
|
\o/ This change looks good to me, thanks @ibuchanan! ✨ 🍰 ✨ |
Lukasa
added a commit
that referenced
this pull request
Nov 20, 2015
Added authorization header for token access
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds a Basic Auth header into
fetch_token.Why?
The relevant section of the OAuth 2.0 specification, 2.3.1. Client Password reads:
But for servers, it reads:
Clients MAY send Basic Auth,
but servers MUST accept it.
Before this commit,
fetch_tokenDOES NOT use this scheme.Instead, it sends
client_idandclient_secretin the body.The spec says this about that:
But for servers, it reads:
Clients are NOT RECOMMENDED to send a body,
and servers MAY accept it.
So this client DOES something that is NOT RECOMMENDED.
However, Fixing that would be a breaking change.
Furthermore, this clearly works for non-compliant OAuth servers.
"Ain't broke so don't fix it."
A compliant server may accept Basic Auth and not a request-body.
Which is the current case for Bitbucket.
Before this commit, the following is a simple work-around:
With a one line change (and 50+ lines of commit message),
fetch_tokenis now more compliant and works with Bitbucket.