Merge pull request #342 from g10f/master

send no state in the access token response

examples/skeleton_oauth2_web_application_server.py

@@ -64,7 +64,7 @@ def authenticate_client_id(self, client_id, request, *args, **kwargs):
 
     def validate_code(self, client_id, code, client, request, *args, **kwargs):
         # Validate the code belongs to the client. Add associated scopes,
-        # state and user to request.scopes, request.state and request.user.
+        # state and user to request.scopes and request.user.
         pass
 
     def confirm_redirect_uri(self, client_id, code, redirect_uri, client, *args, **kwargs):

oauthlib/oauth2/rfc6749/grant_types/authorization_code.py

@@ -383,7 +383,7 @@ def validate_token_request(self, request):
                       request.client_id, request.client, request.scopes)
             raise errors.InvalidGrantError(request=request)
 
-        for attr in ('user', 'state', 'scopes'):
+        for attr in ('user', 'scopes'):
             if getattr(request, attr, None) is None:
                 log.debug('request.%s was not set on code validation.', attr)
 

oauthlib/oauth2/rfc6749/request_validator.py

@@ -342,8 +342,8 @@ def validate_code(self, client_id, code, client, request, *args, **kwargs):
         """Ensure the authorization_code is valid and assigned to client.
 
         OBS! The request.user attribute should be set to the resource owner
-        associated with this authorization code. Similarly request.scopes and
-        request.state must also be set.
+        associated with this authorization code. Similarly request.scopes
+        must also be set.
 
         :param client_id: Unicode client identifier
         :param code: Unicode authorization code