Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Handle oauth_token (and other parameters) in POST request #114

nneonneo opened this Issue Jun 4, 2012 · 2 comments


None yet
3 participants

nneonneo commented Jun 4, 2012

I recently worked with an OAuth server that required a POST oauth_token parameter unrelated to the OAuth access token, in addition to the access token.

Currently, oauth2 has no way of properly dealing with this situation. There are actually a few problems: the OAuth oauth_token and the POST oauth_token must both be included in the hash (and thus carried through the Request object), the resulting authentication headers can only appear in the Authorization: header (and not in the POST body), and the POST body must still contain the original oauth_token after all this processing is done.

I worked around it with a gross hack (that only works for oauth_token), but I think that this needs to be fixed in general.

Might I suggest simply decoupling the oauth_ variables from GET and POST variables? They are intended to be separate sources of variables, anyway. In this envisioned redesign, Request might no longer extend dict, but instead just have three separate dicts for the OAuth variables, the GET variables (just stored in the URL) and POST variables (just stored as-is). Alternately, you could just have the POST variables never enter the Request dictionary, but instead live in a separate variable.


jaitaiwan commented Jul 29, 2015

@nneonneo Correct me if I'm wrong but this doesn't sound like it is conforming to spec... cc @joestump


joestump commented Aug 2, 2015

I think I'd need to see the hack and the use case before making a judgement on that. I do think it's against specification to use your own oauth_ variables though?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment