Allow Authorization as CORS header and OAuth minor fixes #2298
This PR:

- Allows to use implicit grant: it was not possible because we always had a `secret` set on an `OAuth2Client`, due to the way `default` works on a MongoEngine field. Implicit grant won't work if there's a secret set on the client. A Boolean field `is_implicit` is now available to bypass the `secret` logic. Actually, you can use `client.secret = ''` and it works fine 😅
- Migrates `Flask-OAuthlib` syntax to the new `authlib` one.
- Set expiration time to 10 days for implicit grant tokens, vs 1 hour for the lib default.
- Set expiration time to 30 days for other grants, as we used to specify with `OAUTH2_PROVIDER_TOKEN_EXPIRES_IN`.
- Adds `Authorization` header as allowed `PREFLIGHT_HEADERS`, w/o this the implicit grant workflow is useless on a web app.

To be considered: `OAUTH2_PROVIDER_ERROR_ENDPOINT` and `OAUTH2_REFRESH_TOKEN_GENERATOR` are probably unused, but I'm not sure how to migrate those to `authlib`.
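The two points above (why `Authorization` must be in the preflight allow-list for an implicit-grant web app, and the per-grant lifetimes) as an added example that is not part of this PR or of authlib: it simulates the browser's preflight check and expresses the lifetimes as the `OAUTH2_TOKEN_EXPIRES_IN` dict authlib's Flask integration reads, with the header lists and origin being constructed placeholders.

```python
# Added example, not code from this PR, udata or authlib.
from datetime import timedelta

DAY = int(timedelta(days=1).total_seconds())

# Lifetimes described in the PR (authlib's own default for implicit is 1 hour).
AUTHLIB_DEFAULT_IMPLICIT_EXPIRES = 3600
OAUTH2_TOKEN_EXPIRES_IN = {          # authlib reads this setting per grant type
    'implicit': 10 * DAY,
    'authorization_code': 30 * DAY,
    'password': 30 * DAY,
    'client_credentials': 30 * DAY,
}

# Constructed before/after allow-lists for the CORS preflight.
PREFLIGHT_HEADERS_BEFORE = ['Content-Type', 'X-Requested-With']
PREFLIGHT_HEADERS_AFTER = PREFLIGHT_HEADERS_BEFORE + ['Authorization']


def preflight_response(allowed_headers):
    """Server side: what an OPTIONS handler answers for a given allow-list."""
    return {
        'Access-Control-Allow-Origin': 'https://spa.example',  # constructed
        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
        'Access-Control-Allow-Headers': ', '.join(allowed_headers),
    }


def browser_accepts_preflight(requested_headers, response):
    """Browser side (Fetch spec, simplified, credentials mode not 'include'):
    each name in Access-Control-Request-Headers must match an entry of
    Access-Control-Allow-Headers case-insensitively; '*' covers any header
    except Authorization, which must always be listed explicitly."""
    allowed = {h.strip().lower()
               for h in response.get('Access-Control-Allow-Headers', '').split(',')}
    for name in requested_headers:
        name = name.lower()
        if name in allowed or ('*' in allowed and name != 'authorization'):
            continue
        return False
    return True


def implicit_grant_api_call_possible(allowed_headers):
    """An implicit-grant SPA keeps the bearer token in JS and must send
    'Authorization: Bearer <token>', a header that always triggers a preflight."""
    response = preflight_response(allowed_headers)
    return browser_accepts_preflight(['Authorization', 'Content-Type'], response)
```

With the old list the preflight fails and the token can never reach the API; adding `Authorization` makes the same call succeed.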