
🐛 Bug Report - query param client_secret is missing even though client_secret is registered in the OAuth2Config #37

Closed
kkh-147-17-3 opened this issue Mar 13, 2024 · 7 comments
Labels: bug (Something isn't working)

kkh-147-17-3 commented Mar 13, 2024

Bug description

Hi, I was trying to integrate KakaoOAuth2 and had to apply client_secret for the authentication. The provider (Kakao) says the client_secret for KakaoOauth2 is not mandatory but is recommended for security purposes. Therefore, I set my application to use that.
Unfortunately, KakaoOauth2 does not work only when the client_secret is configured.

According to the official Kakao developer website, the client_secret must be in the request body as a query parameter when the application is configured to utilize client_secret. Otherwise, it returns an unauthorized response.

I looked through the code and found out that the client_secret is not in the query parameters when sending the POST request to the token endpoint.

Reproduction URL

No response

Reproduction steps

  1. Add an application at the Kakao Developer Website and configure the application to use client_secret as below
    [screenshot]

  2. Add configuration in the fastapi code.
    [screenshot]

  3. Send the request /oauth2/kakao/authorize

  4. After step 3, I received the following error

    {"detail":"(invalid_client) Bad client credentials"}

Screenshots

The original code is as follows (fastapi_oauth2.core.py -> OAuth2Core:token_data):

[screenshot]

I guess the client_secret should be in the oauth2_query_params so that the variable content can contain client_secret as a query parameter.

After I changed the code to put client_secret inside the query params, the authentication process worked as normal.
[screenshot]

Logs

No response

Browsers

No response

OS

No response

@ArtyomVancyan (Member)

Hi @kkh-147-17-3, please replace the os.getenv("OAUTH2_KAKAO_CLIENT_ID") and os.getenv("OAUTH2_KAKAO_CLIENT_SECRET") with their actual values so we can ensure the problem is not in reading an environment variable. Also, you did not mention the client_id in the issue description, which makes me think you don't use it at all. Please try to reproduce the issue with the hardcoded values and report the result.

@kkh-147-17-3 (Author)

Thank you for the prompt reply. I tried again with the hardcoded client_id and client_secret. Yet, the issue has not been resolved.

[screenshot]

You can see that client_id and client_secret were successfully assigned as below in the debug view.
[screenshot]

The problem seems to be that, when prepare_request_body is called, the only parameter taken from the WebApplicationClient object is client_id, not client_secret.

[screenshot]

@ArtyomVancyan (Member)

Do you face a similar issue with the AppleIdAuth you have configured? If it works for Apple, then you can compare the objects by debugging, but I don't think the WebApplicationClient can be the problem. Also, it's a possibility that the Kakao backend has some issues, try to find issues in social-core. I would also check if scopes are compatible with the identity provider.

@kkh-147-17-3 (Author)

Sadly I don't have any Apple developer account, so I removed the AppleIdAuth config and set only the KakaoOAuth2 instead. My project's Python version was initially set to 3.12, so I switched my Python version to 3.11 as well. But the authentication process still did not work. I tried google-oauth2 with client_id and client_secret, and it worked well.

I have a Spring Boot project which depends on spring-boot-starter-oauth2-client, and it contains a Kakao Oauth2 authentication process that uses the same client_id and client_secret. The authorization process works as normal. In this case, I set the project's environment variable spring.security.oauth2.client.registration.kakao.client-authentication-method to client_secret_post so that the client_secret can be included in the POST request body as a query parameter. On the contrary, the Google Oauth2 setting is client_secret_basic, where client_secret is not included as a parameter.

Lastly, I guess scopes are not the problem in this case, as I can check by the provider's error screen whether the wrong scopes are configured.

@ArtyomVancyan (Member)

Okay, I see, the problem is in the KakaoOAuth2 implementation. The request you are describing is an ordinary form data POST request. I am not sure how the request is sent by KakaoOAuth2, but it is surely fixable. I will try to fix it using your Kakao client_id and client_secret; it seems it got deprecated and no one cares about it :) Please do not remove the client credentials that you shared in the above screenshot so I can use them to help you solve your problem. If you already did, please provide new credentials.

@kkh-147-17-3 (Author)

Of course, I am happy to hear that! I will not change the KakaoOauth2 credential provided. Please let me know if you have any problems regarding the credential :)

@ArtyomVancyan ArtyomVancyan self-assigned this Mar 14, 2024
ArtyomVancyan added a commit to ArtyomVancyan/fastapi-oauth2 that referenced this issue Mar 14, 2024
@ArtyomVancyan (Member)

@kkh-147-17-3, I have investigated the issue, and it turns out that basic auth does not cover the client_secret, and it still needs to be passed. So, I fixed the issue, which is available in the latest release. Thank you very much for pointing out the issue and allowing me to use your OAuth credentials for development purposes.
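Added example, not code from fastapi-oauth2 or from either participant: it builds the token request both ways the thread contrasts (client_secret_basic versus client_secret_post) and runs them against a constructed stand-in for a token endpoint that, like the Kakao behaviour described above, only reads the secret from the form body, so the Basic-only request reproduces the invalid_client error while the body-carrying request succeeds. The credentials, redirect URI and endpoint logic are all constructed assumptions.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample values for the demonstration; not real credentials.
CLIENT_ID = "sample-client-id"
CLIENT_SECRET = "sample-client-secret"


def build_token_request(code, client_id, client_secret, auth_method):
    """Build (headers, urlencoded body) for an authorization_code exchange.

    auth_method picks the client authentication method (RFC 6749 section 2.3.1):
    "client_secret_basic" sends id:secret only in an HTTP Basic header, while
    "client_secret_post" adds client_secret to the form body.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": "http://localhost:8000/callback",  # constructed
        "client_id": client_id,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif auth_method == "client_secret_post":
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client authentication method: {auth_method}")
    return headers, urlencode(form)


def post_only_token_endpoint(headers, body):
    """Stand-in for a provider that reads the secret from the form body only.
    The Authorization header is deliberately ignored, which reproduces the
    symptom from the issue: a Basic header alone yields invalid_client."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    # Constant-time comparison so the check itself does not leak the secret.
    if form.get("client_id") != CLIENT_ID or not hmac.compare_digest(
        form.get("client_secret", ""), CLIENT_SECRET
    ):
        return {"error": "invalid_client", "error_description": "Bad client credentials"}
    return {"access_token": "sample-token", "token_type": "bearer"}


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        h, b = build_token_request("sample-code", CLIENT_ID, CLIENT_SECRET, method)
        print(method, "->", post_only_token_endpoint(h, b))
```

When a provider rejects credentials with invalid_client, checking which client authentication method it expects at the token endpoint is a faster diagnosis than re-checking the secret's value.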
