🐛 Bug Report - client authentication must only be provided using one mechanism

[twsl]

Bug description

I'm trying to implement my own oauth implementation.
Trying this with logto returns '(invalid_request) client authentication must only be provided using one mechanism'

fastapi-oauth2/src/fastapi_oauth2/core.py

Lines 111 to 124 in 33b42dc

	oauth2_query_params = dict(
	redirect_url=redirect_uri,
	client_secret=self.client_secret,
	authorization_response=authorization_response,
	)
	oauth2_query_params.update(request.query_params)
	token_url, headers, content = self._oauth_client.prepare_token_request(
	self._token_endpoint,
	**oauth2_query_params,
	)
	headers.update({"Accept": "application/json"})
	auth = httpx.BasicAuth(self.client_id, self.client_secret)

Here the client_secret is set both for the Authorization header and to the request body.

According to this post and other posts only one is supposed to be there. header seems to be preferred based on my limited knowledge.

Simply removing line 113 client_secret=self.client_secret, solves my problem

Reproduction URL

No response

Reproduction steps

1. Add middleware

class MyOAuth2(BaseOAuth2):
    name = "my"
    AUTHORIZATION_URL = os.getenv("AUTHORIZE_URL")
    ACCESS_TOKEN_URL = os.getenv("TOKEN_URL")
    REFRESH_TOKEN_URL = os.getenv("REFRESH_TOKEN_URL") or ""

app.add_middleware(
        OAuth2Middleware,
        config=OAuth2Config(
            allow_http=True,
            clients=[
                OAuth2Client(
                    backend=MyOAuth2,
                    client_id=os.getenv("CLIENT_ID") or "",
                    client_secret=os.getenv("CLIENT_SECRET") or "",
                    # redirect_uri=os.getenv("REDIRECT_URI"),
                    scope=scopes.split(" "),
                )
            ],
        ),
        callback=on_auth_success,
        on_error=on_auth_error,
    )

2. Navigate to /oauth2/my/authorize

Screenshots

No response

Logs

No response

Browsers

Firefox, Chrome

OS

Windows, Linux

[ArtyomVancyan]

I remember the client_secret added in the body as well in the scope of the #39 issue and it covered more cases than it did. The popular authentication providers cover this case as there are other oauth implementations and handlers out there. So, if I got you right, and you're implementing your own OAuth backend then you should probably ignore that field. In case you're using an existing OIDC backend like Keycloak, please let me know so I can reproduce the issue and generalize the code you mentioned.

[twsl]

I use logto which I linked in the original post. It can easily be set up as docker container. If you need any more details on the config for logto, please let me know.
I'll try to read up on the actual implementation to see how precise or ambiguous it is but it seems two client authentication methods would be present.

Edit:
Basic auth is required, in request body may be supported. Can't find anything explicit about the need to choose only one method, but probably only one should be used and basic is preferred:
https://www.rfc-editor.org/rfc/rfc6749.txt#:~:text=Including%20the%20client,the%0A%20%20%20request%20URI.

[ArtyomVancyan]

@twsl, thanks for the guide. I configured logto locally and fixed the issue. The version will be published after I fix the #53 issue as well. You can install it from the origin/master temporarily before I release the new version.