-
-
Notifications
You must be signed in to change notification settings - Fork 420
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use client_id and client_secret as basic auth credentials if provided #229
Conversation
I think I'm happy with this change. @synasius, thoughts? |
@poswald @Lukasa Also it is worth checking if if (not auth) and client_id:
if not client_secret:
raise ValueError(...)
auth = requests.auth.HTTPBasicAuth(client_id, client_secret) what do you think? |
Agreed that we should check for the empty |
@Lukasa makes sense! 👍 |
@poswald Want to add that check for empty |
OK, I didn't realize that username/password are never used as the basic auth header. I'll look into making that change. As for the So when using the password grant type (Resource Owner Password Credentials Grant) and a public client, the The wording is a bit odd in that it's required but only if it's not blank:
It also is allowed to be blank in the DOT |
Ugh I hate the OAuth specification. Yes, you're right, it's not required. In that case, we want a defensive |
How are we looking now? |
@poswald Sorry, I think the summary of the above conversation is that we wanted to keep the fallback to the username:password case: it clearly helped some users. |
Gah, sorry I missed your comment there. OK, let me look at the spec again too while I'm at it. You're certainly not alone in thinking the spec is annoying. |
@poswald Heh, yeah, working with OAuth2 is always "fun". Thanks for putting in so much effort though, it's really appreciated! 🍮 |
So yeah, while it does look like authenticating user credentials in basic auth is not technically in the spec, who knows what servers are doing in the wild for people. This version fixes the issue without changing the behavior too much for people who weren't passing |
if client_id: | ||
log.debug('Encoding client_id "%s" with client_secret as Basic auth credentials.', client_id) | ||
client_secret = kwargs.get('client_secret', '') | ||
client_secret = client_secret if client_secret is not None else '' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line is actually superfluous with the .get
call above, and can be removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strictly speaking I think it's not if your goal is to protect from passing None
to the basic auth function. The get
with a default is the default used if the key is missing. If someone calls fetch_token( ... client_secret=None, ... )
then after client_secret = kwargs.get('client_secret', '')
you'll find that client_secret
is None
:
>>> client_secret = {'client_secret': None}.get('client_secret', '')
>>> print client_secret
None
>>> client_secret = {}.get('client_secret', '')
>>> print client_secret
>>>
Unless I'm mistaken about None
not being possible or not needing to be protected against I think this is best. The other way I was considering was:
client_secret = {'client_secret': None}.get('client_secret', '') or ''
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mmm, yeah, so I was running under the assumption that client_secret
wouldn't be passed as None
, but now that you raise the possibility it occurs to me that I think some calls may default it that way. Let's leave this code in as defense-in-depth.
Oh god I hope no-one implements their server with reference to this codebase, there are so many hacks to get around non-standard behaviours that the client codebase doesn't make it at all clear what a server is supposed to do! One small note, and then I'll pull the trigger on this. =) |
Thanks @poswald! ✨ 🍰 ✨ |
Use client_id and client_secret as basic auth credentials if provided
This should fix issue #227
Open to review and suggestions if this will conflict with other grant flows.