For an OAuth1 client with the Flask integration, OAuth.providername.authorize_access_token() sends an OAuth header with an oauth_callback field to access_token_url.
The URI in the unnecessary oauth_callback field was stored in the Flask session by the previous authorize_redirect(redirect_uri) call.
Since there is no way to use oauth_callback after the access_token_url step, the server SHOULD return 400 Bad Request for an unsupported parameter according to RFC 5849, Section 3.2, Verifying Requests.
Error Stacks
I found that Hatena (a Japanese social bookmark service) follows this SHOULD statement and fails to complete authorization.
```text
  File "./oauth.py", line 143, in hatena_authorized
    token = oauth.hatena.authorize_access_token()
  File "/home/ubuntu/.pyenv/versions/3.9.1/envs/fav/lib/python3.9/site-packages/authlib/integrations/flask_client/remote_app.py", line 76, in authorize_access_token
    token = self.fetch_access_token(**params)
  File "/home/ubuntu/.pyenv/versions/3.9.1/envs/fav/lib/python3.9/site-packages/authlib/integrations/base_client/remote_app.py", line 102, in fetch_access_token
    token = client.fetch_access_token(token_endpoint, **kwargs)
  File "/home/ubuntu/.pyenv/versions/3.9.1/envs/fav/lib/python3.9/site-packages/authlib/oauth1/client.py", line 142, in fetch_access_token
    return self._fetch_token(url, **kwargs)
  File "/home/ubuntu/.pyenv/versions/3.9.1/envs/fav/lib/python3.9/site-packages/authlib/oauth1/client.py", line 159, in _fetch_token
    token = self.parse_response_token(resp.status_code, resp.text)
  File "/home/ubuntu/.pyenv/versions/3.9.1/envs/fav/lib/python3.9/site-packages/authlib/oauth1/client.py", line 170, in parse_response_token
    self.handle_error('fetch_token_denied', message)
  File "/home/ubuntu/.pyenv/versions/3.9.1/envs/fav/lib/python3.9/site-packages/authlib/integrations/requests_client/oauth1_session.py", line 58, in handle_error
    raise OAuthError(error_type, error_description)
authlib.integrations.base_client.errors.OAuthError: fetch_token_denied: Token request failed with code 400, response was 'oauth_problem=parameter_rejected&oauth_parameters_rejected=oauth_callback'.
```
To Reproduce
Just call authorize_access_token() from the Flask integration.
Expected behavior
The oauth_callback field (or any other unnecessary field) should not be sent to access_token_url.
A possible workaround is to delete _providername_authlib_redirect_uri_ from the session before every authorize_access_token() call.
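As an added illustration (not Authlib's code and not the reporter's), the following self-contained model shows the exchange end to end: a strict access-token endpoint that applies the RFC 5849 Section 3.2 rule and answers with the problem-reporting body quoted above, a client that reuses the redirect URI left in the session as oauth_callback, and the session-key workaround. The session key name follows the issue text; all credentials and values are constructed.

```python
from urllib.parse import quote, unquote, urlencode

# Parameters RFC 5849 defines for the access-token request (Section 2.3);
# oauth_callback is only defined for the temporary-credential request (Section 2.1).
ACCESS_TOKEN_PARAMS = {
    "oauth_consumer_key", "oauth_token", "oauth_signature_method",
    "oauth_signature", "oauth_timestamp", "oauth_nonce", "oauth_verifier",
    "oauth_version",
}

def build_oauth_header(params):
    """Encode protocol parameters as an 'Authorization: OAuth ...' value."""
    parts = [f'{quote(k, safe="")}="{quote(v, safe="")}"' for k, v in sorted(params.items())]
    return "OAuth " + ", ".join(parts)

def parse_oauth_header(header):
    """Inverse of build_oauth_header (minimal, demo only)."""
    params = {}
    for part in header[len("OAuth "):].split(", "):
        key, _, value = part.partition("=")
        params[unquote(key)] = unquote(value.strip('"'))
    return params

def strict_access_token_endpoint(header):
    """Server side, RFC 5849 Section 3.2: reject unsupported parameters.
    Returns (status, body) in the problem-reporting format the issue quotes."""
    params = parse_oauth_header(header)
    rejected = sorted(k for k in params if k not in ACCESS_TOKEN_PARAMS)
    if rejected:
        return 400, urlencode({"oauth_problem": "parameter_rejected",
                               "oauth_parameters_rejected": "&".join(rejected)})
    return 200, urlencode({"oauth_token": "at-demo", "oauth_token_secret": "s-demo"})

def access_token_params(session, name, verifier):
    """Client side, modelled on the behaviour the issue describes: the redirect
    URI left in the session by authorize_redirect() is sent as oauth_callback."""
    params = {"oauth_consumer_key": "ck-demo", "oauth_token": "rt-demo",
              "oauth_verifier": verifier, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1600000000", "oauth_nonce": "n1", "oauth_signature": "sig"}
    redirect_uri = session.get(f"_{name}_authlib_redirect_uri_")  # key name per the issue
    if redirect_uri:
        params["oauth_callback"] = redirect_uri
    return params

def fetch_access_token(session, name, verifier, workaround=False):
    """Run the exchange; workaround=True pops the stale session key first."""
    if workaround:
        session.pop(f"_{name}_authlib_redirect_uri_", None)
    header = build_oauth_header(access_token_params(session, name, verifier))
    return strict_access_token_endpoint(header)
```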