Support client authentication for authorization-code grant type #86
Conversation
|
Thanks for this patch. I am not sure whether this is the right way. I'll look into the documentation in another day. But firstly, could you send me a test case for this issue? |
|
Sorry for the missing tests! I have added them now =) |
|
Any progress? =) |
|
@stianpr I am sorry. I am busy these days for my project. Do you need it badly right now? |
|
@lepture Well we need it within the week, so in a couple of days would be great! |
|
@stianpr Your test cases are useless. You test cases will pass even without the changes. |
|
Sorry for creating some stupid test... The test are now correct, but in order to have it working I had to add some code in Hmm the last commit should probably have been split into two commits for the code in I will clean up things after we agree on how it should be working. And please let me know if anything is unclear! Thank you! |
|
Okay. I removed the comment from the previous code and actually implemented the code that needed to be there in order for the whole thing to work. Hopefully it's even more clear now! |
| """ | ||
| auth_required = ('password', 'authorization_code', 'refresh_token') | ||
| return 'Authorization' in request.headers and\ | ||
| request.grant_type in auth_required |
There was a problem hiding this comment.
I think password grant type will always need to be verified with Authorization header.
There was a problem hiding this comment.
Ah so you want it to be stricter?
There was a problem hiding this comment.
I think it should be:
if request.grant_type == 'password':
return True
return 'Authorization' in ....
When using a confidential client it should be possible to obtain a token through authorization code grant type with a valid code. This makes `OAuth2RequestValidator.validate_code()` and `OAuth2RequestValidator.confirm_redirect_uri)` support retrieving client from either request.client or request.client_id.
|
Merged at 2d711e9 |
When using a confidential client it should be possible to obtain a token through authorization code grant type with a valid code.
In some cases you want to authenticate the client when using authorization code grant type. Though as it is implemented now you to have the client_id in the body. Which is not really required when a token was obtained with client_credentials... I'm not 100% sure on how this should be, but at least authorization_code is working with non-confidential clients also with this implementation.
https://github.com/idan/oauthlib/blob/master/oauthlib/oauth2/rfc6749/request_validator.py#L22