-
-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove client_id and client_secret from body (generated via prepare_r… #326
base: master
Are you sure you want to change the base?
Remove client_id and client_secret from body (generated via prepare_r… #326
Conversation
…equest_body) if HTTPBasicAuth used. Usage: token = oauth.fetch_token( token_url='token_url_here', code='code_here', client_id='client_id_here', client_secret='client_secret_here' )
Hi @DmitryPaschenko, the problem in this is that it takes out @jvanasco is working on a wider patch in oauthlib oauthlib/oauthlib#593 and requests-oauthlib (PR TBC). |
@JonathanHuot the concept in current implementation is not good to understand. Here are my thoughts: There are two types of requests:
For "using token to request other things", currently, Why not use the From the later RFCs, we can understand fetching access token in this way:
There are several methods for client authentication:
For fetching token, this is usually called You can get some inspiration from Authlib. Checkout
When fetching token, we just pass an auth = ClientAuth(client_id, client_secret, 'client_secret_basic') This auth = ClientAuth(client_id, client_secret, 'client_secret_post') This |
unless I am missing something,
the block you cited only creates a HTTP Basic Auth header if the auth parameter was not provided and the requires/is-intended-to-have the header. |
@jvanasco I mean, for |
I am sorry for wildly misinterpreting your original message. I didn't have enough coffee this morning - but I understand it now. you should probably create a new issue ticket with your above content. I think this PR ticket is a candidate to be closed, because it should have been made obsolete by PR #593 last year. |
Remove client_id and client_secret from body (generated via prepare_request_body) if HTTPBasicAuth used.
Usage:
token = oauth.fetch_token(
token_url='token_url_here',
code='code_here',
client_id='client_id_here',
client_secret='client_secret_here'
)