authenticate_none fails if an empty client_secret parameter exists #438

jaap3 · 2022-03-16T14:08:46Z

Describe the bug

authenticate_none fails if an empty client_secret request parameter exists

Error Stack

authlib.oauth2.rfc6749.authenticate_client - DEBUG - Authenticate examplevia "none" failed
Bad Request: /token/
Error: invalid_client

To Reproduce

Register an AuthorizationCodeGrant with TOKEN_ENDPOINT_AUTH_METHODS = ['none']

POST /token/
grant_type: "authorization_code"
code: "super-secret-generated-code"
redirect_uri: "https://example.com/"
client_id: "example"
client_secret: ""

Expected behavior

I expect authenticate_none to ignore an empty client_secret parameter

According to the specification

Parameters sent without a value MUST be treated as if they were omitted from the request.

This would be fixed by using:

if client_id and not request.data.get('client_secret'):

instead of if client_id and 'client_secret' not in request.data:

Environment:

OS: Linux
Python Version: 3.8
Authlib Version: 1.0.0

The text was updated successfully, but these errors were encountered:

lepture · 2022-03-18T14:43:11Z

Thanks, fixed.

jaap3 added the bug label Mar 16, 2022

jaap3 assigned lepture Mar 16, 2022

lepture added a commit that referenced this issue Mar 18, 2022

Fix authenticate_none method, via #438

01e95ad

lepture closed this as completed Mar 18, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

authenticate_none fails if an empty client_secret parameter exists #438

authenticate_none fails if an empty client_secret parameter exists #438

jaap3 commented Mar 16, 2022

lepture commented Mar 18, 2022

authenticate_none fails if an empty client_secret parameter exists #438

authenticate_none fails if an empty client_secret parameter exists #438

Comments

jaap3 commented Mar 16, 2022

lepture commented Mar 18, 2022