lepture/authlib

'Authorization' header not set by default, specifying header param in fetch_token doesn't guarantee header inclusion

JamesKunstle opened this issue · 1 comment

Describe the bug

This is w.r.t. an OAuth2Session object in a Flask application communicating with a custom authorization server. Authorization with custom requests works fine with the same inputs.

The auth server we're communicating with implements the 'Authorization'-in-header requirement. That means that one of the headers for the access-token retrieval step must be {'Authorization': 'Client '}.

However, when we call this:

    token = client.fetch_token(
        url=<endpoint>,
        authorization_response=request.url,
        headers={"Authorization": 'Client <client secret>'},
        grant_type="code")

The server replies that the application isn't an authorized client; the error is SPECIFIC to the header not being set correctly.

All packages are latest as of 8/8/23.

The desired behavior is for the header that is set in fetch_token to be propagated to the request, but it seems to be dropped.

@JamesKunstle you can pass an auth parameter in this case to resolve the issue for now.

    def custom_auth(req):
        # Called on the prepared request just before it is sent, so this
        # header is not overwritten by the client's default auth handling.
        req.headers["Authorization"] = "Client ..."
        return req

    token = client.fetch_token(..., auth=custom_auth)
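To illustrate why the workaround above holds, here is an added example (not code from the issue thread or from Authlib) using only `requests`, which Authlib's OAuth2Session builds on: a request-level `auth` handler runs on the prepared request after `headers=` has been merged, so a Basic-auth handler (the kind a client library may apply by default, assumed here to be what overwrote the header) replaces `Authorization`, while a custom callable that sets the header last keeps the `Client` scheme. The token endpoint, client id, secret placeholder and the stub transport are all constructed for the example.

```python
import requests
from requests.adapters import BaseAdapter
from requests.auth import HTTPBasicAuth

TOKEN_URL = "https://auth.example/token"  # constructed endpoint, never contacted
CLIENT_HEADER = "Client <client-secret-placeholder>"  # placeholder, not a real secret


class CaptureAdapter(BaseAdapter):
    """Transport stub: records the outgoing PreparedRequest and returns a canned token response."""

    def __init__(self):
        super().__init__()
        self.sent = None

    def send(self, request, **kwargs):
        self.sent = request
        resp = requests.Response()
        resp.status_code = 200
        resp._content = b'{"access_token": "t", "token_type": "Bearer"}'
        resp.request = request
        return resp

    def close(self):
        pass


def custom_auth(req):
    # Runs on the PreparedRequest after headers= was merged, so it has the last word.
    req.headers["Authorization"] = CLIENT_HEADER
    return req


def post_token(auth):
    """POST to the stubbed token endpoint; return the Authorization header that actually left the client."""
    session = requests.Session()
    adapter = CaptureAdapter()
    session.mount("https://", adapter)
    session.post(
        TOKEN_URL,
        data={"grant_type": "authorization_code", "code": "constructed-code"},
        headers={"Authorization": CLIENT_HEADER},
        auth=auth,
    )
    return adapter.sent.headers.get("Authorization")


if __name__ == "__main__":
    print("no auth handler :", post_token(None))          # header passes through
    print("HTTPBasicAuth   :", post_token(HTTPBasicAuth("client-id", "secret")))  # replaced by Basic
    print("custom callable :", post_token(custom_auth))   # Client scheme preserved
```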