'Authorization' header not set by default, specifying header param in fetch_token doesn't guarantee header inclusion
JamesKunstle opened this issue · 1 comments
Describe the bug
This is w.r.t an OAuth2Session object in a Flask application communicating with a custom authorization server. Authorization with custom requests works fine with the same inputs.
The auth server we're communicating with implements the 'Authorization'-in-header requirement. That means that one of the headers for the access-token retrieval step must be {'Authorization': 'Client '}.
However, when we call this:
    token = client.fetch_token(
        url=<endpoint>,
        authorization_response=request.url,
        headers={"Authorization": 'Client <client secret>'},
        grant_type="code")
The server replies that the application isn't an authorized client; the error is SPECIFIC to the header not being set correctly.
All packages are latest as of 8/8/23.
The desired behavior is for the header that is set in fetch_token to be propagated to the request, but it seems to be dropped.
@JamesKunstle you can pass an auth parameter in this case to resolve the issue for now.
    def custom_auth(req):
        # Called with the outgoing request; set the header the server expects.
        req.headers["Authorization"] = "Client ..."
        return req

    token = client.fetch_token(..., auth=custom_auth)
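Added example, not part of the issue thread or the library's own code: at the `requests` level an auth callable runs after the request headers are set, so whatever it writes to `Authorization` is final, which is why the `auth=` workaround above is reliable where `headers=` is not. The endpoint, secret, class and function names are constructed for illustration, and `HTTPBasicAuth` is only a stand-in for any auth hook attached to a request, not a statement about what the OAuth2 session attaches.

```python
import requests
from requests.auth import AuthBase, HTTPBasicAuth

TOKEN_URL = "https://auth.example.test/token"  # constructed placeholder endpoint


class ClientSchemeAuth(AuthBase):
    """Sets 'Authorization: Client <secret>' on the request it is attached to."""

    def __init__(self, client_secret):
        # Reject empty values and CR/LF so the secret cannot split the header.
        if not client_secret or any(c in client_secret for c in "\r\n"):
            raise ValueError("client secret is empty or contains CR/LF")
        self._secret = client_secret

    def __call__(self, req):
        req.headers["Authorization"] = f"Client {self._secret}"
        return req

    def __repr__(self):
        # Keep the secret out of logs and tracebacks.
        return "ClientSchemeAuth(<redacted>)"


def prepared_authorization(headers=None, auth=None):
    """Build (never send) a token request; return its final Authorization header."""
    req = requests.Request(
        "POST",
        TOKEN_URL,
        data={"grant_type": "code", "code": "constructed-code"},
        headers=headers,
        auth=auth,
    )
    return req.prepare().headers.get("Authorization")


if __name__ == "__main__":
    wanted = {"Authorization": "Client constructed-secret"}
    # 1. Header only: survives when no auth hook is attached.
    print(prepared_authorization(headers=wanted))
    # 2. Header plus some other auth hook: the hook's value replaces it.
    print(prepared_authorization(headers=wanted, auth=HTTPBasicAuth("id", "pw")))
    # 3. Custom auth hook: the expected scheme is what goes on the wire.
    print(prepared_authorization(auth=ClientSchemeAuth("constructed-secret")))
```

Checking the prepared request like this, before anything is sent, is a quick way to confirm which `Authorization` value a client will actually transmit.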