Skip to content

OAuth2Client: use correct auth method for token introspection #662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
azmeuk merged 1 commit into from
Feb 21, 2025
Merged

OAuth2Client: use correct auth method for token introspection #662

azmeuk merged 1 commit into from
Feb 21, 2025

Conversation

@AdamWill
Copy link
Contributor

@AdamWill AdamWill commented Jul 19, 2024

When token introspection was introduced in 6f5d19a, using the code that previously only handled token revocation, the new _handle_token_hint method that does the work for both introspect_token and revoke_token kept using
self.revocation_endpoint_auth_method unconditionally if no auth was passed in with the introspect or revoke request. This seems to be wrong, introspecting a token should use the token_endpoint_auth_method.

This leaves the fallback to revocation_endpoint_auth_method in _handle_token_hint because adjusting its signature to make auth compulsory would be awkward, but it's not expected ever to be used.

What kind of change does this PR introduce? (check at least one)

  • Bugfix

Does this PR introduce a breaking change? (check one)

  • No
  • You consent that the copyright of your pull request source code belongs to Authlib's author.

@AdamWill
OAuth2Client: use correct auth method for token introspection
7cadb79 
When token introspection was introduced in 6f5d19a, using the
code that previously only handled token revocation, the new
`_handle_token_hint` method that does the work for both
`introspect_token` and `revoke_token` kept using
`self.revocation_endpoint_auth_method` unconditionally if no
`auth` was passed in with the introspect or revoke request.
This seems to be wrong, introspecting a token should use the
`token_endpoint_auth_method`.

This leaves the fallback to `revocation_endpoint_auth_method`
in `_handle_token_hint` because adjusting its signature to make
`auth` compulsory would be awkward, but it's not expected ever
to be used.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
@AdamWill
Copy link
Contributor Author

AdamWill commented Jul 19, 2024

As I work for Red Hat I cannot agree to "consent that the copyright of your pull request source code belongs to Authlib's author" without my employer's permission, but I think this change is too trivial to be copyrightable.

This was referenced Jul 19, 2024
Closed
Closed
@azmeuk azmeuk added the role:client Concerns a client implementation label Feb 20, 2025
@azmeuk
Copy link
Member

azmeuk commented Feb 21, 2025

I have discussed with @lepture, and he is OK about the copyright thing.

@azmeuk azmeuk merged commit b79d868 into authlib:main Feb 21, 2025
@hluk hluk mentioned this pull request Mar 1, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Aliblame Aliblame Aliblame approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

role:client Concerns a client implementation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AdamWill @azmeuk @Aliblame