I just realized that this library is AGPL-licensed - quite unexpected considering that its predecessors like flask-oauthlib and oauthlib are BSD-licensed, and e.g. flask-oauthlib strongly recommends people to authlib instead.

While I completely understand that you want to make money with this library when people use it in commercial/closed-source software, the fact that it's AGPL and thus very viral seems problematic:

For example, many open source projects nowadays use a more liberal license like MIT or BSD. And while IANAL, I'm pretty sure any such projects are currently excluded from using your library, since you cannot use GPL software in MIT/BSD-licensed application...

...which this is truly unfortunate, since AFAIK there is no other decent implementation of OAuth providers for Python out there - and many webapps do include OAuth provider functionality nowadays! And we all know what happens when people start implementing their own security code... usually it won't be as secure as it should be.

Describe the bug

It happens when using authlib to configure Keycloak for Apache Superset. Everything works perfectly up until redirecting back from Keycloak to Superset.

Error Stacks

Traceback (most recent call last):
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/abc/.local/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/abc/.local/lib/python3.8/site-packages/flask_appbuilder/security/views.py", line 681, in oauth_authorized
    resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/flask_client/remote_app.py", line 74, in authorize_access_token
    params = self.retrieve_access_token_params(flask_req, request_token)
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 145, in retrieve_access_token_params
    params = self._retrieve_oauth2_access_token_params(request, params)
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
    raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.

To Reproduce

A minimal example to reproduce the behavior: This is my code: In superset_config.py

AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'Public'
CSRF_ENABLED = True
ENABLE_PROXY_FIX = True
OAUTH_PROVIDERS = [
    {
        'name': 'keycloak',
        'token_key': 'access_token',
        'icon': 'fa-icon',
        'remote_app': {
            'client_id': CLIENT_ID,
            'client_secret': CLIENT_SECRET,
            'client_kwargs': {
                'scope': 'openid email profile'
            },
            'access_token_method': 'POST',
            'api_base_url': 'https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/openid-connect/',
            'access_token_url': 'https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/openid-connect/token',
            'authorize_url': 'https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/openid-connect/auth',
        },
    }
]
CUSTOM_SECURITY_MANAGER = OIDCSecurityManager

In extended_security.py

class OIDCSecurityManager(SupersetSecurityManager):
    def get_oauth_user_info(self, provider, response=None):
        if provider == 'keycloak':
            me = self.appbuilder.sm.oauth_remotes[provider].get("userinfo")
            return {
                "first_name": me.data.get("given_name", ""),
                "last_name": me.data.get("family_name", ""),
                "email": me.data.get("email", "")
            }

Expected behavior

Suerpset redirect user to keycloak authentication site as expected. Upon finishing authenticating and getting redirected back to superset, CSRF Warning! State not equal in request and response occur.

Environment: Docker:

• Python Version: 3.8
• Authlib Version: 0.15.4

Additional context

Tried on different browser (chrome, firefox, edge, etc.), clearing cookies, etc., but the error is still there. Would very appreciate some help.

Is your feature request related to a problem? Please describe.

We currently use authlib.integrations.flask_client to authenticate users against Auth0, where they can log in via different connection types (e.g., GitHub, Google, etc.). But users sometimes initiate multiple authentication flows in parallel, as by command- or control-clicking multiple links, each of which opens in a new tab. Even if the user logs in successfully to each of those tabs, each tab (except for the most recently opened one) ultimately errs with:

authlib.integrations.base_client.errors.MismatchingStateError: 
mismatching_state: CSRF Warning! State not equal in request and response

That seems to be the result of Authlib using a single session key (e.g., _name_authlib_state_) to implement CSRF protection, per https://github.com/lepture/authlib/blob/master/authlib/integrations/flask_client/integration.py#L15-L21.

Because each tab has a new value for state, previously opened tabs' state values are clobbered in Flask's session.

Describe the solution you'd like

Might it make sense to use unique session keys instead so that tabs don't share (and clobber each other's) state? Similarly for _name_authlib_redirect_uri_ and _name_authlib_nonce_? E.g., instead of, in pseudocode,

session["_name_authlib_state_"] = "ABC"
session["_name_authlib_redirect_uri_"] = "https://example.com/callback"
session["_name_authlib_nonce_"] = "XYZ"

perhaps an approach along these lines, whereby the key includes the unique state value?

session["_name_authlib_ABC_"] = {
    "redirect_uri": "https://example.com/callback",
    "nonce": "XYZ"
}

Describe alternatives you've considered

Instead of authlib.integrations.flask_client, should we perhaps use requests_client.OAuth2Session instead to achieve this behavior? Would we need to validate state, redirect_uri, and nonce ourselves, though, and also validate the ID token returned from Auth0?

Is a simpler approach already possible perhaps?

Additional context

If a user opens multiple tabs because they've command- or control-clicked multiple links (each of which requires authentication), it's indeed intentional that we want them to authenticate in each of those tabs (especially since their choice of connection type on Auth0's end might differ per tab). We wouldn't want one tab, upon encountering a MismatchingStateError, simply to check whether the user has logged in via another tab and allow the user to proceed.

Thank you!

This issue is similar to my other reported issue #115 but essentially in an authorization server where applications are both public and private it isn't possible to natively authenticate to the token server as a public and private client depending on type of authorization request.

The only way to achieve this currently is to extend the client auth methods with a custom authentication scheme:

def authenticate_rfc7636(query_client, request):
    data = request.form
    code_verifier = data.get('code_verifier')
    if code_verifier:
        return authenticate_none(query_client, request)

This works because rfc7636 always runs validate_code_verifier after after_validate_token_request, which validates the code verifier provided.

At least in my case, when creating an AuthorizationServer, it requires the Client model. This has the requirement that the models be imported. However, since the models themselves also import __init__.py through from .. import db, login_manager, it creates a cyclic include.

Due to this constraint, the next best option is to use flask-oauthlib library. It might make sense to address this issue, either in the documentation or in the code architecturally.

This commit adds a new Starlette client along with documentation and tests. The Starlette client is suitable for use with frameworks that build on top of Starlette such as FastAPI and Bocadillo.

This implements #148.

What kind of change does this PR introduce? (check at least one)

• [ ] Bugfix
• [x] Feature
• [ ] Code style update
• [ ] Refactor
• [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

• [ ] Yes
• [x] No

• [x] You consent that the copyright of your pull request source code belongs to Authlib's author.

What kind of change does this PR introduce? (check at least one)

• [ ] Bugfix
• [x] Feature
• [ ] Code style update
• [ ] Refactor
• [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

• [ ] Yes
• [x] No

• [x] You consent that the copyright of your pull request source code belongs to Authlib's author.

Referencing https://github.com/lepture/authlib/issues/391

I'd like to pass in addtional JWT headers into the client assertion, such as the kid so the recipient of the token can find the corresponding key at the registered JWKS endpoint.

Describe the solution you'd like

When setting up an PrivateKeyJWT() instance to register as client auth method, I'd like to pass in additional JWT headers such as the kid.

Describe the bug

oauth.twitter.authorize_access_token(request) is normally called in the callback function. The request object usually has a request_token parameter in its query parameters. However, Twitter's 3-legged OAuth process, described here: https://developer.twitter.com/en/docs/authentication/oauth-1-0a/obtaining-user-access-tokens

Does not return a request_token parameter. Instead it returns oauth_token and oauth_verifier. Both of these are expected to be passed back to the twitter's auth endpoint to get the user's tokens.

The problem comes in function fetch_access_token in authlib\integrations\base_client\async_app.py. That function contains the following code:

                if request_token is None:
                    raise MissingRequestTokenError()
                # merge request token with verifier
                token = {}
                token.update(request_token)
                token.update(params)
                client.token = token

Since twitter doesn't have a request_token, the MissingRequestTokenError() is raised and the authorize process fails. This is an error for twitter because twitter doesn't require a request_token. I commented out the lines 1, 2, and 5 from above, and then twitter oauth worked fine, returning the client's token as expected.

FWIW, I use loginpass but this defines the twitter metadata the same as is shown in the examples, so I don't think that's the source of the error.

Is there a way to specify that for twitter, this function should just skip the request_token parameter? More generally, is there a way to specify what query parameters are expected to be returned for each endpoint, so that in the future, other endpoints that return non-standard parameters can be accommodated?

Error Stacks

ERROR:    Exception in ASGI application
Traceback (most recent call last):
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\uvicorn\protocols\http\h11_impl.py", line 389, in run_asgi
    result = await app(self.scope, self.receive, self.send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\uvicorn\middleware\proxy_headers.py", line 45, in __call__
    return await self.app(scope, receive, send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\fastapi\applications.py", line 179, in __call__
    await super().__call__(scope, receive, send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\applications.py", line 111, in __call__
    await self.middleware_stack(scope, receive, send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\middleware\errors.py", line 181, in __call__
    raise exc from None
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\middleware\errors.py", line 159, in __call__
    await self.app(scope, receive, _send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\middleware\cors.py", line 78, in __call__
    await self.app(scope, receive, send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\middleware\sessions.py", line 75, in __call__
    await self.app(scope, receive, send_wrapper)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\exceptions.py", line 82, in __call__
    raise exc from None
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\exceptions.py", line 71, in __call__
    await self.app(scope, receive, sender)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\routing.py", line 566, in __call__
    await route.handle(scope, receive, send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\routing.py", line 227, in handle
    await self.app(scope, receive, send)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\starlette\routing.py", line 41, in app
    response = await func(request)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\fastapi\routing.py", line 182, in app
    raw_response = await run_endpoint_function(
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\fastapi\routing.py", line 133, in run_endpoint_function
    return await dependant.call(**values)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\app\api\api_v1\endpoints\link_accounts.py", line 156, in auth_twitter
    token = await oauth.twitter.authorize_access_token(request)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\authlib\integrations\starlette_client\integration.py", line 64, in authorize_access_token
    return await self.fetch_access_token(**params)
  File "C:\Users\mraju\PycharmProjects\api-server-useraccounts\venv\lib\site-packages\authlib\integrations\base_client\async_app.py", line 90, in fetch_access_token
    raise MissingRequestTokenError()
authlib.integrations.base_client.errors.MissingRequestTokenError: missing_request_token: 

To Reproduce

@router.get('/twitter/login')
async def login_twitter(request: Request) -> Any:
    redirect_uri = request.url_for('auth_twitter')
    return await oauth.twitter.authorize_redirect(request, redirect_uri)


@router.get('/twitter/callback')
async def auth_twitter(request: Request):
    token = await oauth.twitter.authorize_access_token(request)

Expected behavior

A clear and concise description of what you expected to happen.

Environment:

• OS: Windows
• Python Version: 3.9.0
• Authlib Version: 0.15.2

Additional context

Add any other context about the problem here.

Describe the bug

An input for authlib.jose.jwt.decode() causes an exception on python 3.8.3 while it works on python 3.6.8 .

I'm using:

from authlib.jose import jwt
jwt.decode(mytoken, key=mykey, claims_options=something)

The causing parameter is key. In my case, the (shortened) value is :

{
  "keys": [
    {
      "kid": "something2",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "something3",
      "e": "AQAB",
      "x5c": ["something4"],
      "x5t": "something5",
      "x5t#S256": "something6"
    }
  ]
}

However, if I set mykey to the key in the inner list:

{
      "kid": "something2",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "something3",
      "e": "AQAB",
      "x5c": ["something4"],
      "x5t": "something5",
      "x5t#S256": "something6"
    }

then authlib accepts the input for both, python 3.6.8 and 3.8.3.

Error Stacks

[...]
  File "/Users/njjn/.pyenv/versions/demo2/lib/python3.8/site-packages/authlib/jose/rfc7519/jwt.py", line 98, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
  File "/Users/njjn/.pyenv/versions/demo2/lib/python3.8/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
  File "/Users/njjn/.pyenv/versions/demo2/lib/python3.8/site-packages/authlib/jose/rfc7515/jws.py", line 258, in _prepare_algorithm_key
    key = algorithm.prepare_key(key)
  File "/Users/njjn/.pyenv/versions/demo2/lib/python3.8/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
    return RSAKey.import_key(raw_data)
  File "/Users/njjn/.pyenv/versions/demo2/lib/python3.8/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 116, in import_key
    return import_key(
  File "/Users/njjn/.pyenv/versions/demo2/lib/python3.8/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 277, in import_key
    cls.check_required_fields(raw)
  File "/Users/njjn/.pyenv/versions/demo2/lib/python3.8/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
    raise ValueError('Missing required field: "{}"'.format(k))
ValueError: Missing required field: "e"

To Reproduce

(untested): get a valid key and put it in the structure as depicted in my example above.

Expected behavior

The same input gets accepted without errors for both python versions.

Environment:

• OS: macos/linux
• Python Version: 3.8.3
• Authlib Version: v0.15

The README states

License

Authlib offers two licenses:

    BSD for open source projects
    Commercial license for closed source projects

however, the LICENSE is a BSD license, which is compliant with closed source (redistribution). As it stands, I read this as

If I develop a close source project, I must buy a commercial license; if it is an open source, I can use BSD.

If this is the case, then this project is not BSD licensed, as its actual license is

If usage in open source, you can use it under the terms of BSD; else, you must buy a commercial license

I propose that we clarify what exactly do we mean with Commercial license for closed source projects.

Hello, I can't made a successful auth against google oauth because an error (that seems related or identical to https://github.com/authlib/loginpass/issues/47).

Here is the relevant code:

config = Config(".env")  # pylint: disable=invalid-name
oauth = OAuth(config)

CONF_URL = 'https://accounts.google.com/.well-known/openid-configuration'
oauth.register(
    name='google',
    server_metadata_url=CONF_URL,
    client_kwargs={
        'scope': 'openid email profile'
    }
)

async def login(request):
    redirect_uri = request.url_for('auth')
    return await oauth.google.authorize_redirect(request, redirect_uri)

async def auth(request):
    logging.critical(request.headers)
    token = await oauth.google.authorize_access_token(request)
    user = await oauth.google.parse_id_token(request, token)
    request.session['user'] = dict(user)
    return RedirectResponse(url='/')

ROUTES = [
    Route('/login', endpoint=login),
    Route('/auth', endpoint=auth),
]

app = Starlette(debug=True, routes=ROUTES)  # pylint: disable=invalid-name

when /auth endpoint is hit after a successful authentication, I get this traceback (first line is mine):

[osso] CRITICAL: Headers({'host': 'osso.dev.scimmia.net', 'x-request-id': '299db1f2a6d8f187459083ed590d4adb', 'x-real-ip': '10.42.0.1', 'x-forwarded-for': '10.42.0.1', 'x-forwarded-host': 'osso.dev.scimmia.net', 'x-forwarded-port': '443', 'x-forwarded-proto': 'https', 'x-scheme': 'https', 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0', 'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'accept-language': 'en-US,en;q=0.5', 'accept-encoding': 'gzip, deflate, br', 'referer': 'https://accounts.google.com/', 'dnt': '1', 'upgrade-insecure-requests': '1'})
[osso] INFO:     10.42.0.1:0 - "GET /auth?state=VNyCSjjCXSojWBTqNjsm3XlxBSJEgg&code=4%2FwwEnVamW5jzr4hOz4agsa1kjrKBlCOrMJTdO0pbFM9nq9qDbJ7-riJQ4Sh9TeokDyvz47FnRtY4DQsMMNH3N_II&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=consent HTTP/1.1" 500 Internal Server Error
[osso] ERROR:    Exception in ASGI application
[osso] Traceback (most recent call last):
[osso]   File "/usr/local/lib/python3.7/site-packages/uvicorn/protocols/http/httptools_impl.py", line 385, in run_asgi
[osso]     result = await app(self.scope, self.receive, self.send)
[osso]   File "/usr/local/lib/python3.7/site-packages/uvicorn/middleware/proxy_headers.py", line 45, in __call__
[osso]     return await self.app(scope, receive, send)
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/applications.py", line 102, in __call__
[osso]     await self.middleware_stack(scope, receive, send)
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/middleware/errors.py", line 181, in __call__
[osso]     raise exc from None
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/middleware/errors.py", line 159, in __call__
[osso]     await self.app(scope, receive, _send)
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette_authlib/middleware.py", line 122, in __call__
[osso]     await self.app(scope, receive, send_wrapper)
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/exceptions.py", line 82, in __call__
[osso]     raise exc from None
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/exceptions.py", line 71, in __call__
[osso]     await self.app(scope, receive, sender)
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/routing.py", line 550, in __call__
[osso]     await route.handle(scope, receive, send)
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/routing.py", line 227, in handle
[osso]     await self.app(scope, receive, send)
[osso]   File "/usr/local/lib/python3.7/site-packages/starlette/routing.py", line 41, in app
[osso]     response = await func(request)
[osso]   File "./osso/app.py", line 79, in auth
[osso]     token = await oauth.google.authorize_access_token(request)
[osso]   File "/usr/local/lib/python3.7/site-packages/authlib/integrations/starlette_client/integration.py", line 58, in authorize_access_token
[osso]     return await self.fetch_access_token(**params)
[osso]   File "/usr/local/lib/python3.7/site-packages/authlib/integrations/base_client/async_app.py", line 105, in fetch_access_token
[osso]     token = await client.fetch_token(token_endpoint, **kwargs)
[osso]   File "/usr/local/lib/python3.7/site-packages/authlib/integrations/httpx_client/oauth2_client.py", line 120, in _fetch_token
[osso]     return self.parse_response_token(resp.json())
[osso]   File "/usr/local/lib/python3.7/site-packages/authlib/oauth2/client.py", line 348, in parse_response_token
[osso]     self.handle_error(error, description)
[osso]   File "/usr/local/lib/python3.7/site-packages/authlib/integrations/httpx_client/oauth2_client.py", line 76, in handle_error
[osso]     raise OAuthError(error_type, error_description)
[osso] authlib.common.errors.AuthlibBaseError: invalid_request: Missing parameter: redirect_uri

Expected behavior

A successful login via google oauth

Environment:

• OS: python:3.7-slim docker image (alpine)
• Authlib Version: 0.14.1

Thank you, ciao!

Describe the bug

When I try to use Azure OAuth to log into my Airflow application, instead of logging me in I am sent back to the login page with a CSRF state mismatch error.

Error Stacks

[2022-11-28 22:04:58,744] {views.py:659} ERROR - Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response.
airflow-web [2022-11-28 22:04:58,744] {views.py:659} ERROR - Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response.

To Reproduce

I am running Airflow 2.4.3 on Kubernetes pods using the airflow community helm chart 8.6.1(https://github.com/airflow-helm/charts) and python 3.8.15. To use Azure OAuth configuration with Airflow, I have created the webserver_config file to do so:

from flask_appbuilder.security.manager import AUTH_OAUTH
from airflow.www.security import AirflowSecurityManager
import logging
from typing import Dict, Any, List, Union
import os
import sys

#Add this as a module to pythons path
sys.path.append('/opt/airflow')

log = logging.getLogger(__name__)
log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "DEBUG"))

class AzureCustomSecurity(AirflowSecurityManager):
    # In this example, the oauth provider == 'azure'.
    # If you ever want to support other providers, see how it is done here:
    # https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L550
    def get_oauth_user_info(self, provider, resp):
        # Creates the user info payload from Azure.
        # The user previously allowed your app to act on their behalf,
        #   so now we can query the user and teams endpoints for their data.
        # Username and team membership are added to the payload and returned to FAB.
        if provider == "azure":
            log.debug("Azure response received : {0}".format(resp))
            id_token = resp["id_token"]
            log.debug(str(id_token))
            me = self._azure_jwt_token_parse(id_token)
            log.debug("Parse JWT token : {0}".format(me))
            return {
                "name": me.get("name", ""),
                "email": me["upn"],
                "first_name": me.get("given_name", ""),
                "last_name": me.get("family_name", ""),
                "id": me["oid"],
                "username": me["oid"],
                "role_keys": me.get("roles", []),
            }

# Adding this in because if not the redirect url will start with http and we want https
os.environ["AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX"] = "True"
WTF_CSRF_ENABLED = False
CSRF_ENABLED = False
AUTH_TYPE = AUTH_OAUTH
AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
# Make sure to replace this with the path to your security manager class
FAB_SECURITY_MANAGER_CLASS = "webserver_config.AzureCustomSecurity"
# a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
AUTH_ROLES_MAPPING = {
    "airflow_dev_admin": ["Admin"],
    "airflow_dev_op": ["Op"],
    "airflow_dev_user": ["User"],
    "airflow_dev_viewer": ["Viewer"]
    }
# force users to re-auth after 30min of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 1800
# If you wish, you can add multiple OAuth providers.
OAUTH_PROVIDERS = [
    {
        "name": "azure",
        "icon": "fa-windows",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "CLIENT_ID",
            "client_secret": 'AZURE_DEV_CLIENT_SECRET',
            "api_base_url": "https://login.microsoftonline.com/TENANT_ID",
            "request_token_url": None,
            'request_token_params': {
                'scope': 'openid email profile'
            },
            "access_token_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "access_token_params": {
                'scope': 'openid email profile'
            },
            "authorize_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
            "authorize_params": {
                'scope': 'openid email profile',
            },
            'jwks_uri':'https://login.microsoftonline.com/common/discovery/v2.0/keys',
        },
    },
]

Expected behavior

When you hit the login button it should log me in to the airflow instance.

Environment:

• OS: Debian GNU/Linux 11 (bullseye)
• Python Version: 3.8.15
• Authlib Version: 1.1.0

Additional context

This was working just fine, but when we upgraded from airflow 2.2.5 to 2.4.3 this issue arose. Here are some current versions of libraries I have installed:

Airflow==2.4.3 Authlib==1.1.0 Flask-AppBuilder==4.1.4 Flask-Babel==2.0.0 Flask-Caching==2.0.1 Flask-JWT-Extended==4.4.4 Flask-Login==0.6.2 Flask-SQLAlchemy==2.5.1 Flask-Session==0.4.0 Flask-WTF==1.0.1 Flask==2.2.2

I have posted this issue in airflow as well as FAB and still have not been able to find out how to solve

Describe the bug

When using the exactly same credentials and API call signatures, the requests client could access protected resources from OAuth protected API, while the signature of requests made by httpx client is rejected.

This only happens for POST requests which sends non-binary data (Content-Type will be x-www-form-urlencoded).

Error Stacks

Error are raised at server side and is service-specific (depends on how API services respond to invalid OAuth signatures) so there's no error stack.

To Reproduce

from authlib.integrations.requests_client import OAuth1Session
from authlib.integrations.httpx_client import OAuth1Client


CLIENT_ID = '<client_id>'
CLIENT_SECRET = '<client_secret>'
TOKEN = '<token>'
TOKEN_SECRET = '<token_secret>'
ENDPOINT = '<protected_resource_api_endpoint>'
REQUEST_BODY = {'foo': 'bar'}

requests_client = OAuth1Session(CLIENT_ID, CLIENT_SECRET, token=TOKEN, token_secret=TOKEN_SECRET)
httpx_client = OAuth1Client(CLIENT_ID, CLIENT_SECRET, token=TOKEN, token_secret=TOKEN_SECRET)


r = requests_client.post(ENDPOINT, data=REQUEST_BODY)
print('REQUEST ', r.json(), '\n')

r = httpx_client.post(ENDPOINT, data=REQUEST_BODY)
print('HTTPX ', r.json())

Reproducing the issue with the above script requires access to OAuth1.0 protected API resources. In the above example, the requests client could access the protected resource without a problem, while the httpx client is rejected by an incorrect signature error.

Expected behavior

Both requests client and httpx client should have access to the protected resource when authenticated with access token.

Environment:

• OS: Ubuntu 22.04
• Python Version: 3.10.6
• Authlib Version: 1.2.0
• httpx version: 0.23.1

Additional context

I've tried to fix the issue and the fix seems working on my end, though I've only tested httpx OAuth1 client. Not sure whether it will break another clients or not.

Describe the bug

When sending files in a POST request using httpx client, all binary data (the files) are lost.

Error Stacks

There is no error stack for this issue, since this is an issue only detectable from server-side or only when the server side returns meaningful error responses. To demonstrate the case, I've added the full steps and scripts to reproduce the issue in the next section.

To Reproduce

Scripts for issue reproduction:

1. Main script
2. Debug server. You can use any other tools that can act as the server to receive the request instead, this one is just attached for convenience.

Steps to reproduce:

1. Run the debug server
2. Run the main script. The main script includes two consecutive requests, one using the authlib requests client and one using the httpx client, so that we could compare the normal one with the corrupted one.

requests client

Received header Content-Length:  146
Received actual bytes:  146
127.0.0.1 - - [17/Dec/2022 08:39:09] "POST / HTTP/1.1" 200 -

httpx client

Received header Content-Length:  0
Received actual bytes:  0
127.0.0.1 - - [17/Dec/2022 08:39:09] "POST / HTTP/1.1" 200 -

It's obvious the binary data are lost when using httpx client.

Expected behavior

The request data should not be corrupted. httpx client should behaves like requests client when using the same inputs and configurations.

Environment:

• OS: Ubuntu 22.04
• Python Version: 3.10.6
• Authlib Version: 1.2.0
• httpx Version: 0.23.1

Additional context

I've tried to fix this issue and the fix seems working. Perhaps I could submit a pull request if this issue could be verified true.

Describe the bug

In commit 49c5556d8b2c7e4b8939e502fefd816bf766dfc3 headers parameter got re-introduced (previously known as header) and it is passed to client_secret_jwt_sign function call in ClientSecretJWT.sign method, but it is not passed to private_key_jwt_sign function call in PrivateKeyJWT.sign method, why is it so?

Also both client_secret_jwt_sign & private_key_jwt_sign eventually call sign_jwt_bearer_assertion which doesn't have headers parameter, but only header, so it looks to be skipped, is it expected?

Expected behavior

headers parameter is passed to private_key_jwt_sign function call in PrivateKeyJWT.sign method

class PrivateKeyJWT(ClientSecretJWT):
    ...
    def sign(self, auth, token_endpoint):
        return private_key_jwt_sign(
            auth.client_secret,
            client_id=auth.client_id,
            token_endpoint=token_endpoint,
            claims=self.claims,
            header=self.headers,
            alg=self.alg,
        )

Environment:

• OS: OS-independent
• Python Version: Python-independent
• Authlib Version: 1.2.0

What kind of change does this PR introduce? (check at least one)

This removes unused methods definition and documentation.

• [ ] Bugfix
• [ ] Feature
• [ ] Code style update
• [x] Refactor
• [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

• [ ] Yes
• [x] No

• [x] You consent that the copyright of your pull request source code belongs to Authlib's author.

The RFC7591 dynamic client registration indicates default values for response_types and grant_types:

• If omitted, the default is that the client will use only the "code" response type.
• If omitted, the default behavior is that the client will use only the "authorization_code" Grant Type.

This is a better attempt than #509

What kind of change does this PR introduce? (check at least one)

• [x] Bugfix
• [ ] Feature
• [ ] Code style update
• [ ] Refactor
• [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

• [ ] Yes
• [x] No

• [x] You consent that the copyright of your pull request source code belongs to Authlib's author.