Description
Currently, `TokenHandler` assumes that the token request's body contains the client credentials. However, some OAuth requests contain the client credentials in the `Authorization` header instead.

In this case, it throws `ValidationError` even though client credentials are provided in the request header.

Can we add a fallback such that, if `client_id` is not found in `formData`, we try to get it from the header? e.g.
```python
import base64
import urllib.parse


async def handle(self, request: Request):
    try:
        form_data = dict(await request.form())
        # Try to get client credentials from the header if missing in the body
        if "client_id" not in form_data:
            auth_header = request.headers.get("Authorization")
            if auth_header and auth_header.startswith("Basic "):
                encoded = auth_header.split(" ")[1]
                decoded = base64.b64decode(encoded).decode("utf-8")
                client_id, _, client_secret = decoded.partition(":")
                # RFC 6749 section 2.3.1: both values are form-urlencoded before base64
                client_id = urllib.parse.unquote(client_id)
                client_secret = urllib.parse.unquote(client_secret)
                form_data.setdefault("client_id", client_id)
                form_data.setdefault("client_secret", client_secret)
        token_request = TokenRequest.model_validate(form_data).root
    except ValidationError as validation_error:
        return self.response(
            TokenErrorResponse(
                error="invalid_request",
                error_description=stringify_pydantic_error(validation_error),
            )
        )
    ...
```
Thanks.
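The fallback proposed above, as a stand-alone added example (not the project's code nor the issue author's snippet): the client-side encoding and the server-side parse of an HTTP Basic client-credential header per RFC 6749 section 2.3.1, with the merge rule "body first, header only when `client_id` is absent". The function names and the plain-dict `form_data`/`headers` inputs are assumptions standing in for the framework's request object; malformed headers yield `None` rather than an exception so the caller can still return `invalid_request`.

```python
import base64
import binascii
from typing import Mapping, Optional
from urllib.parse import quote, unquote


def encode_basic_client_credentials(client_id: str, client_secret: str) -> str:
    """Client side: percent-encode each value, join with ':', then base64-encode,
    so a ':' inside the secret cannot be confused with the separator."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_basic_client_credentials(auth_header: Optional[str]) -> Optional[tuple[str, str]]:
    """Server side: return (client_id, client_secret), or None when the header is
    absent, uses a scheme other than Basic, or is not well-formed."""
    if not auth_header:
        return None
    scheme, _, encoded = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        # validate=True rejects non-alphabet characters instead of silently skipping them
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    # Both halves were form-urlencoded by the client, so decode both (not only the secret)
    return unquote(client_id), unquote(client_secret)


def resolve_client_credentials(form_data: Mapping[str, str],
                               headers: Mapping[str, str]) -> dict[str, str]:
    """Merge step from the proposal: body fields win; the Authorization header is
    consulted only when client_id is missing from the body. Header names are
    matched case-insensitively, as HTTP requires."""
    merged = dict(form_data)
    if "client_id" in merged:
        return merged
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic_client_credentials(auth)
    if creds is not None:
        merged["client_id"] = creds[0]
        merged.setdefault("client_secret", creds[1])
    return merged
```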