BasicAuth instead of post data for OAuth2 token

According to RFC6749 Section 2.3.1 all token servers are required to
support http basic auth. Instead supporting the credentials as post
data is specified as optional. Furthermore the RCF discourages using
the latter.

CHANGES/pulp-glue/+oauth2_token_basicauth.bugfix

@@ -0,0 +1 @@
+Use BasicAuth for token retrieval to comply with RFC6749.

pulp-glue/pulp_glue/common/authentication.py

@@ -17,8 +17,7 @@ def __init__(
         token_url: str,
         scopes: t.Optional[t.List[str]] = None,
     ):
-        self.client_id = client_id
-        self.client_secret = client_secret
+        self.token_auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
         self.token_url = token_url
         self.scopes = scopes
 
@@ -76,15 +75,13 @@ def handle401(
 
     def retrieve_token(self) -> None:
         data = {
-            "client_id": self.client_id,
-            "client_secret": self.client_secret,
             "grant_type": "client_credentials",
         }
 
         if self.scopes:
             data["scope"] = " ".join(self.scopes)
 
-        response: requests.Response = requests.post(self.token_url, data=data)
+        response: requests.Response = requests.post(self.token_url, data=data, auth=self.token_auth)
 
         response.raise_for_status()
 

pulp-glue/tests/test_authentication.py

@@ -16,7 +16,7 @@ def raise_for_status(self):
         def json(self):
             return {"expires_in": 1, "access_token": "aaa"}
 
-    def _requests_post_mocked(url: str, data: t.Dict[str, t.Any]):
+    def _requests_post_mocked(url: str, data: t.Dict[str, t.Any], **kwargs: t.Any):
         assert "scope" not in data
         return OAuth2MockResponse()