Hi,
I'm using the latest version of the requests-authlib package.
For our authorization server, we added support for the audience claim, according to RFC 8707. Basically, one client can request access to one or many resources by adding the resource parameter in the token request body. When requesting access to many resources, multiple 'resource' parameters need to be added to the token request, rather than a single 'resource' parameter with space-separated resource values (resource URIs) as is done with the scope claim.
For instance, for a token request using the client credentials grant (POST request):

    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxx
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials&resource=https://resourceserver1.example.com&resource=https://resourceserver2.example.com&scope=read+write

The problem is that with your current implementation, the resulting Request kwargs are wrong.
- Result when passing the multiple resource parameters through kwargs, as a list:

      Request kwargs: {'data': {'grant_type': 'client_credentials', 'scope': 'read write', 'resource': "['https://resourceserver1.example.com', 'https://resourceserver2.example.com']"}}

  As you can see, the list of resource parameters is encoded as a single string, which is wrong.
- Result when passing the multiple resource parameters through body:

      Request kwargs: {'data': {'resource': 'https://resourceserver2.example.com', 'grant_type': 'client_credentials', 'scope': 'read write'}}

  As you can see, only one resource parameter is kept, which is wrong too.

For the record, I tried with the following code:

By passing multiple resource parameters in body:

    # Imports these class names come from; client_id and client_secret are defined elsewhere
    from oauthlib.oauth2 import BackendApplicationClient
    from requests_oauthlib import OAuth2Session

    token = OAuth2Session(client=BackendApplicationClient(client_id=client_id)).fetch_token(
        token_url='https://my-oauthorization-server.tld/o/token',
        client_id=client_id,
        client_secret=client_secret,
        # Two 'resource' parameters in a pre-encoded body string
        body="resource=https://resourceserver1.example.com&resource=https://resourceserver2.example.com",
        scope=["read", "write"]
    )

By passing multiple resource parameters as kwargs:

    # Same imports as in the snippet above
    token = OAuth2Session(client=BackendApplicationClient(client_id=client_id)).fetch_token(
        token_url='https://my-oauthorization-server.tld/o/token',
        client_id=client_id,
        client_secret=client_secret,
        # Two resource URIs passed as a Python list
        resource=["https://resourceserver1.example.com", "https://resourceserver2.example.com"],
        scope=["read", "write"]
    )

Thank you.
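
An added example, not part of the original post and not the library's code: the Python standard library alone reproduces both results reported above and shows the repeated-parameter body RFC 8707 calls for. All function names are hypothetical, and the resource values are constructed from the post's example hosts.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample values, reusing the example hosts from the post.
RESOURCES = [
    "https://resourceserver1.example.com",
    "https://resourceserver2.example.com",
]


def stringified_list_body(resources):
    """First reported result: the list is coerced with str() before encoding."""
    return urlencode({"grant_type": "client_credentials", "resource": str(resources)})


def dict_collapsed_body(raw_body):
    """Second reported result: a dict keeps only the last duplicate key."""
    return urlencode(dict(parse_qsl(raw_body)))


def check_resource(uri):
    """RFC 8707 section 2: an absolute URI (has a scheme) with no fragment."""
    parts = urlsplit(uri)
    if not parts.scheme or parts.fragment:
        raise ValueError(f"not a valid resource indicator: {uri!r}")
    return uri


def token_request_body(resources, scope):
    """One 'resource' pair per target; scope stays a single space-separated value."""
    pairs = [("grant_type", "client_credentials")]
    pairs += [("resource", check_resource(r)) for r in resources]
    pairs.append(("scope", " ".join(scope)))
    return urlencode(pairs)  # a list of tuples preserves repeated keys


def resources_seen_by_server(body):
    """The 'resource' values a server reading repeated parameters would extract."""
    return [value for key, value in parse_qsl(body) if key == "resource"]


if __name__ == "__main__":
    good = token_request_body(RESOURCES, ["read", "write"])
    print(good)
    print(resources_seen_by_server(good))
    print(resources_seen_by_server(stringified_list_body(RESOURCES)))
    print(resources_seen_by_server(dict_collapsed_body(good)))
```

In both broken forms the server receives exactly one `resource` value, so the audience it sees is not the one the client asked for.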