Fix the invalid_client error when request token without the client_secret field (#1288)

glaucojunior22 · Glauco Junior · n2ygk · web-flow · commit 6ae81979c699 · 2024-05-07T10:44:43.000-04:00
* Fix the invalid_client error when request token without the client_secret field.

* add a CHANGELOG entry since this is a user-visible change.

---------

Co-authored-by: Glauco Junior &lt;gjunior@clb.santillana.com&gt;
Co-authored-by: Alan Crosswell &lt;alan@columbia.edu&gt;
diff --git a/AUTHORS b/AUTHORS
@@ -55,6 +55,7 @@ Federico Dolce
 Florian Demmer
 Frederico Vieira
 Gaël Utard
+Glauco Junior
 Hasan Ramezani
 Hiroki Kiyohara
 Hossein Shakiba
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1357 Move import of setting_changed signal from test to django core modules
 * #1268 fix prompt=none redirects to login screen
 * #1381 fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used
+* #1288 fixes #1276 which attempt to resolve #1092 for requests that don't have a client_secret per [RFC 6749 4.1.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1)
 
 ### Removed
 * #1350 Remove support for Python 3.7 and Django 2.2
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -183,7 +183,7 @@ def _authenticate_request_body(self, request):
         # TODO: check if oauthlib has already unquoted client_id and client_secret
         try:
             client_id = request.client_id
-            client_secret = getattr(request, "client_secret", "")
+            client_secret = getattr(request, "client_secret", "") or ""
         except AttributeError:
             return False
 
