
`fetch_token` does not use the `client_id` and `client_secret` provided to `OAuth2Session`

Open gcbirzan-plutoflume opened this issue 1 year ago • 1 comments

Describe the bug

`fetch_token` with client_credentials requires the credentials to be passed as arguments; it doesn't use the ones from the class. This is inconvenient when getting the first token, but it also breaks refreshing.

To Reproduce

A minimal example to reproduce the behavior:

```python
from authlib.integrations.requests_client import OAuth2Session

client = OAuth2Session(CLIENT_ID, CLIENT_SECRET, token_endpoint=TOKEN_ENDPOINT)
token = client.fetch_token()
```

Expected behavior

The documentation says this is how you're supposed to use it. But the body sent to the token endpoint only has `grant_type=client_credentials`.

https://docs.authlib.org/en/latest/client/oauth2.html#oauth2session-for-client-credentials - almost verbatim from there.

Environment:

  • OS: Linux, but irrelevant
  • Python Version: 3.10 but irrelevant
  • Authlib Version: Tried 1.4.1 and 1.3.2

Additional context

I stepped through the code; unless I'm missing something, this couldn't have worked.

gcbirzan-plutoflume, Feb 04 '25 18:02

By default the client_id and client_secret are sent in the Authorization header. You can configure the client to put the client_id and client_secret in the request body by setting token_endpoint_auth_method="client_secret_post".

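```python
from authlib.integrations.requests_client import OAuth2Session

# Send the client credentials in the form body instead of the Authorization header
client = OAuth2Session(
    "client_id",
    "client_secret",
    token_endpoint="http://localhost:5555/token",
    token_endpoint_auth_method="client_secret_post",
)
token = client.fetch_token()
```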

Is that what you are trying to achieve?

dreverri, Feb 08 '25 03:02
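The two client authentication methods named in the reply above, as an added example that is not part of the issue thread and does not call Authlib: it builds a `client_credentials` token request with the standard library, following RFC 6749 section 2.3.1, and reports where the credentials sit, which is the check to run against a captured request before concluding they were not sent. The function names `build_token_request` and `locate_credentials` and the sample credentials are hypothetical.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode


def build_token_request(client_id, client_secret, auth_method="client_secret_basic"):
    """Return (headers, body) for a client_credentials token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if auth_method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode each part, join with ":", base64.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif auth_method == "client_secret_post":
        # Credentials travel as form fields next to grant_type.
        params.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return headers, urlencode(params)


def locate_credentials(headers, body):
    """List (location, client_id) for each place a request carries credentials."""
    found = []
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and value:
        user, sep, _secret = base64.b64decode(value).decode().partition(":")
        if sep:
            found.append(("header", unquote_plus(user)))
    form = parse_qs(body)
    if "client_id" in form and "client_secret" in form:
        found.append(("body", form["client_id"][0]))
    return found


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for method in ("client_secret_basic", "client_secret_post"):
        headers, body = build_token_request("demo-client", "demo-secret", method)
        # Print field names only, so the secret never lands in console output.
        print(method, sorted(parse_qs(body)), locate_credentials(headers, body))
```

With `client_secret_basic` the body holds only `grant_type`, so inspecting the body alone shows no credentials even though the request is authenticated.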