Python MGMT SDK: SDK making malformed request for OAuth access tokens in v 3.0.0 #507
Open
BinoyOza-okta wants to merge 3 commits into master from
Conversation
Fixed a critical issue where OAuth 2.0 token requests were failing due to duplicate client_assertion parameters being sent both in the URL query string and the request body, causing "400 Bad Request" errors.

Changes:
- Fixed duplicate parameter issue in oauth.py by sending all OAuth parameters in the request body only (per RFC 6749 spec)
- Removed parameters from URL query string in token endpoint requests
- Fixed form data encoding in http_client.py for application/x-www-form-urlencoded content type by allowing aiohttp to handle encoding automatically
- Removed unused imports (urlencode, quote) from oauth.py
- Cleaned up debug print statements

Technical Details:
- OAuth 2.0 token endpoint requests should send parameters in POST body, not URL query string (RFC 6749 Section 3.2)
- When Content-Type is application/x-www-form-urlencoded, aiohttp handles encoding automatically when the header is not manually set
- This fix ensures compatibility with Okta OAuth applications, including those with DPoP enabled (requires DPoP to be disabled in app settings)

Affected Files:
- okta/oauth.py: Removed URL query parameter encoding, send all params in body
- okta/http_client.py: Fixed form data handling for URL-encoded content

Fixes authentication failures when using authorizationMode: "PrivateKey" with client credentials grant type.
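The defect described above, reproduced beside the corrected request shape, as an added example that is not code from this PR or from the okta-sdk-python project. The token URL and the `client_assertion` value are constructed placeholders, and `build_token_request_buggy`, `build_token_request_fixed` and `audit_token_request` are hypothetical helper names; the check only uses the standard library, so it runs without aiohttp. The audit reports two distinct problems a reviewer would care about: the same parameter appearing in both the query string and the form body (the 400 the PR fixes), and credential material such as `client_assertion` appearing in a URL at all, since query strings end up in access logs and proxies.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values; the real SDK derives these from the client configuration.
TOKEN_URL = "https://example.okta.com/oauth2/v1/token"  # placeholder org URL
SAMPLE_PARAMS = {
    "grant_type": "client_credentials",
    "scope": "okta.users.read",
    "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    "client_assertion": "eyJ.constructed.placeholder",  # constructed, not a real JWT
}

# Parameters that carry credential material and must never appear in a URL.
SECRET_PARAMS = {"client_assertion", "client_secret"}
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"


def build_token_request_buggy(token_url, params):
    """Reproduces the reported defect: every parameter is sent twice,
    once in the query string and once in the form body."""
    url = f"{token_url}?{urlencode(params)}"
    headers = {"Content-Type": FORM_CONTENT_TYPE}
    body = urlencode(params)
    return url, headers, body


def build_token_request_fixed(token_url, params):
    """RFC 6749 section 3.2: token endpoint parameters go in the POST body only.
    (With aiohttp you would pass the dict as data= and let it encode the form.)"""
    headers = {"Content-Type": FORM_CONTENT_TYPE}
    body = urlencode(params)
    return token_url, headers, body


def duplicated_params(url, body):
    """Names that appear in both the URL query string and the form body."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    return sorted(set(query) & set(form))


def audit_token_request(url, headers, body):
    """Return a list of findings for a token request; an empty list means it is well-formed."""
    findings = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    dup = duplicated_params(url, body)
    if dup:
        findings.append("duplicated in query string and body: " + ", ".join(dup))
    leaked = sorted(SECRET_PARAMS & set(query))
    if leaked:
        findings.append("credential material in URL query string: " + ", ".join(leaked))
    if headers.get("Content-Type") != FORM_CONTENT_TYPE:
        findings.append("body is not " + FORM_CONTENT_TYPE)
    return findings


if __name__ == "__main__":
    for name, builder in (("buggy", build_token_request_buggy),
                          ("fixed", build_token_request_fixed)):
        url, headers, body = builder(TOKEN_URL, SAMPLE_PARAMS)
        print(name, url)
        for finding in audit_token_request(url, headers, body) or ["ok"]:
            print("  -", finding)
```

Running the module prints the two findings for the buggy request and "ok" for the fixed one; the same `audit_token_request` check can be dropped into an HTTP-client test suite so a regression that reintroduces query-string parameters fails before it reaches a live token endpoint.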
…#504 contains the permanent fix for this issue. Once it's merged will sync it.
fix: resolve OAuth 2.0 duplicate parameter error in token requests
Fixed a critical issue where OAuth 2.0 token requests were failing due to duplicate client_assertion parameters being sent both in the URL query string and the request body, causing "400 Bad Request" errors.
Changes:
Technical Details:
Affected Files:
Testing:
Fixes authentication failures when using authorizationMode: "PrivateKey"
with client credentials grant type.
Resolves: