access_token field added to request url when oauth2_access_token already present

[jtroussard]

When trying to make a request for a LinkedIn resource I was recieving an unpermitted field error.

b'{"serviceErrorCode":100,"message":"Unpermitted fields present in PARAMETER: Data Processing Exception while processing fields [/access_token]","status":403}

Manual review of the URL revealed 2 access token related fields:

1. oauth2_access_token
2. access_token

Looking at the OAuth2-Requests source code in requests-oauthlib/requests_oauthlib/oauth2_session.py, the access_token field is added to the url right before making the final request via the add_token() method.

I imagine there is a mechanism in place to prevent the behavior but I could not find it? My solution was to copy a modified version of the oauth2_session.py module into my project with this dirty fix inside the request() method.

old_version_url = url
url, headers, data = self._client.add_token(url, 
        http_method=method, body=data, headers=headers)
if "&access_token=" in url:
    url = old_version_url

Is there an official way to modify this behavior? Is this a bug? Please advise.

Thanks

[tuseau]

It would be nice to have this fixed as it has completely broken the Linkedin integration.

[jtroussard]

@tuseau You would think right? Turns out there's a Requests 3 that has been funded and is under development. The main Requests websites mentions that this library is only in maintenance mode and that all attention is being given to Requests 3... Anyhoooo If you're so inclined you can "fix" you LinkedIn integration by importing this modified copy of the oauth2_session.py code into your module.

[JonathanHuot]

@tuseau, @jtroussard, I think a PR can help the project !. However, as mentionned in #385, the overall delay could be a bit long. But that's better than not having it integrated at all.

Also about Requests 3 library, that would be great to improve requests-oauthlib to support it but that probably not an urgent needs for most users, because most of them are not using the Requests API anyway.

[jtroussard]

I've been mulling over the idea of making a PR for some time now. The reason I haven't made the PR is because this 'fix' is more of a work around. However I think this small amount of activity has encouraged me to go ahead and give it the old college try.

@JonathanHuot peut etre tu pouvez m'aider a construre une mielluer solution? Voci le Pull Request 388

[jtroussard]

This has been solved with PR #397