Added client_id parameter to AssertionClient #476

Open
vilmar-hillow wants to merge 3 commits into authlib:main from vilmar-hillow:fix/assertion_client_id

@vilmar-hillow

Per https://datatracker.ietf.org/doc/html/rfc7521#section-4.1,
client_id parameter, although optional, can still be passed
when using assertions as authorization grants. Adding a way to pass
that id to refresh token body.

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Code style update
  • Refactor
  • Other, please describe:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No

  • You consent that the copyright of your pull request source code belongs to Authlib's author.

@lepture
Member

lepture commented Aug 9, 2022

  1. I didn't see client_id is optional in the doc.
  2. You are always passing client_id=None

@vilmar-hillow vilmar-hillow force-pushed the fix/assertion_client_id branch from 3ea23ce to 22ef69a August 9, 2022 03:07
@vilmar-hillow
Author

> 1. I didn't see client_id is optional in the doc.
> 2. You are always passing client_id=None

1. From linked section: "Authentication of the client is optional, as described in Section 3.2.1 of OAuth 2.0 [RFC6749], and consequently, the "client_id" is only needed when a form of client authentication that relies on the parameter is used."

One of the providers I'm working with uses the authorization grant routine with client id.

2. Good catch, fixed

@vilmar-hillow vilmar-hillow force-pushed the fix/assertion_client_id branch from 22ef69a to 727ee0e August 9, 2022 03:15
@azmeuk azmeuk added the role:client Concerns a client implementation label Feb 20, 2025
@azmeuk
Member

azmeuk commented Mar 29, 2026

I would guess client_id is indeed optional:

RFC7521 section 4.1:

Authentication of the client is optional, as described in
Section 3.2.1 of OAuth 2.0 [RFC6749], and consequently, the
"client_id" is only needed when a form of client authentication that
relies on the parameter is used.

RFC6749 section 3.2.1

A client MAY use the "client_id" request parameter to identify itself
when sending requests to the token endpoint.

@azmeuk azmeuk requested a review from lepture March 29, 2026 08:25
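
The parameter rule quoted in this thread, as an added example that is not part of the pull request or Authlib's own code: a client-side builder that sends client_id only when one is supplied, and a token-endpoint parser that accepts the request either way. The function names and the sample assertion string are constructed for illustration; the grant type is the RFC 7523 JWT bearer URI.

```python
from urllib.parse import urlencode, parse_qs

# Grant type URI for JWT assertions used as authorization grants (RFC 7523).
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_assertion_body(assertion, scope=None, client_id=None):
    """Client side: form-encode an RFC 7521 section 4.1 token request.

    client_id is included only when the caller supplies one.
    """
    params = {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    if scope:
        params["scope"] = scope
    if client_id is not None:
        params["client_id"] = client_id
    return urlencode(params)


def parse_assertion_body(body):
    """Server side: validate the form body and return its parameters.

    Raises ValueError for repeated parameters, a wrong grant_type or a
    missing assertion. A request without client_id is accepted.
    """
    fields = parse_qs(body, keep_blank_values=True)
    repeated = sorted(k for k, v in fields.items() if len(v) > 1)
    if repeated:
        # RFC 6749 section 3.2: parameters MUST NOT be included more than once.
        raise ValueError("repeated parameter: " + ", ".join(repeated))
    params = {k: v[0] for k, v in fields.items()}
    if params.get("grant_type") != JWT_BEARER_GRANT:
        raise ValueError("unsupported grant_type")
    if not params.get("assertion"):
        raise ValueError("missing assertion")
    if params.get("client_id") == "":
        # RFC 6749 section 3.2: a parameter sent without a value is
        # treated as if it were omitted.
        del params["client_id"]
    return params


if __name__ == "__main__":
    sample = "header.payload.signature"  # constructed placeholder, not a real JWT
    print(build_assertion_body(sample))
    print(parse_assertion_body(build_assertion_body(sample, client_id="my-client")))
```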