I am trying out Authlib. I have a working pyoidc backend and a test app using android appauth (modified from google codelabs tutorial). I reconfigured the android test app for the Authlib install on my local machine. Now I get this error when trying to make an authorization request with multiple scopes (I cut the string part down to the relevant portion):
ValueError: Error trying to decode a non urlencoded string. Found invalid characters: {' '} in the string: '...&scope=openid offline_access&...'. Please ensure the request/response body is x-www-form-urlencoded.
I started to track the problem down from the stack trace and the request_uri from the android side. But the request uri had the offending portion as ...&scope=openid%20offline_access&....
I printed out the environ parameter from flask/app.py's __call__, and I see these relevant entries, again, reduced to just the scope:
{
...
'QUERY_STRING': '...&scope=openid%20offline_access&...',
...
'werkzeug.request': <BaseRequest 'http://10.0.2.2:5000/oauth/authorize?...&scope=openid offline_access&...' [GET]>
}
I'm so confused. Why is werkzeug.request appearing to pre-decode the string before populating this argument in environ, and then authlib's urls/url_decode is being called on werkzeug.request? Was the %20 insufficient, or incorrect, encoding? But if so how does that jive with the fact that this is default app_auth_android behavior that has worked against a different oidc backend and google's single sign on scheme?
Full stack trace:
Traceback (most recent call last):
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 2309, in __call__
return self.wsgi_app(environ, start_response)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 2295, in wsgi_app
response = self.handle_exception(e)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1741, in handle_exception
reraise(exc_type, exc_value, tb)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
raise value
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 2292, in wsgi_app
response = self.full_dispatch_request()
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1718, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
raise value
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
rv = self.dispatch_request()
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1799, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/Users/mliu/Documents/Development/authlib/example-oauth2-server/website/routes.py", line 69, in authorize
grant = authorization.validate_consent_request(end_user=user)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/flask/oauth2/authorization_server.py", line 206, in validate_consent_request
req = _create_oauth2_request(request)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/flask/oauth2/authorization_server.py", line 272, in _create_oauth2_request
q.headers
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/specs/rfc6749/wrappers.py", line 39, in __init__
self.query_params = url_decode(self.query)
File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/common/urls.py", line 64, in url_decode
raise ValueError(error % (set(query) - urlencoded, query))
ValueError: Error trying to decode a non urlencoded string. Found invalid characters: {' '} in the string: '...&scope=openid offline_access&...'. Please ensure the request/response body is x-www-form-urlencoded.
Yes, I confirmed that. For now, you can only make the requests with +:
scope=openid+offline_access
to prevent this issue. I've fixed it in Authlib: https://github.com/lepture/authlib/commit/d8ab09fb97169fc47070f48c2ede43348f1feff0
It should be fixed by werkzeug too: https://github.com/pallets/werkzeug/pull/1363