Authlib 在使用 android appauth 和使用多个范围值时报告 "Error trying to decode a non urlencoded string"

Authlib reports "Error trying to decode a non urlencoded string" when using android appauth and using multiple scope values

我正在试用 Authlib。我有一个工作的 pyoidc 后端和一个使用 android appauth 的测试应用程序(从 google codelabs 教程修改而来)。我为本地机器上的 Authlib 安装重新配置了 android 测试应用程序。现在我在尝试使用多个范围发出授权请求时收到此错误(我将字符串部分缩减为相关部分):

ValueError: Error trying to decode a non urlencoded string. Found invalid characters: {' '} in the string: '...&scope=openid offline_access&...'. Please ensure the request/response body is x-www-form-urlencoded.

我开始从堆栈跟踪和 request_uri 从 android 端跟踪问题。但是请求 uri 的违规部分为 ...&scope=openid%20offline_access&....

我打印了 flask/app.py__call__ 中的 environ 参数,我看到这些相关条目再次缩小到范围:

{
  ...
  'QUERY_STRING': '...&scope=openid%20offline_access&...', 
  ...
  'werkzeug.request': <BaseRequest 'http://10.0.2.2:5000/oauth/authorize?...&scope=openid offline_access&...' [GET]>
}

我很困惑。为什么 werkzeug.requestenviron 中填充此参数之前似乎对字符串进行了预解码,然后在 werkzeug.request 上调用了 authlib 的 urls/url_decode%20 编码不充分或不正确吗?但是,如果是这样的话,这与默认的 app_auth_android 行为对不同的 oidc 后端和 google 的单点登录方案有效的事实有什么关系呢?

完整堆栈跟踪:

Traceback (most recent call last):
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 2309, in __call__
    return self.wsgi_app(environ, start_response)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 2295, in wsgi_app
    response = self.handle_exception(e)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1741, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/Users/mliu/Documents/Development/authlib/example-oauth2-server/website/routes.py", line 69, in authorize
    grant = authorization.validate_consent_request(end_user=user)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/flask/oauth2/authorization_server.py", line 206, in validate_consent_request
    req = _create_oauth2_request(request)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/flask/oauth2/authorization_server.py", line 272, in _create_oauth2_request
    q.headers
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/specs/rfc6749/wrappers.py", line 39, in __init__
    self.query_params = url_decode(self.query)
  File "/Users/mliu/.local/share/virtualenvs/authlib-mtpFpWgH/lib/python3.7/site-packages/authlib/common/urls.py", line 64, in url_decode
    raise ValueError(error % (set(query) - urlencoded, query))
ValueError: Error trying to decode a non urlencoded string. Found invalid characters: {' '} in the string: '...&scope=openid offline_access&...'. Please ensure the request/response body is x-www-form-urlencoded.

是的,我确认了。目前,您只能使用 +:

发出请求
scope=openid+offline_access

以防止此问题。我已经在 Authlib 中修复了它:https://github.com/lepture/authlib/commit/d8ab09fb97169fc47070f48c2ede43348f1feff0

它也应该由 werkzeug 修复:https://github.com/pallets/werkzeug/pull/1363