fix: resolve OAuth duplicate parameter error and header mutation issues

BinoyOza-okta · BinoyOza-okta · commit fd6c6340ccc0 · 2026-03-05T16:37:47.000+05:30
Fixed OAuth 2.0 authentication failure caused by duplicate client_assertion parameters being sent in both URL query string and request body. Also fixed critical shared state mutation bug in HTTP client. OAuth Fix: - Send all OAuth parameters in request body only (per RFC 6749) - Remove parameters from URL query string in token endpoint - Update oauth.mustache template to prevent regression on code regeneration - Remove unused imports (urlencode, quote) from oauth.py HTTP Client Security Fix: - Fix shared header mutation by using local copies instead of mutating self._default_headers (addresses critical security issue where headers were permanently modified across requests) - Fix form data encoding for application/x-www-form-urlencoded - Ensure header isolation between requests Version Alignment: - Update PYTHON_REQUIRES from ">=3.9" to ">=3.10" to align with CI matrix - Update both setup.py and setup.mustache template Comprehensive Unit Tests: - Added 9 comprehensive unit tests (all passing) - Test OAuth parameter placement (body vs URL) - Test header isolation and no mutation - Test form data encoding and file uploads - Test branching logic for file vs non-file forms - Validates all security fixes work correctly This resolves "400 Bad Request - Duplicate parameter provided" errors when using authorizationMode: "PrivateKey" with client credentials flow and prevents header pollution between requests. Addresses all critical review comments from PR #507 code review. Files changed: - okta/oauth.py - okta/http_client.py - openapi/templates/okta/oauth.mustache - setup.py - openapi/templates/setup.mustache Files added: - test_oauth_http_client.py (comprehensive test suite) - test_header_mutation.py (standalone header test) - UNIT_TESTS_SUMMARY.md (test documentation) Testing: - All 9 unit tests pass - Verified OAuth authentication works correctly with private key JWT - Verified headers are not mutated between requests - All HTTP client operations maintain isolated header state - Form data and file uploads validated
diff --git a/okta/http_client.py b/okta/http_client.py
@@ -91,13 +91,13 @@ async def send_request(self, request):
         """
         try:
             logger.debug(f"Request: {request}")
-            # Set headers
-            self._default_headers.update(request["headers"])
+            # Create a local copy of headers to avoid mutating shared state
+            request_headers = {**self._default_headers, **request["headers"]}
             # Prepare request parameters
             params = {
                 "method": request["method"],
                 "url": request["url"],
-                "headers": self._default_headers,
+                "headers": request_headers,
             }
             if request["data"]:
                 params["data"] = json.dumps(request["data"])
@@ -113,19 +113,19 @@ async def send_request(self, request):
                         "file",
                         open(request["form"]["file"], "rb"),
                         filename=filename,
-                        content_type=self._default_headers["Content-Type"],
+                        content_type=request_headers["Content-Type"],
                     )
                     params["data"] = data
                 else:
                     # Regular form data (e.g., OAuth client_assertion)
-                    # When Content-Type is application/x-www-form-urlencoded,
-                    # aiohttp expects the data to be passed directly as a dict
-                    # and will handle the encoding if we don't set Content-Type manually.
-                    # However, if Content-Type is already set, we need to remove it
-                    # and let aiohttp set it automatically.
-                    if self._default_headers.get("Content-Type") == "application/x-www-form-urlencoded":
-                        # Remove the Content-Type header and let aiohttp handle it
-                        self._default_headers.pop("Content-Type", None)
+                    # For application/x-www-form-urlencoded, let aiohttp handle encoding
+                    # by not setting Content-Type header manually
+                    if request_headers.get("Content-Type") == "application/x-www-form-urlencoded":
+                        # Create headers without Content-Type for this request
+                        params["headers"] = {
+                            k: v for k, v in request_headers.items()
+                            if k != "Content-Type"
+                        }
                     params["data"] = request["form"]
             json_data = request.get("json")
             # empty json param may cause issue, so include it if needed only
diff --git a/openapi/templates/okta/oauth.mustache b/openapi/templates/okta/oauth.mustache
@@ -8,7 +8,6 @@
 
 {{>partial_header}}
 import time
-from urllib.parse import urlencode, quote
 from okta.jwt import JWT
 from okta.http_client import HTTPClient
 
@@ -69,14 +68,12 @@ class OAuth:
             'client_assertion': jwt
         }
 
-        encoded_parameters = urlencode(parameters, quote_via=quote)
         org_url = self._config["client"]["orgUrl"]
-        url = f"{org_url}{OAuth.OAUTH_ENDPOINT}?" + \
-            encoded_parameters
+        url = f"{org_url}{OAuth.OAUTH_ENDPOINT}"
 
         # Craft request
         oauth_req, err = await self._request_executor.create_request(
-            "POST", url, form={'client_assertion': jwt}, headers={
+            "POST", url, form=parameters, headers={
                 'Accept': "application/json",
                 'Content-Type': 'application/x-www-form-urlencoded'
             }, oauth=True)
diff --git a/openapi/templates/setup.mustache b/openapi/templates/setup.mustache
@@ -31,7 +31,7 @@ from setuptools import setup, find_packages  # noqa: H301
 # prerequisite: setuptools
 # http://pypi.python.org/pypi/setuptools
 NAME = "okta"
-PYTHON_REQUIRES = ">=3.9"
+PYTHON_REQUIRES = ">=3.10"
 REQUIRES = [
     "aenum >= 3.1.11",
     "aiohttp >= 3.12.14",
diff --git a/setup.py b/setup.py
@@ -31,7 +31,7 @@
 # prerequisite: setuptools
 # http://pypi.python.org/pypi/setuptools
 NAME = "okta"
-PYTHON_REQUIRES = ">=3.9"
+PYTHON_REQUIRES = ">=3.10"
 REQUIRES = [
     "aenum >= 3.1.11",
     "aiohttp >= 3.12.14",
diff --git a/test_header_mutation.py b/test_header_mutation.py
@@ -0,0 +1,82 @@
+"""
+Simple test to verify OAuth header mutation fix
+"""
+import asyncio
+from okta.http_client import HTTPClient
+
+
+async def test_header_mutation():
+    """Test that sending form data doesn't mutate shared headers"""
+
+    # Initialize HTTPClient with minimal config
+    http_config = {
+        "headers": {
+            "User-Agent": "test-client",
+            "Accept": "application/json"
+        }
+    }
+    http_client = HTTPClient(http_config)
+
+    # Get initial default headers
+    initial_headers = dict(http_client._default_headers)
+    print(f"Initial headers: {initial_headers}")
+
+    # Simulate an OAuth request with form data
+    oauth_request = {
+        "method": "POST",
+        "url": "https://test.okta.com/oauth2/v1/token",
+        "headers": {
+            "Accept": "application/json",
+            "Content-Type": "application/x-www-form-urlencoded"
+        },
+        "data": None,
+        "form": {
+            "grant_type": "client_credentials",
+            "client_assertion": "test_jwt_token"
+        }
+    }
+
+    # This should NOT mutate _default_headers
+    try:
+        # We'll get an error since we're not actually making a request,
+        # but we just want to check header mutation doesn't happen
+        # in the preparation phase
+        result = await http_client.send_request(oauth_request)
+    except Exception as e:
+        # Expected to fail, we're just testing header mutation
+        pass
+
+    # Check headers after the request
+    after_headers = dict(http_client._default_headers)
+    print(f"After headers: {after_headers}")
+
+    # Verify headers weren't mutated
+    if initial_headers == after_headers:
+        print("✅ SUCCESS: Headers were not mutated!")
+        print("   Shared state is preserved correctly.")
+        return True
+    else:
+        print("❌ FAILURE: Headers were mutated!")
+        print(f"   Initial: {initial_headers}")
+        print(f"   After:   {after_headers}")
+        added = set(after_headers.keys()) - set(initial_headers.keys())
+        removed = set(initial_headers.keys()) - set(after_headers.keys())
+        if added:
+            print(f"   Added keys: {added}")
+        if removed:
+            print(f"   Removed keys: {removed}")
+        return False
+
+
+if __name__ == '__main__':
+    print("Testing OAuth header mutation fix...")
+    print("=" * 60)
+    result = asyncio.run(test_header_mutation())
+    print("=" * 60)
+    if result:
+        print("All tests passed! ✅")
+    else:
+        print("Tests failed! ❌")
+        exit(1)
+
+
diff --git a/test_oauth_http_client.py b/test_oauth_http_client.py
