
authorize_access_token doesn't raise MissingCodeException when code parameter missing #777

@markhobson

Describe the bug

authorize_access_token assigns params["code"] to None when the request parameter code is missing. For example, the Flask integration:

def authorize_access_token(self, **kwargs):
    """Fetch access token in one step.
    :return: A token dict.
    """
    if request.method == "GET":
        error = request.args.get("error")
        if error:
            description = request.args.get("error_description")
            raise OAuthError(error=error, description=description)
        params = {
            "code": request.args.get("code"),
            "state": request.args.get("state"),
        }
    else:
        params = {
            "code": request.form.get("code"),
            "state": request.form.get("state"),
        }

This means that it then bypasses the check in prepare_token_request as the key is present:

if grant_type == "authorization_code" and "code" not in kwargs:
    raise MissingCodeException()

This appears to apply to the Django and Starlette integrations too.

Error Stacks

No error is raised.

To Reproduce

The authorize route example when the code query string parameter is missing:

token = oauth.twitter.authorize_access_token()

Expected behavior

MissingCodeException is raised.

Environment:

  • OS: Ubuntu 22.04.5
  • Python Version: 3.13.5
  • Authlib Version: 1.6.0

Additional context

N/A
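
Added illustration of the report above (not part of the original issue and not Authlib's code): a self-contained model of the two quoted snippets, showing that a `"code"` key holding `None` passes the membership check, next to two ways of closing the gap. `build_params`, `check_by_value`, `build_params_present_only`, the stand-in exception class and the sample callbacks are hypothetical names and constructed data.

```python
# Added illustration; not Authlib source. All names are stand-ins.

class MissingCodeException(Exception):
    """Stand-in for the exception named in the issue."""


def build_params(query):
    # Mirrors the integration code quoted in the issue: the "code" key is
    # always created, holding None when the parameter is absent.
    return {"code": query.get("code"), "state": query.get("state")}


def check_by_membership(grant_type, **kwargs):
    # The check quoted from prepare_token_request: tests key presence only.
    if grant_type == "authorization_code" and "code" not in kwargs:
        raise MissingCodeException()
    return kwargs


def check_by_value(grant_type, **kwargs):
    # Hypothetical stricter check: None and "" both count as missing.
    if grant_type == "authorization_code" and not kwargs.get("code"):
        raise MissingCodeException()
    return kwargs


def build_params_present_only(query):
    # Hypothetical alternative: copy only the parameters the request
    # actually carried, so the membership check behaves as intended.
    return {k: query[k] for k in ("code", "state") if k in query}


def raises_missing_code(check, params):
    # True when the given check rejects the params as lacking a code.
    try:
        check("authorization_code", **params)
    except MissingCodeException:
        return True
    return False


# Constructed callback parameters, as already-parsed query strings.
CALLBACK_WITHOUT_CODE = {"state": "xyz"}
CALLBACK_WITH_CODE = {"code": "abc123", "state": "xyz"}

if __name__ == "__main__":
    for label, query in (("no code", CALLBACK_WITHOUT_CODE), ("code", CALLBACK_WITH_CODE)):
        p = build_params(query)
        print(label, p, raises_missing_code(check_by_membership, p), raises_missing_code(check_by_value, p))
```
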
