authorJonathan Huot <jonathan.huot@thomsonreuters.com>2019-02-20 14:30:03 +0100
committerJonathan Huot <jonathan.huot@thomsonreuters.com>2019-02-20 14:30:03 +0100
commit8c9f0a3cee9fab35fdf7269441daab666b931f59 (patch)
tree3269712f570666f7ca00521b3f939fa66a167394 /oauthlib/oauth2/rfc6749/tokens.py
parent00c0c3613879396e6511e9fc48d6ba5a6d7d746f (diff)
downloadoauthlib-8c9f0a3cee9fab35fdf7269441daab666b931f59.tar.gz
Fix 652: removed "state" from /token response.
Fix OIDC /token flow where &state=None was always returned, and fix OAuth2.0 /token flow where &state=foobar was returned if &state=foobar was present in the token request. Remove "save_token" from the create_token() signature because it was not used internally. The option is deprecated rather than dropped outright, to give upstream libraries a chance to remove it if they ever used it.
Diffstat (limited to 'oauthlib/oauth2/rfc6749/tokens.py')
-rw-r--r--oauthlib/oauth2/rfc6749/tokens.py18
1 files changed, 8 insertions, 10 deletions
diff --git a/oauthlib/oauth2/rfc6749/tokens.py b/oauthlib/oauth2/rfc6749/tokens.py
index d78df09..44a9a97 100644
--- a/oauthlib/oauth2/rfc6749/tokens.py
+++ b/oauthlib/oauth2/rfc6749/tokens.py
@@ -12,6 +12,7 @@ from __future__ import absolute_import, unicode_literals
import hashlib
import hmac
from binascii import b2a_base64
+import warnings
from oauthlib import common
from oauthlib.common import add_params_to_qs, add_params_to_uri, unicode_type
@@ -296,15 +297,18 @@ class BearerToken(TokenBase):
)
self.expires_in = expires_in or 3600
- def create_token(self, request, refresh_token=False, save_token=True):
+ def create_token(self, request, refresh_token=False, **kwargs):
"""
Create a BearerToken, by default without refresh token.
-
+
:param request: OAuthlib request.
:type request: oauthlib.common.Request
:param refresh_token:
- :param save_token:
"""
+ if "save_token" in kwargs:
+ warnings.warn("`save_token` has been deprecated, it was not used internally."
+ "If you do, use `request_validator.save_token()` instead.",
+ DeprecationWarning)
if callable(self.expires_in):
expires_in = self.expires_in(request)
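Review bot: A caller that still passes `save_token=True` loses persistence here with almost no signal: the last hunk drops the `save_bearer_token` call, and `DeprecationWarning` is ignored by Python's default warning filters in most contexts, so such a caller may hand out tokens that were never stored and so cannot later be validated or revoked. The docstring in this hunk should say this outright, for example `The token is not persisted here; the caller must call request_validator.save_token().` The two message literals are also joined without a space, so the text reads "internally.If you do"; add a trailing space to the first literal and pass `stacklevel=2` so the warning points at the calling code. `**kwargs` now accepts and silently discards any keyword, including a misspelled `refresh_token`, so rejecting keys other than `save_token` would keep such mistakes visible. The body of create_token continues past the end of this hunk.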
@@ -325,9 +329,6 @@ class BearerToken(TokenBase):
if request.scopes is not None:
token['scope'] = ' '.join(request.scopes)
- if request.state is not None:
- token['state'] = request.state
-
if refresh_token:
if (request.refresh_token and
not self.request_validator.rotate_refresh_token(request)):
@@ -336,10 +337,7 @@ class BearerToken(TokenBase):
token['refresh_token'] = self.refresh_token_generator(request)
token.update(request.extra_credentials or {})
- token = OAuth2Token(token)
- if save_token:
- self.request_validator.save_bearer_token(token, request)
- return token
+ return OAuth2Token(token)
def validate_request(self, request):
"""