
Error with 2.9.9 when calling list_group_rules #426

Open
andrew951 opened this issue Dec 11, 2024 · 9 comments

Comments

@andrew951

Hello, we noticed we started getting errors when upgrading from 2.9.8 to 2.9.9 where we're getting the following:
{'message': 'Okta HTTP 400 E0000021 Bad request. Accept and/or Content-Type headers likely do not match supported values.\n'}

It looks like now the body is being set as JSON even though the Content-Type is set to application/x-www-form-urlencoded. Any thoughts?

@mohit-samsara

Got the same issue when calling get_user. It's working fine in 2.9.8.

@AasimPatel

I seem to be having the same issue when using OAuth. It seems to work fine when using an API key method.

@JPLachance

Same issue on our side. We opened a support request with the Okta team.

@andrew951 (Author)

I've also created case 02279309, if you want to reference it in your support ticket.

@the-real-mathew-moon

Also, please add some useful tests for OAuth. This is a preventable bug and should not have passed tests.

@andrew951 (Author)

As an update, support is saying that the change was made to address a security concern.

@JPLachance

JPLachance commented Jan 8, 2025

👋🏼 Dear Okta Team,

We all noticed that a breaking change was introduced in a patch version (2.9.9) of your Python SDK, as seen in this PR. The change lacks an explanation of the underlying issue, no clear upgrade path for users, and minimal release notes (link to release notes).

If this was an attempt to address a security issue, it’s critical to communicate the nature of the problem, such as whether it’s associated with a CVE or other security vulnerability. Without context or guidance, many customers will likely pin their dependencies to v2.9.8, potentially undermining the effectiveness of your fix.

Could an Okta engineer please clarify:
• What security issue this change addresses?
• Whether there’s a CVE or any formal disclosure?
• How customers can properly upgrade to this version without breaking their workflows?

Transparency and clear communication are vital to maintaining trust with customers, especially when addressing security issues. I believe Okta can do better to support its developer community here.

@BowlesCR

#429 appears to fix this

@bhavik-thakkar-okta

Hello all,

Thank you for raising your concerns regarding the recent patch release (v2.9.9) of the Python SDK. We appreciate the detailed feedback and would like to address the issues and provide clarity around the changes introduced.

The primary change in v2.9.9 was to move the client_assertion JWT from the URL query parameters to the request body. This update was implemented to adhere to OAuth 2.0 best practices and improve security by ensuring sensitive information is not exposed in URLs. This change was made to mitigate potential risks associated with passing sensitive tokens in URLs, such as accidental logging or interception. It aligns with security best practices for OAuth 2.0 to ensure safer handling of sensitive data. Unfortunately, this resulted in a breaking change and for this, we sincerely apologize.

We understand that this change may have caused breaking changes and we apologize for that. We are currently working on the below things to help with the transition:

  1. Trying to find the root cause of the issue.
  2. If your workflows are currently broken, you can temporarily pin your dependency to v2.9.8 while we work on additional guidance or potential fixes, since 2.9.8 is a stable one.

Moving forward, we will ensure that all changes, especially those introducing breaking behavior, are accompanied by:

  1. Better testing
  2. Clear documentation of the issue being addressed.
  3. Early communication to the developer community.

We deeply value your trust and feedback and are committed to improving our processes to better serve our developer community. If you have specific questions or require assistance, please don’t hesitate to reach out or share your concerns directly on GitHub.

Thank you for your patience and understanding as we work to address this matter.
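The thread describes two request shapes: the 2.9.9 regression reported at the top (a JSON-encoded body sent under a Content-Type of application/x-www-form-urlencoded, which Okta rejects with E0000021) and the intended change explained above (the client_assertion JWT moved from the URL query string into the request body). The following is an added example, not code from the okta-sdk-python project, showing how a private_key_jwt token request is built the way OAuth 2.0 / RFC 7523 expects, plus a small checker a test suite could run over a prepared request to catch both mistakes before they reach the server. The token URL and the JWT string are constructed placeholders.

```python
"""Added example (not from the okta-sdk-python project).

build_token_request() produces the url/headers/body of a client_credentials
grant authenticated with private_key_jwt: the client_assertion is sent only
in a form-encoded POST body, never in the query string.

find_request_problems() is the kind of check the thread asks for in tests:
it flags a client_assertion leaking into the URL and a body whose encoding
does not match the Content-Type header (the 2.9.9 symptom).
"""
import json
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_URL = "https://example.okta.com/oauth2/v1/token"  # constructed placeholder
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
FORM = "application/x-www-form-urlencoded"
REQUIRED_FORM_FIELDS = {"grant_type", "client_assertion_type", "client_assertion"}


def build_token_request(token_url, client_assertion, scopes):
    """Return (url, headers, body_bytes) for a private_key_jwt token request."""
    form = {
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,  # body only, keeps it out of URL logs
    }
    headers = {"Accept": "application/json", "Content-Type": FORM}
    # urlencode() is what makes the body match the Content-Type above.
    return token_url, headers, urlencode(form).encode("ascii")


def find_request_problems(url, headers, body):
    """Return a list of human-readable problems; an empty list means the
    request is well-formed for an OAuth 2.0 token endpoint."""
    problems = []

    # 1. Sensitive material must not ride in the query string.
    query = parse_qs(urlsplit(url).query)
    if "client_assertion" in query:
        problems.append("client_assertion present in URL query string")

    # 2. The body encoding must agree with the Content-Type header.
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    text = body.decode("utf-8", errors="replace")
    if ctype == FORM:
        if text.lstrip().startswith(("{", "[")):
            problems.append("Content-Type says form-urlencoded but body looks like JSON")
        else:
            fields = parse_qs(text, keep_blank_values=True)
            missing = sorted(REQUIRED_FORM_FIELDS - set(fields))
            if missing:
                problems.append("form body missing fields: " + ", ".join(missing))
    elif ctype == "application/json":
        try:
            json.loads(text)
        except ValueError:
            problems.append("Content-Type says JSON but body is not valid JSON")
    else:
        problems.append(f"unexpected Content-Type {ctype!r}")
    return problems


if __name__ == "__main__":
    jwt = "eyJhbGciOiJSUzI1NiJ9.constructed.signature"  # constructed, not a real JWT
    url, headers, body = build_token_request(TOKEN_URL, jwt, ["okta.users.read"])
    print("good request:", find_request_problems(url, headers, body))
    # Shape reported in this issue: form Content-Type, JSON body.
    print("2.9.9 shape:", find_request_problems(url, headers, json.dumps({"grant_type": "x"}).encode()))
    # Shape the change was meant to retire: assertion in the query string.
    print("query shape:", find_request_problems(url + "?client_assertion=" + jwt, headers, body))
```

Running the checker against the three shapes shows the difference between them as a list of findings rather than as an E0000021 from the server; the same function drops naturally into a unit test so that an encoder/header mismatch fails CI instead of a release.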


7 participants