<p></p>
<h3 dir="auto">URL</h3>
<p dir="auto"><a href="https://master.apis.dev.openstreetmap.org/oauth2/token" rel="nofollow">https://master.apis.dev.openstreetmap.org/oauth2/token</a></p>
<h3 dir="auto">How to reproduce the issue?</h3>
<p dir="auto">It seems that adding the scope <code class="notranslate">openid</code> to the list of requested scopes returns a HTTP 500 error on the <code class="notranslate">https://master.apis.dev.openstreetmap.org/oauth2/token</code> endpoint. Yes, I gave permission to that scope and yes I used all correct client-id and -secret values. Removing <code class="notranslate">openid</code> from the list of wanted scopes solves the problem.</p>
<p dir="auto">The error does <em>not</em> appear on the productive <a href="http://www.openstreetmap.org" rel="nofollow">www.openstreetmap.org</a> server!</p>
<p dir="auto">This bug does not affect me (and would have a very low priority for me personally), I just saw it by accident.</p>
<h3 dir="auto">Reproduce</h3>
<p dir="auto">Requires python3 <code class="notranslate">authlib</code> dependency:</p>
<div class="highlight highlight-source-python" dir="auto"><pre class="notranslate"><span class="pl-k">from</span> <span class="pl-s1">authlib</span>.<span class="pl-s1">integrations</span>.<span class="pl-s1">requests_client</span> <span class="pl-k">import</span> <span class="pl-v">OAuth2Session</span>

<span class="pl-c"># dev server:</span>
<span class="pl-s1">client_id</span> <span class="pl-c1">=</span> <span class="pl-s">"..."</span>
<span class="pl-s1">client_secret</span> <span class="pl-c1">=</span> <span class="pl-s">"..."</span>
<span class="pl-s1">domain</span> <span class="pl-c1">=</span> <span class="pl-s">"master.apis.dev"</span>

<span class="pl-c"># prod server:</span>
<span class="pl-c">#client_id = "..."</span>
<span class="pl-c">#client_secret = "..."</span>
<span class="pl-c">#domain = "www"</span>

<span class="pl-s1">redirect_uri</span> <span class="pl-c1">=</span> <span class="pl-s">'http://127.0.0.1:8000/callback'</span>

<span class="pl-c"># Remove the "openid" entry here and it'll work</span>
<span class="pl-s1">scope</span> <span class="pl-c1">=</span> [<span class="pl-s">"read_prefs"</span>, <span class="pl-s">"openid"</span>]

<span class="pl-s1">oauth</span> <span class="pl-c1">=</span> <span class="pl-v">OAuth2Session</span>(<span class="pl-s1">client_id</span><span class="pl-c1">=</span><span class="pl-s1">client_id</span>, <span class="pl-s1">redirect_uri</span><span class="pl-c1">=</span><span class="pl-s1">redirect_uri</span>, <span class="pl-s1">scope</span><span class="pl-c1">=</span><span class="pl-s1">scope</span>)

<span class="pl-s1">authorization_url</span>, <span class="pl-s1">state</span> <span class="pl-c1">=</span> <span class="pl-s1">oauth</span>.<span class="pl-en">create_authorization_url</span>(<span class="pl-s">'https://'</span><span class="pl-c1">+</span><span class="pl-s1">domain</span><span class="pl-c1">+</span><span class="pl-s">'.openstreetmap.org/oauth2/authorize'</span>)
<span class="pl-en">print</span>(<span class="pl-s">"Please visit:<span class="pl-cce">\n</span>"</span> <span class="pl-c1">+</span> <span class="pl-s1">authorization_url</span>)
<span class="pl-en">print</span>(<span class="pl-s">""</span>)
<span class="pl-s1">authorization_response</span> <span class="pl-c1">=</span> <span class="pl-en">input</span>(<span class="pl-s">'Enter the redirect url from your browser and paste it here:<span class="pl-cce">\n</span>'</span>)
<span class="pl-s1">token</span> <span class="pl-c1">=</span> <span class="pl-s1">oauth</span>.<span class="pl-en">fetch_token</span>(
        <span class="pl-s">'https://'</span><span class="pl-c1">+</span><span class="pl-s1">domain</span><span class="pl-c1">+</span><span class="pl-s">'.openstreetmap.org/oauth2/token'</span>,
        <span class="pl-s1">authorization_response</span><span class="pl-c1">=</span><span class="pl-s1">authorization_response</span>,
        <span class="pl-s1">client_secret</span><span class="pl-c1">=</span><span class="pl-s1">client_secret</span>)
<span class="pl-en">print</span>(<span class="pl-s">""</span>)
<span class="pl-en">print</span>(<span class="pl-s">"Access token is:"</span>)
<span class="pl-en">print</span>(<span class="pl-s1">token</span>[<span class="pl-s">"access_token"</span>])</pre></div>
<ol dir="auto">
<li>Execute the script</li>
<li>Click on the presented link to open the OSM login form and grant access</li>
<li>The browser will redirect to <code class="notranslate">http://127.0.0.1:8000/callback?...</code>, copy the whole url from the browsers address bar, paste it into the terminal and press Enter</li>
<li>If everything works, the access token should appear. In the above script, the error message <code class="notranslate">requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: https://master.apis.dev.openstreetmap.org/oauth2/token</code> comes up.</li>
</ol>
<p dir="auto">This situation also appears using golang and the <code class="notranslate">golang/oauth2</code> library.</p>
<h3 dir="auto">Screenshot(s) or anything else?</h3>
<p dir="auto"><em>No response</em></p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/issues/4334">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AAK2OLNZG2RGSKCHTEU5AULYD74R7AVCNFSM6AAAAAA7HRPRY2VHI2DSMVQWIX3LMV43ASLTON2WKOZRHE4DSMJUGM2TMNQ">unsubscribe</a>.<br />You are receiving this because you are subscribed to this thread.<img src="https://github.com/notifications/beacon/AAK2OLP54HQB4WSC3ML2N43YD74R7A5CNFSM6AAAAAA7HRPRY2WGG33NNVSW45C7OR4XAZNFJFZXG5LFVJRW63LNMVXHIX3JMTHHND7MBY.gif" height="1" width="1" alt="" /><span style="color: transparent; font-size: 0; display: none; visibility: hidden; overflow: hidden; opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0; mso-hide: all">Message ID: <span><openstreetmap/openstreetmap-website/issues/4334</span><span>@</span><span>github</span><span>.</span><span>com></span></span></p>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/openstreetmap/openstreetmap-website/issues/4334",
"url": "https://github.com/openstreetmap/openstreetmap-website/issues/4334",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>