OAuth2 ClientCredential grant custom expiration not being read from Flask configuration.
Summary
When registering a client credential grant for the `authlib.flask.oauth2.AuthorizationServer` in a Flask application and attempting to set a custom expiration time by setting `OAUTH2_EXPIRES_CLIENT_CREDENTIAL` as specified in the docs:

the specified custom expiration time is not being read.
Investigation
At first I believed that there was simply an error in the docs, in that the configuration value key should be pluralized, e.g. `OAUTH2_EXPIRES_CLIENT_CREDENTIALS`. However, upon a deeper look, it seems as though the default credential grant expiration time set in the authlib code base was not being used at all; the value being returned was `3600` instead of `864000` as specified in the mapping:
After a bit more digging, it seems that the `create_expires_generator` is returning the default `BearerToken.DEFAULT_EXPIRES_IN` value because the calculated `conf_key = 'OAUTH2_EXPIRES_{}'.format(grant_type.upper())` only produces `client_credentials` instead of the expected `client_credential`:
Notes
A very subtle bug that took me a while to track down; I attempted to create a test case, but it's not very obvious as to where the test case should exist, since `tests/flask/test_oauth2/test_client_credentials_grant.py` is composed of functional tests as opposed to integration/unit tests.

If this is at all not clear, please let me know and I'll attempt to provide additional information.

And thank you for all your hard work! Authlib is fantastic, and has been a pleasure to use even in its not-completely-done state.
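The lookup described in the report, as an added example that is not part of the original issue and not authlib's own code. It is a simplified model of how a per-grant lifetime is resolved from `app.config` and a defaults table keyed by `grant_type`; the names `GRANT_TYPES_EXPIRES_BUGGY`, `GRANT_TYPES_EXPIRES_FIXED`, `create_expires_generator` (taking a plain dict in place of `app.config`) and `find_ignored_expires_keys` are assumptions made here. It shows why a table entry spelled `client_credential` can never match the `client_credentials` grant type a token request carries, why a config key spelled the way the docs gave it is equally never consulted, and how to check a deployment for `OAUTH2_EXPIRES_*` settings that are being silently ignored (a token living 3600 seconds when you configured 600 is a security setting that was not applied).

```python
# Added example: a simplified reconstruction of the expires_in lookup the
# issue describes, not authlib's source. All names below are assumptions.

DEFAULT_EXPIRES_IN = 3600  # the fallback the reporter observed

# Per-grant defaults as the report describes them. The buggy table keys the
# client credentials grant by the singular 'client_credential'; a token
# request for that grant carries grant_type='client_credentials', so the
# entry never matches and the lookup falls through to DEFAULT_EXPIRES_IN.
GRANT_TYPES_EXPIRES_BUGGY = {
    'authorization_code': 864000,
    'implicit': 3600,
    'password': 864000,
    'client_credential': 864000,   # typo: singular, never matched
}

# Same table with the key spelled as the grant type actually is.
GRANT_TYPES_EXPIRES_FIXED = {
    'authorization_code': 864000,
    'implicit': 3600,
    'password': 864000,
    'client_credentials': 864000,
}

# grant_type strings a token endpoint would actually receive (assumed list)
GRANT_TYPES = ['authorization_code', 'implicit', 'password', 'client_credentials']


def create_expires_generator(config, defaults):
    """Return expires_in(client, grant_type), resolving in order:
    config['OAUTH2_EXPIRES_<GRANT_TYPE>'], then defaults[grant_type],
    then DEFAULT_EXPIRES_IN.  `config` is a dict standing in for app.config."""
    def expires_in(client, grant_type):
        # The config key is derived from the grant_type string itself, so
        # any key spelled differently (e.g. the singular form) is ignored.
        conf_key = 'OAUTH2_EXPIRES_{}'.format(grant_type.upper())
        if conf_key in config:
            return config[conf_key]
        return defaults.get(grant_type, DEFAULT_EXPIRES_IN)
    return expires_in


def find_ignored_expires_keys(config, expires_in, grant_types):
    """Deployment check: return the OAUTH2_EXPIRES_* keys in `config` that
    the generator does not honour, either because no grant type derives that
    key or because the resolved lifetime differs from the configured one."""
    key_to_grant = {'OAUTH2_EXPIRES_{}'.format(g.upper()): g for g in grant_types}
    ignored = []
    for key, seconds in config.items():
        if not key.startswith('OAUTH2_EXPIRES_'):
            continue
        grant = key_to_grant.get(key)
        if grant is None or expires_in(None, grant) != seconds:
            ignored.append(key)
    return sorted(ignored)


def demonstrate():
    """Run the scenarios from the report and return the observed lifetimes."""
    # Constructed config using the key spelling the docs gave (singular).
    docs_config = {'OAUTH2_EXPIRES_CLIENT_CREDENTIAL': 600}
    # Constructed config using the key the generator actually derives.
    plural_config = {'OAUTH2_EXPIRES_CLIENT_CREDENTIALS': 600}

    buggy_docs = create_expires_generator(docs_config, GRANT_TYPES_EXPIRES_BUGGY)
    buggy_plain = create_expires_generator({}, GRANT_TYPES_EXPIRES_BUGGY)
    buggy_plural = create_expires_generator(plural_config, GRANT_TYPES_EXPIRES_BUGGY)
    fixed_plain = create_expires_generator({}, GRANT_TYPES_EXPIRES_FIXED)

    return {
        # docs spelling: config ignored AND table key mismatched -> 3600
        'buggy_table_docs_key': buggy_docs(None, 'client_credentials'),
        # nothing configured, table key mismatched -> 3600, not 864000
        'buggy_table_no_config': buggy_plain(None, 'client_credentials'),
        # plural key works even with the buggy table, as the reporter found
        'buggy_table_plural_key': buggy_plural(None, 'client_credentials'),
        # fixed table: the intended 864000 default is reached
        'fixed_table_no_config': fixed_plain(None, 'client_credentials'),
        # the silently ignored setting is flagged by the check
        'ignored_keys': find_ignored_expires_keys(docs_config, buggy_docs, GRANT_TYPES),
    }


if __name__ == '__main__':
    for name, value in demonstrate().items():
        print('{}: {}'.format(name, value))
```

`find_ignored_expires_keys` is the piece worth keeping around: run it once at application start-up against the real `app.config` and the real generator, and fail loudly if it returns anything, so a renamed or mis-documented key cannot quietly lengthen token lifetimes.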
Issue Analytics
- State:
- Created 5 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
Fixed.
Thanks for your report. I believe it is a typo, the grant_type should be `client_credentials`, not `client_credential`. I will fix it asap.