From d1455dd280d8695cdf18b8622f4bd61c7874ea71 Mon Sep 17 00:00:00 2001
From: Jaap Roes
Date: Thu, 3 Oct 2024 16:35:26 +0200
Subject: [PATCH] Add client_secret to sensitive_post_parameters

The client_secret is posted to the token endpoint when using the client_credentials grant.
---
 oauth2_provider/views/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index 1e0d12dea..c5c904b14 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -292,7 +292,7 @@ class TokenView(OAuthLibMixin, View):
 * Client credentials
 """
 
- @method_decorator(sensitive_post_parameters("password"))
+ @method_decorator(sensitive_post_parameters("password", "client_secret"))
 def post(self, request, *args, **kwargs):
 url, headers, body, status = self.create_token_response(request)
 if status == 200:
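Review bot: The decorator on `TokenView.post` still names parameters one by one, so the other credentials a token request carries in its body (`refresh_token`, the authorization `code`, and the PKCE `code_verifier`) would still be shown in Django error reports if this view raises. Calling it with no arguments, `@method_decorator(sensitive_post_parameters())`, makes Django treat every POST parameter as sensitive and avoids having to extend the list for each grant type. Separately, this only filters the POST body: a client that authenticates with HTTP Basic sends the secret in the `Authorization` header, and whether that header is masked depends on the exception reporter filter of the Django version in use, which is worth confirming. The body of `post` continues past the end of the hunk, so any logging it does of `body` or `request.POST` is not visible here.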