requests-oauthlib
Google example doesn't work - Scope has changed
When I follow the Google example:
>>> google.fetch_token(token_url, client_secret=client_secret,authorization_response=redirect_response)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/requests_oauthlib/oauth2_session.py", line 307, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 421, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 431, in parse_token_response
    validate_token_parameters(params)
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 461, in validate_token_parameters
    raise w
Warning: Scope has changed from "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile" to "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile".
Apparently Google adds an openid scope even if I haven't asked for it, and the oauthlib code is too strict when comparing the new received scope with the old requested one.
I see three possible solutions:
- just add openid to list of scopes - it does work then 🎉
- suppress raising this error from oauthlib by setting env variable OAUTHLIB_RELAX_TOKEN_SCOPE (see here)
- change oauthlib behavior so it doesn't raise an error when a scope was added, only when it was removed...
What do you think?
If using openid, the scope can be as short as openid email profile. See https://github.com/authlib/loginpass/blob/master/loginpass/google.py#L38
I get this error when I use SCOPES = ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.file"]. Just changing it to this works for me: SCOPES = ["openid","https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.file"]
Here's one with Microsoft Office365 Exchange:
Warning: Scope has changed from "offline_access https://outlook.office365.com/.default" to "https://outlook.office365.com/EWS.AccessAsUser.All https://outlook.office365.com/.default".
And if you provide the scope exactly as provided by the server, you get:

So is this a library issue or a server one?
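Added example, not part of the original thread and not oauthlib's code: the third option from the first post (fail only when a needed scope is dropped, tolerate added ones), run against the two pairs of scope strings quoted in the warnings above. The names `ScopeDiff`, `diff_scopes` and `check_granted` are hypothetical.

```python
from dataclasses import dataclass

# Scope strings quoted in the two warnings in this thread.
GOOGLE_REQ = ("https://www.googleapis.com/auth/userinfo.email "
              "https://www.googleapis.com/auth/userinfo.profile")
GOOGLE_GOT = "openid " + GOOGLE_REQ
MS_REQ = "offline_access https://outlook.office365.com/.default"
MS_GOT = ("https://outlook.office365.com/EWS.AccessAsUser.All "
          "https://outlook.office365.com/.default")


@dataclass(frozen=True)
class ScopeDiff:
    added: frozenset    # granted by the server but never requested
    removed: frozenset  # requested but absent from the token response


def diff_scopes(requested, granted):
    """Compare two space-delimited scope strings as unordered sets."""
    req, got = frozenset(requested.split()), frozenset(granted.split())
    return ScopeDiff(added=got - req, removed=req - got)


def check_granted(requested, granted, required=None):
    """Raise only if a needed scope is missing; otherwise return the diff.

    `required` defaults to every requested scope, so scopes the server adds
    pass while scopes it drops fail. Callers should still log `added`, since
    the token then carries more access than the application asked for.
    """
    needed = frozenset(requested.split() if required is None else required)
    missing = needed - frozenset(granted.split())
    if missing:
        raise ValueError("scopes not granted: " + " ".join(sorted(missing)))
    return diff_scopes(requested, granted)


if __name__ == "__main__":
    print(check_granted(GOOGLE_REQ, GOOGLE_GOT))  # openid added, none removed
    try:
        check_granted(MS_REQ, MS_GOT)
    except ValueError as exc:
        print(exc)  # offline_access was requested but not returned
    # A caller that only needs the .default scope accepts the same response.
    print(check_granted(MS_REQ, MS_GOT,
                        required=["https://outlook.office365.com/.default"]))
```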