requests-oauthlib icon indicating copy to clipboard operation
requests-oauthlib copied to clipboard

Published 20 hours ago verified publisher icon requests

Authentication on refresh has to be explicit but shouldn't be

Open jsfan opened this issue 10 years ago • 4 comments

RFC 6749 recommends the use of HTTP Basic auth for OAuth2. While requests-oauthlib allows for authentication details to be sent along explicitly when fetching tokens, the credentials would have to be passed to every single request in order for the refresh to work.

Oauth2Session should probably either take the credentials on fetch and then store them to use for refresh or already take them in the constructor.

I am happy to contribute the patch but would like to have an opinion first as to which path to go down.

jsfan avatar Oct 25 '15 23:10 jsfan

@jsfan Do you have a proposed API for this?

Lukasa avatar Oct 26 '15 20:10 Lukasa

The approach I tried turned out not to work and I haven't had a chance to revisit and try something else. It has not been forgotten though.

jsfan avatar Dec 02 '15 09:12 jsfan

Yes auto-refresh seems to be currently broken unless you pass the client_secret along with every request. Ideally this would be stored in the OAuth2Session itself so that it was there when it was needed.

mmerickel avatar Nov 22 '16 16:11 mmerickel

My proposal is to accept client_secret in __init__() for use in refresh_token(). client_id is already passed and accessible.

https://github.com/requests/requests-oauthlib/issues/264

btimby avatar Mar 03 '17 14:03 btimby