
Handling of refresh tokens that can expire

Open malefice opened this issue 10 years ago • 2 comments

Hi guys! First of all, using this library has really made things easy, so I want to thank all the contributors for their hard work! Anyway, I was wondering how requests-oauthlib's auto-refresh feature behaves if the refresh token also expires? I have taken a look at the code, particularly lines 259 to 263 of the master branch in the refresh_token() method, and it does not seem like it will be able to handle that contingency. Maybe I am missing something, but can anyone confirm? Thanks!

def refresh_token(self, token_url, refresh_token=None, body='', auth=None,
                  timeout=None, verify=True, **kwargs):
    # ...
    # An error reply from the provider is raised by the oauthlib parser here;
    # only a successful reply reaches the check below.
    self.token = self._client.parse_request_body_response(r.text, scope=self.scope)
    if 'refresh_token' not in self.token:
        log.debug('No new refresh token given. Re-using old.')
        self.token['refresh_token'] = refresh_token
    return self.token

malefice avatar Nov 14 '15 08:11 malefice

The honest answer is that I'm not sure: @ib-lundgren wrote that code, and has been absent for a while, so it may or may not work. It does seem to be the case that the auto refresh feature may fail, but I'm not certain.

A reproduction of the bug would be really interesting if we could have it.

Lukasa avatar Nov 15 '15 10:11 Lukasa

I ran into this situation. The refresh was attempted, and the provider replied with an error stating that the refresh token had expired. oauthlib pulled the error description out of the reply from the provider and raised an exception. This exception was raised here:

https://github.com/idan/oauthlib/blob/master/oauthlib/oauth2/rfc6749/parameters.py#L383

To automate this, you would need something like what is needed here:

https://github.com/requests/requests-oauthlib/issues/246

In other words, if both the access token and refresh token are expired, you will need to go back through the process of obtaining a new set. If using a grant such as client credentials, this can be done automatically.

btimby avatar Mar 03 '17 14:03 btimby
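The fallback described in the last comment, written out as an added example (this is not code from requests-oauthlib or oauthlib): try the refresh first; if the provider rejects the refresh token with the RFC 6749 `invalid_grant` error, re-run the client credentials grant instead of raising. The `TokenManager`, `Transport` callable, fake provider and all token values are constructed for this example so it runs offline; a real client would send the client credentials with HTTP Basic auth rather than as form fields.

```python
"""Re-acquire a token when both the access token and the refresh token are expired.

Added example, not part of requests-oauthlib. The provider's token endpoint is
simulated in-process with constructed responses; the error body shape
("error": "invalid_grant") follows RFC 6749 section 5.2.
"""
import json
import time
from typing import Callable, Dict, Tuple

# Assumed transport shape for this example: post(url, form_fields) -> (http_status, body_text)
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


class OAuth2Error(Exception):
    """Provider returned an RFC 6749 error body instead of a token."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def parse_token_response(body_text: str, now: Callable[[], float] = time.time) -> dict:
    """Like oauthlib, turn an 'error' field into an exception; otherwise return the token.

    An absolute 'expires_at' is recorded so expiry can be checked later without
    trusting the provider's clock.
    """
    data = json.loads(body_text)
    if "error" in data:
        raise OAuth2Error(data["error"], data.get("error_description", ""))
    if "access_token" not in data:
        raise OAuth2Error("invalid_response", "token response has no access_token")
    if "expires_in" in data:
        data["expires_at"] = now() + int(data["expires_in"])
    return data


class TokenManager:
    """Keeps a usable access token: refresh when possible, re-run the grant when not."""

    def __init__(self, token_url, client_id, client_secret, token, transport: Transport,
                 now: Callable[[], float] = time.time):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.token = dict(token)
        self._post = transport
        self._now = now

    def is_expired(self) -> bool:
        # A token with no expiry information is treated as expired and re-validated.
        return self._now() >= self.token.get("expires_at", 0)

    def _token_request(self, fields: Dict[str, str]) -> dict:
        fields = dict(fields, client_id=self.client_id, client_secret=self.client_secret)
        _status, body = self._post(self.token_url, fields)
        return parse_token_response(body, self._now)

    def refresh(self) -> dict:
        new_token = self._token_request({"grant_type": "refresh_token",
                                         "refresh_token": self.token["refresh_token"]})
        # Same rule as the snippet in the issue: keep the old refresh token if none is returned.
        if "refresh_token" not in new_token:
            new_token["refresh_token"] = self.token["refresh_token"]
        self.token = new_token
        return new_token

    def reauthorize(self) -> dict:
        # Client credentials grant runs unattended, so it is the fallback the thread describes.
        # RFC 6749 section 4.4.3: this grant should not return a refresh token.
        self.token = self._token_request({"grant_type": "client_credentials"})
        return self.token

    def ensure_fresh(self) -> dict:
        if not self.is_expired():
            return self.token
        if "refresh_token" not in self.token:
            return self.reauthorize()
        try:
            return self.refresh()
        except OAuth2Error as exc:
            # invalid_grant is the RFC 6749 section 5.2 error for an expired/revoked refresh token.
            if exc.error != "invalid_grant":
                raise
            return self.reauthorize()


def make_fake_provider(valid_refresh_tokens: set) -> Transport:
    """Constructed stand-in for the provider's token endpoint (offline)."""
    def post(url: str, fields: Dict[str, str]) -> Tuple[int, str]:
        grant = fields.get("grant_type")
        if grant == "refresh_token":
            if fields.get("refresh_token") not in valid_refresh_tokens:
                return 400, json.dumps({"error": "invalid_grant",
                                        "error_description": "refresh token expired"})
            return 200, json.dumps({"access_token": "at-refreshed", "token_type": "Bearer",
                                    "expires_in": 3600})
        if grant == "client_credentials":
            return 200, json.dumps({"access_token": "at-client-credentials",
                                    "token_type": "Bearer", "expires_in": 3600})
        return 400, json.dumps({"error": "unsupported_grant_type"})
    return post


def build_manager(refresh_token: str, provider_accepts: set,
                  now: Callable[[], float] = time.time) -> TokenManager:
    """Manager holding a constructed, already-expired token (expires_at=0)."""
    expired = {"access_token": "at-old", "refresh_token": refresh_token, "expires_at": 0}
    return TokenManager("https://provider.example/token", "client-id", "client-secret",
                        expired, make_fake_provider(provider_accepts), now)


if __name__ == "__main__":
    ok = build_manager("rt-valid", {"rt-valid"})          # refresh token still accepted
    print(ok.ensure_fresh()["access_token"], ok.token["refresh_token"])
    stale = build_manager("rt-expired", {"rt-valid"})     # refresh token rejected: grant re-run
    print(stale.ensure_fresh()["access_token"], "refresh_token" in stale.token)
```

Two scenarios are exercised: with an accepted refresh token the access token is refreshed and the old refresh token is kept, as in the snippet quoted in the issue; with a rejected one the `invalid_grant` exception is caught and the client credentials grant produces a new access token. Any other OAuth2 error (a wrong client secret, for instance) still propagates, since silently retrying would hide a configuration problem.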