requests-oauthlib
requests-oauthlib copied to clipboard
requests
Possible to auto refresh client_credentials access token?
As a client_credentials based access token has no refresh token, the refresh_token() functionality raises an exception (ie. InvalidRequestError: Missing refresh token parameter.). Based on the spec, I believe this is technically fine - one should fetch a new access token in this case.
Is it just the spec that prevents requests-oauthlib from handling this scenario gracefully alongside the current token expiration code handling in the request() method on OAuth2Session?
If I subclass OAuth2Session like so:
class RefreshOAuth2Session(OAuth2Session):
def request(self, *args, **kwargs):
try:
return super().request(*args, **kwargs)
except TokenExpiredError:
self.token = self.fetch_token(
token_url=OAUTH2_TOKEN_URL,
**self.auto_refresh_kwargs
)
self.token_updater(self.token)
return super().request(*args, **kwargs)
I can use it like this:
class MyClass(object):
_session = None
_token = None
def token_updater(self, token):
self._token = token
@property
def session(self):
if self._session is None:
self._session = RefreshOAuth2Session(
client=BackendApplicationClient(client_id=self.client_id),
token=self.token,
token_updater=self.token_updater,
auto_refresh_kwargs={
'client_id': self.client_id,
'client_secret': self.client_secret,
}
)
return self._session
@property
def token(self):
if self._token is None:
self._token = RefreshOAuth2Session(
client=BackendApplicationClient(client_id=self.client_id)
).fetch_token(
token_url=OAUTH2_TOKEN_URL,
client_id=self.client_id,
client_secret=self.client_secret
)
return self._token
def __init__(self, *args, **kwargs):
super(MyClass, self).__init__(*args, **kwargs)
self.client_id = CLIENT_ID
self.client_secret = CLIENT_SECRET
def get_information(self):
return self.session.get('https://localhost:10000/api/infomation/')
obj = MyClass()
obj.get_information()
As long as auto_refresh_url is not passed in, the logic in my subclass handles everything smoothly. Could logic be added to request() to cover this scenario, rather than having to kludge this as I've done?
Related thread: https://groups.google.com/d/msg/django-oauth-toolkit/iSIiZQtn0mM/5SDckbyTCQAJ
I don't see any problem with adding some logic to request() to cover this scenario.
I am having similar issues.
https://github.com/requests/requests-oauthlib/issues/264
I solved this issue by subclassing oauthlib's BackendApplicationClient and adding
def prepare_refresh_body(self, body='', refresh_token=None, scope=None, **kwargs):
return self.prepare_request_body(boby=body, scope=scope, **kwargs)
Then you can pass such a client to Oauth2Session as normal.
But, indeed, a solution that doesn't require custom code would be most welcome.
Is anyone working on a solution to this? The suggestion from @IvanAnishchuk doesn't seem to do the trick for me. The only way I manage to make it work is by catching TokenExpired and manually fetch a token from there.
It looks to me like there's some non-trivial refactoring that is required to make this work well. OAuth2Session works under the assumption that there is such a thing as a refresh token, but it's normally not the case for the client_credentials flow.
It's not clear to me exactly where the line is drawn between the Client and the Session and what the responsibility of each is. It also doesn't make sense to me that client ID is a required parameter for BackendApplicationClient, since, as I understand the client_credentials flow, it's only used (in combination with the client secret) for getting an access token and nothing else.
Could someone help me out here? Is the client_credentials really still not fully supported? Is there anything we can do to make it happen?
Is anyone working on a solution to this?
Unfortunately, probably not. See #385 for more context.
