new_request potentially makes a request even if self.access_token_expired is True: https://github.com/google/oauth2client/blob/933e1d0073d676d6a80d39616405b19fc6f7ccbd/oauth2client/client.py#L550

If the token is expired, the server will return a 401, new_request will refresh the token, and then it will retry the request.

It should refresh beforehand if the access token is known to be expired, avoiding an unnecessary HTTP call.

AttributeError: 'Module_six_moves_urllib' object has no attribute 'urlencode'

body = urllib.urlencode({
'client_id': self.client_id,
'scope': self.scope,
})
should be
body = urllib.parse.urlencode({
'client_id': self.client_id,
'scope': self.scope,
})
(.parse is missing)

Even setup fails

Installing collected packages: oauth2client, httplib2
  Running setup.py install for oauth2client
      File "/home/user/test-env/lib/python3.4/site-packages/oauth2client/locked_file.py", line 125
        except IOError, e:
                      ^
    SyntaxError: invalid syntax

      File "/home/user/test-env/lib/python3.4/site-packages/oauth2client/tools.py", line 166
        except socket.error, e:
                           ^
    SyntaxError: invalid syntax

      File "/home/user/test-env/lib/python3.4/site-packages/oauth2client/file.py", line 95
        old_umask = os.umask(0177)
                                ^
    SyntaxError: invalid token

      File "/home/user/test-env/lib/python3.4/site-packages/oauth2client/gce.py", line 86
        except StandardError, e:
                            ^
    SyntaxError: invalid syntax

      File "/home/user/test-env/lib/python3.4/site-packages/oauth2client/old_run.py", line 99
        except socket.error, e:
                           ^
    SyntaxError: invalid syntax

      File "/home/user/test-env/lib/python3.4/site-packages/oauth2client/multistore_file.py", line 274
        old_umask = os.umask(0177)
                                ^
    SyntaxError: invalid token

      File "/home/user/test-env/lib/python3.4/site-packages/oauth2client/appengine.py", line 190
        except app_identity.Error, e:
                                 ^
    SyntaxError: invalid syntax

When I moved us from epydoc to sphinx, it looks like I lost the docs for several methods in the process. For instance, tools.run_flow has documentation that simply doesn't show up.

This is quite possibly a trivial fix (i.e. we need to change a depth argument somewhere when running sphinx).

cc @nathanielmanistaatgoogle, @soltanmm

I may be missing something here, but this doesn't appear to support Python3 currently. In order to initialize the credentials, you are expected to pass in the private key file's contents as a string, so this would work for Python2:

  with open(KEY_FILE) as f:
    private_key = f.read()

  oauth2credentials = oauth2client.client.SignedJwtAssertionCredentials(
        SERVICE_ACCOUNT_EMAIL, private_key, SCOPE, sub=None)

Doing the same for Python3 would result in a UnicodeDecodeError, as it should be read in binary. Ideally, it would work as follows:

  with open(KEY_FILE, 'rb') as f:
    private_key = f.read()

  oauth2credentials = oauth2client.client.SignedJwtAssertionCredentials(
        SERVICE_ACCOUNT_EMAIL, private_key, SCOPE, sub=None)

However, while it will make it past the initialization step (it probably shouldn't), it will throw a TypeError later when you attempt to do a refresh because crypto.load_pkcs12(key, password) is expecting the key to be a string.

The easiest solution that comes to mind is to handle the private key differently depending on whether it is a str or bytes.

See:
https://developers.google.com/accounts/docs/OAuth2WebServer#incrementalAuth

By sending the query parameter include_granted_scopes=true, previous authorizations can be wrapped into new tokens (when new scopes are needed).

Is there any reason why oauth2client is using two spaces for indentation instead of four, as recommended by PEP 8?

Would people be opposed to switching to PEP8-friendly code?

I'm having issues with the OAuth2Decorator.

The problem is that in client.py the code parameter is only checked as dict, but not as UnicodeMultiDict. Appengine.py provides self.request.params in the parameter code as UnicodeMultiDict.

client.py:1794

    if code is None:
      code = device_flow_info.device_code
    elif isinstance(code, dict):
      if 'code' not in code:
        raise FlowExchangeError(code.get(
            'error', 'No code was supplied in the query parameters.'))
      code = code['code']

I changed the code to check if it is a string or try to get the property. That would be one solution.

    if code is None:
      code = device_flow_info.device_code
    elif not isinstance(code, str):
      if 'code' not in code:
        raise FlowExchangeError(code.get(
            'error', 'No code was supplied in the query parameters.'))
      code = code['code']

Maybe an even better solution would be to change appengine.py:876 from:

credentials = decorator.flow.step2_exchange(self.request.params)

to:

credentials = decorator.flow.step2_exchange(self.request.params['code'])

I'm trying to use this to refresh an access token for a user that has approved offline access, though it seems to open a web browser everytime I attempt to refresh the token. Here is the basic code I'm using:

import argparse
from oauth2client.client import OAuth2WebServerFlow
from oauth2client import tools
from oauth2client.file import Storage

CLIENT_ID = '[censored]'
CLIENT_SECRET = '[censored]'

flow = OAuth2WebServerFlow(client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET,
                           scope='https://www.googleapis.com/auth/analytics.readonly',
                           redirect_uri='urn:ietf:wg:oauth:2.0:oob',
                           access_type="offline",
                           approval_prompt="auto")

parser = argparse.ArgumentParser(parents=[tools.argparser])
flags = parser.parse_args()

storage = Storage('creds.data')
credentials = storage.get()

if credentials is None or credentials.invalid == True: 
    credentials = tools.run_flow(flow, storage, flags)

print "access_token: %s" % credentials.access_token

My creds.data file contains an access token and a refresh token. The access token expired yesterday, but the credentials are still returning as valid for some reason. If I remove the if statement and force tools.run_flow to execute, a web browser opens seeking user approval even though I have offline access and a refresh token. I've been working at this for a few days now and am really stumped, is there anything I'm missing, or is this method out of date? Would love an example of how to do this. Thanks in advance!

 File "/home/peter/work/arv_venv/local/lib/python2.7/site-packages/oauth2client-1.4-py2.7.egg/oauth2client/tools.py", line 53, in <module>
NameError: name '_CreateArgumentParser' is not defined

Looking at tools.py, it does appear that is calling
argparser = _CreateArgumentParser() right before defining def _CreateArgumentParser() which seems like a problem?

multistore.py uses LockedFile for managing the credential store. However, if the operating system doesn't support the necessary open+lock file operation https://github.com/google/oauth2client/blob/master/oauth2client/locked_file.py#L338 that's used by the opener class, it will raise this exception (usually an OSError) and likely kill its caller.

At a minimum, multistore_file should probably just return that a credential couldn't be loaded from the store in this case.

Client_secrets.json contains redirect_uri and one doesn't need to be provided separately.

# client_secrets.json
{
    "web":
    {
        "client_id":"blah-blah",
        "client_secret":"blah-blah",
        "client_email":"blah-blah",
        "redirect_uris":["https://example.com/oauth2callback"],
    }
}

Currently there are a large number of tests that test networking-related functionality without mocking it out. This means that tests will fail in surprising ways on different environments.

(One example: GCE detection doesn't mock out the network, so we see the behavior intended in the tests in "most" environments, but on GCE we will accidentally pick up the metadata service, and on AWS, we'll see a different codepath as we can fetch 169.254.169.254, but it won't have the expected Google metadata header.)

This needs to be cleaned up throughout the tests.

The implementation of get_application_default has an issue that it detects the environement before fetching the credentials. However, the check for GCE can hang on certain networks for up to 30 seconds (See #93).
This should be changed to match the Java implementation where this is not queried until the end because of its side effects. This means that the can can only occur in a failure case.

To give a little more detail; the java code roughly says:

if (testForWellKnownFile(...)) {
return credsFromWellKnownFile();
} else if (testForGae(...)) {
return credsFromGae();
} else if (testForGce(...)) {
return credsFromGce();
}

on the flip side, the python code says:

if (well_known_file_exists()):
env = 'WELL_KNOWN_FILE'
elif (detect_gae()):
env = 'GAE'
elif (detect_gce()):
env = 'GCE'
...
return CredsFromEnv(env)

Fails on some Ubuntu 14.04 LTS machines for both py27 and py34.

Hi guys !

I am using google-api-python-client to deal with Google Analytics API. google-api-python-client uses oauth2client to deal with Google's OAuth 2 authentication tokens (which are saved in my Django PostgreSQL DB).

I have created tests which used to pass with Django==1.6.5 and google-api-python-client==1.2 but now fail. I run my test with a fixture containing a model using a oauth2client.django_orm.CredentialsField field. Here is my full stack trace generated when the test is run:

Traceback (most recent call last):
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/test/testcases.py", line 182, in __call__
    self._pre_setup()
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/test/testcases.py", line 754, in _pre_setup
    self._fixture_setup()
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/test/testcases.py", line 907, in _fixture_setup
    'skip_checks': True,
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/management/__init__.py", line 115, in call_command
    return klass.execute(*args, **defaults)
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/management/base.py", line 338, in execute
    output = self.handle(*args, **options)
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/modeltranslation/management/commands/loaddata.py", line 50, in handle
    return super(Command, self).handle(*fixture_labels, **options)
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 61, in handle
    self.loaddata(fixture_labels)
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 91, in loaddata
    self.load_label(fixture_label)
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 142, in load_label
    for obj in objects:
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/serializers/json.py", line 81, in Deserializer
    six.reraise(DeserializationError, DeserializationError(e), sys.exc_info()[2])
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/serializers/json.py", line 75, in Deserializer
    for obj in PythonDeserializer(objects, **options):
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/django/core/serializers/python.py", line 145, in Deserializer
    data[field.name] = field.to_python(field_value)
  File "/Users/quentin/Python/virtualenvs/mtanalytics/lib/python2.7/site-packages/oauth2client/django_orm.py", line 47, in to_python
    return pickle.loads(base64.b64decode(value))
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/base64.py", line 76, in b64decode
    raise TypeError(msg)
DeserializationError: Problem installing fixture '/Users/quentin/Python/projects/mtanalytics/test/fixtures/cron_fixture.json': Incorrect padding

The code line from oauth2client.django_orm.CredentialsField.to_python (line 47):

return pickle.loads(base64.b64decode(value))

which should work fine with this code from oauth2client.django_orm.CredentialsField.get_db_prep_value (line 52):

return base64.b64encode(pickle.dumps(value))

My Django text fixture is created using manage.py dumpdata. I am using oauth2client==1.4.6.

Thanks for your support!!

The README file says to do this to install:
easy_install --upgrade oauth2client
However, I get the error "Couldn't find a setup script". This is both with a clone of the git repo and also the tarball.

If this is a duplicate I apologize.

ISTM this requires

• Move all uses of httplib2 into a module (call it transport probably) (#554, #559, #561, #577)
• Determine what assumed interface of httplib2.Http is needed
• Optional. Try to reduce the interface needed
• Factor out the hard dependencies on httplib2 and just use these interfaces
• Document the interface and allow credentials constructors to optionally take a custom Http object from any old library, e.g. twisted or requests.
• Revisit all changes and ensure consistency
• Revisit query string update hackery in #622

Hi,

It looks like we cannot use OAuth2WebServerFlow.step1_get_device_and_user_codes() with gmail service
It always return :
"OAuth2DeviceCodeError: Invalid response 400. Error: invalid_scope"
although I set different scope such as
'https://www.googleapis.com/auth/gmail.modify'
'https://www.googleapis.com/auth/gmail.compose'
'https://www.googleapis.com/auth/gmail.readonly'
'https://mail.google.com/'

oauth2_for_devices.py sample (https://github.com/google/oauth2client/blob/master/samples/oauth2_for_devices.py) works fine for 'youtube' or 'calendar' service, but not for gmail.
Did I miss something?

Thanks in advance for your feedback,
fcaza

Similar changes to https://codereview.appspot.com/187380044/ should be made.

We've got a few mocking libraries in place, might as well standardize on the one that's in the stdlib for python3.

The current exception simply passes without raising a reason for the exception:

from oauth2client.client import SignedJwtAssertionCredentials
ImportError: cannot import name SignedJwtAssertionCredentials

This is due to line 42 - 48 of client.py:

try:
from oauth2client import crypt
HAS_CRYPTO = True
if crypt.OpenSSLVerifier is not None:
HAS_OPENSSL = True
except ImportError:
pass

I suggest modifying this to:

try:
from oauth2client import crypt
HAS_CRYPTO = True
if crypt.OpenSSLVerifier is not None:
HAS_OPENSSL = True
except ImportError as e:
raise e

This way a real exception is thrown and can be solved easier:

from oauth2client.client import SignedJwtAssertionCredentials

/Users/Alexander/.virtualenvs/tubehunter/lib/python2.7/site-packages/oauth2client/client.py in ()
46 HAS_OPENSSL = True
47 except ImportError as e:
---> 48 raise e
49
50 try:

ImportError: No encryption library found. Please install either PyOpenSSL, or PyCrypto 2.6 or later

This repo contains a number of tests of oauth2client/appengine.py, but they're currently disabled in tox/travis. We should download the SDK and re-enable them.

This is to prevent issues like #125 where unit tests give false sense of working code.

ISTM we'd want the following

• Python2 / Python3 - Mint a P12 Service Account access token and make a simple request
• Python2 / Python3 - Mint a JSON Key Service Account access token and make a simple request
• Python2 / Python3 - Refresh a user OAuth 2.0 token and make a simple request
• Python2 / Python3 - Mint a user OAuth 2.0 token (not possible on Travis / without human interaction)
• Python2 / Python3 - Mint a GAE / GCE Service Account access token (not possible on Travis)

When running with the branch from googleapis/google-cloud-python#580:

$ .tox/regression3/bin/python regression/run_regression.py --package=storage
ERROR

======================================================================
ERROR: setUpModule (storage)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/regression/storage.py", line 42, in setUpModule
    SHARED_BUCKETS['test_bucket'] = CONNECTION.create_bucket(bucket_name)
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/.tox/regression3/lib/python3.4/site-packages/gcloud/storage/connection.py", line 351, in create_bucket
    data={'name': bucket.name})
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/.tox/regression3/lib/python3.4/site-packages/gcloud/storage/connection.py", line 239, in api_request
    method=method, url=url, data=data, content_type=content_type)
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/.tox/regression3/lib/python3.4/site-packages/gcloud/storage/connection.py", line 176, in make_request
    body=data)
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/.tox/regression3/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/.tox/regression3/lib/python3.4/site-packages/oauth2client/client.py", line 530, in new_request
    self._refresh(request_orig)
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/.tox/regression3/lib/python3.4/site-packages/oauth2client/client.py", line 744, in _refresh
    self._do_refresh_request(http_request)
  File "/home/tseaver/projects/agendaless/Google/src/gcloud-python/.tox/regression3/lib/python3.4/site-packages/oauth2client/client.py", line 807, in _do_refresh_request
    raise AccessTokenRefreshError(error_msg)
oauth2client.client.AccessTokenRefreshError: invalid_grant

----------------------------------------------------------------------

• Those tests use the GOOGLE_APPLICATION_CREDENTIALS envvar, and run fine under Python2.
• All gcloud-python unit tests pass on that branch under Python2 and Python3.

It would be great to have a higher level wrapper like get_credentials:

https://github.com/GoogleCloudPlatform/gcloud-python/blob/master/gcloud/credentials.py#L33

directly in this library

I was thinking of moving the DefaultCredential format definition and validation logic recently added to client.GoogleCredentials into a separate class. This predominantly concerns the validation code in _get_application_default_credential_from_file() starting here:
https://github.com/google/oauth2client/blob/master/oauth2client/client.py#L1162

What I'm hoping to accomplish:

• Consolidate the DefaultCredential format/model definition making it easier to implement and verify correctness of implementations in other languages
• Allow validation method to be called from non-file loader contexts
• Remove hardcoded strings for field names when serializing
• Add optional fields for token_uri and revoke_uri in the model and remove related references to constants in _get_application_default_credential_from_file()

Would be nice to see it in the list at https://github.com/google. Thanks!

When we try to use verify_id_token in our app, the updated version of oauth2client now tells us urllib cannot be imported. The stacktrace looks something like this:

web_1 | from oauth2client.client import verify_id_token
web_1 | File "/usr/local/lib/python2.7/site-packages/oauth2client/client.py", line 32, in
web_1 | from six.moves import urllib
web_1 | ImportError: cannot import name urllib

when running line 131 with a .p12 file:

pkey = crypto.load_pkcs12(key, password).get_privatekey()

the following error occurs:
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_D2I_READ_BIO', 'not enough data')]

should be:

pkey = crypto.load_pkcs12(file(key,"rb").read(),str(password)).get_privatekey()

Howto says to run "pip install oath2client" and here is the output when I do so:

Downloading/unpacking oath2client
Getting page https://pypi.python.org/simple/oath2client/
Could not fetch URL https://pypi.python.org/simple/oath2client/: 404 Client Error: Not Found
Will skip URL https://pypi.python.org/simple/oath2client/ when looking for download links for oath2client
Getting page https://pypi.python.org/simple/
URLs to search for versions for oath2client:

• https://pypi.python.org/simple/oath2client/
  Getting page https://pypi.python.org/simple/oath2client/
  Could not fetch URL https://pypi.python.org/simple/oath2client/: 404 Client Error: Not Found
  Will skip URL https://pypi.python.org/simple/oath2client/ when looking for download links for oath2client
  Could not find any downloads that satisfy the requirement oath2client
  Cleaning up...
  No distributions at all found for oath2client
  Exception information:
  Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/pip/basecommand.py", line 122, in main
  status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/pip/commands/install.py", line 278, in run
  requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/pip/req.py", line 1177, in prepare_files
  url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/pip/index.py", line 277, in find_requirement
  raise DistributionNotFound('No distributions at all found for %s' % req)
  pip.exceptions.DistributionNotFound: No distributions at all found for oath2client

pip search oath also reveals there is no oath2client

Hello all,

It looks like this library has a bug for Python3 versions < 3.3. Attempting to import the library results in the following:

Traceback (most recent call last):
File "authorize_with_service_account_py3.py", line 1, in
import oauth2client.client
File "/usr/local/lib/python3.2/dist-packages/oauth2client-1.4.5-py3.2.egg/oauth2client/client.py", line 1569
segments = id_token.split(u'.')

The reason this doesn't work is because u'' isn't supported in Python3 versions < 3.3, so it sees this as invalid syntax. The library can be imported in versions > 3.2.

Proposed code change for oauth2client/clientsecrets.py

class InvalidClientSecretsError(Error):
"""Format of ClientSecrets file is invalid."""
def init(self, Error):
logging.info("Error:"+str(Error))
pass

Would be nice to see it in the list at https://github.com/google. Thanks!

I've created a path to keep the raw value of the id_token in the token_reponse attribute of the OAuth2Credentials object.
This value is needed in some case, for example for the Amazon AWS Web identity federation.

The appengine decorators use the User's service get_current_user() method to determine if a user is logged in; however, there is no easy way to adapt the decorator to use the Google+ web server flow for authentication.

See https://developers.google.com/+/web/signin/server-side-flow

Adding a get_current_user method to the decorator would make it easier to override and adapt.

When I run "gcloud auth login", the file ${HOME}/.config/gcloud/application_default_credentials.json is created with a permission 0644, which seems inappropriate in my opinion. I think it should be 0600 or something stricter.

I downloaded the clientsecrets JSON file from a standard AppEngine instance and when I try to do oauth with

from oauth2client.client import flow_from_clientsecrets
flow = flow_from_clientsecrets(secrets_file, scope=scope,
message=MISSING_CLIENT_SECRETS_MESSAGE)

I get the following error:
Error:Missing property "redirect_uris" in a client type of "web".

We may need to remove the "redirect_uris" from required tags list.

In particular, there are cases where DNS resolution causes problems -- we need to make this configurable.

This is the root cause of the slowness from #89. From the back-and-forth in #85, it looks like the tests happen to pick up existing credentials from the well-known file, which means our tests aren't self-contained (badness), and are slow to boot.

(Moving the gcloud directory is a temporary workaround, but clearly this needs fixed.)

on some networks (@dhermes has one at home), doing a lookup on a bogus URL takes ~20-30s. this means that the default way of discovering the current environment (say for fetching the application default credential) can be insanely slow.

The cloud console now allows you to download .json keys, which have an unencrypted version of the private key, along with the existing .p12 keys, which had the private key encrypted with 'notasecret'.

Right now, the SignedJwtAssertionCredentials constructor only takes an encrypted key, though it immediately decrypts it.

We should modify SignedJwtAssertionCredentials to also take the unencrypted key.

I'd like to open this up as an Enhancement and have some discussion, similar to googleapis/google-api-python-client#3.

I've already forked the code and made some trivial updates in a new branch. My goal is to keep the code working in both 2.6+ and 3.3+. In the other thread, it was suggested to have 2.6 as the minimum supported version; at what point will that be the case? Should I incrementally submit pull requests (that may break compatibility with versions before 2.6)?

The program tries to revoke the access and refresh tokens of a Google Analytics service.
The error occurs in credentials.revoke(), in the following snippet of code:

@require_GET
def logout(request):
    if request.app_user:
        from oauth2client.client import Credentials
        credentials = Credentials.new_from_json(request.app_user['credentials_json'])
        if not credentials.refresh_token:
            try:
                credentials.revoke(httplib2.Http())
            except Exception:
                # If credentials.revoke() doesn't work for some reason
                # use a plain http request as a fallback
                import requests
                response = requests.get(
                    credentials.revoke_uri + '?token=' + credentials.access_token)
        auth.logout(request)
        return HttpResponse()
    else:
        return HttpResponse(status=401)

The credentials.access_token is set and valid and the credentials.refresh_token is set to None.
The credentials.revoke() causes an TokenRevokeError but when I want to do the same thing using the requests library, it works perfectly.

requests.get(credentials.revoke_uri + '?token=' + credentials.access_token)

To better understand what I'm saying, here is a screenshot of when the above snippet gets executed:

Hi,
When I refresh credentials file, and get TypeError:

pkey = crypto.load_pkcs12(key, password).get_privatekey()
File "build\bdist.win32\egg\OpenSSL\crypto.py", line 2223, in load_pkcs12
parse_result = _lib.PKCS12_parse(p12, passphrase, pkey, cert, cacerts)
TypeError: initializer for ctype 'char *' must be a str or list or tuple, not unicode

Someone said that modify crypt.py to 'load_pcs12(key, str(password))', but official not fix it. Why?

This function should probably take any sort of Credentials object, and either convert or raise an exception, depending on which type comes in.

I'm running Fedora 14, i.e., python 2.7 and pyOpenSSL 0.9. According to tox.ini the requirement is pyopenssl<0.14, but the OpenSSL.crypto.sign() method is missing in that version (see below). What is the minimum version of pyOpenSSL required?

Traceback (most recent call last):
[...]
    self.service = apiclient.discovery.build( 'admin', 'v1', http=http )
  File "/usr/lib/python2.7/site-packages/oauth2client/util.py", line 135, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "build/bdist.macosx-10.9-x86_64/egg/googleapiclient/discovery.py", line 198, in build
  File "/usr/lib/python2.7/site-packages/oauth2client/util.py", line 135, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/oauth2client/client.py", line 530, in new_request
    self._refresh(request_orig)
  File "/usr/lib/python2.7/site-packages/oauth2client/client.py", line 744, in _refresh
    self._do_refresh_request(http_request)
  File "/usr/lib/python2.7/site-packages/oauth2client/client.py", line 768, in _do_refresh_request
    body = self._generate_refresh_request_body()
  File "/usr/lib/python2.7/site-packages/oauth2client/client.py", line 1376, in _generate_refresh_request_body
    assertion = self._generate_assertion()
  File "/usr/lib/python2.7/site-packages/oauth2client/client.py", line 1505, in _generate_assertion
    private_key, self.private_key_password), payload)
  File "/usr/lib/python2.7/site-packages/oauth2client/crypt.py", line 328, in make_signed_jwt
    signature = signer.sign(signing_input)
  File "/usr/lib/python2.7/site-packages/oauth2client/crypt.py", line 116, in sign
    return crypto.sign(self._key, message, 'sha256')
AttributeError: 'module' object has no attribute 'sign'

Recently I had to use a flow that fails if redirect_url is provided.
I monkey patched an oauth2client(1.2) almost like a0d99b9 and it works fine for me.

But given what a bad practise monkey patching is, it would be great if you can include the possibility to exchange codes without providing any redirect_url.