Comments (5)
The common case is that the client credentials are needed when using the refresh token. From Section 6:
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
The client credentials are either passed in an Authorization header or in the request body. See Client Authentication.
Google says to pass using the request body. The spec recommends not passing them this way.
Letting the developer choose seems best. Similar to the `signature_type` parameter of `OAuth1`.
from requests-oauthlib.
Indeed but which credentials are needed is undefined and my thoughts were that if we can find that the majority uses say, `client_id` and `client_secret`, in the request body whereas the others don't use the credentials at all. Then we could possibly default to include `client_id` and `client_secret` by default when refreshing the token if these were passed to the `OAuth2Session` constructor. The developer should always be able to choose but it would be nice if we could provide sane defaults.
from requests-oauthlib.
This is the problem with OAuth2: it's sufficiently complicated that we risk having the API get seriously overcomplicated. I'm strongly inclined to make a decision based on what users are likely to need and hard-code that, then let users subclass if they need to change it.
from requests-oauthlib.
Agreed. My thoughts were that if, through happy coincidence, we notice that
- 60% require `client_id` and `client_secret`.
- 10% require Basic auth.
- 10% require `secret_key` and `key_type`

and none of these overlap. Then we could add these parameters by default if present in the `OAuth2Session` constructor. That said, this is likely not the case and might just add too much complexity. But if someone is up for doing this research it might be valuable =)
I think subclassing to provide the various extra args is a good way to go for users and will make a note somewhere to add this to the documentation.
from requests-oauthlib.
Thought a little about this. Better have customizing wrappers rather than tricky/magic logic trying to determine what to send.
from requests-oauthlib.
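The two client authentication placements discussed in this thread, as an added standalone example (not code from requests-oauthlib or from any commenter): it builds the refresh request with the credentials either in an HTTP Basic `Authorization` header or in the request body. The function name `build_refresh_request`, the `client_auth` switch and the sample credentials are assumptions made for this illustration.

```python
import base64
from urllib.parse import quote_plus, urlencode


def build_refresh_request(refresh_token, client_id, client_secret=None,
                          client_auth="basic"):
    """Return (headers, body) for a refresh_token POST to the token endpoint.

    client_auth is a hypothetical switch for this example:
      "basic" - credentials in the Authorization header
      "body"  - client_id and client_secret as form parameters
      "none"  - public client, only client_id is sent
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = [("grant_type", "refresh_token"), ("refresh_token", refresh_token)]

    if client_auth in ("basic", "body") and not client_secret:
        raise ValueError("client_secret is required for %r" % client_auth)

    if client_auth == "basic":
        # RFC 6749 section 2.3.1: form-encode id and secret before Base64,
        # so a ':' inside either value cannot be mistaken for the separator.
        userpass = "%s:%s" % (quote_plus(client_id), quote_plus(client_secret))
        token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    elif client_auth == "body":
        # The secret travels in the form body, so it must never be logged.
        params += [("client_id", client_id), ("client_secret", client_secret)]
    elif client_auth == "none":
        params.append(("client_id", client_id))
    else:
        raise ValueError("unknown client_auth: %r" % client_auth)

    return headers, urlencode(params)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for mode in ("basic", "body"):
        headers, body = build_refresh_request(
            "sample-refresh-token", "my app", "s3cr:et/+", client_auth=mode)
        print(mode, headers.get("Authorization"), body)
```

With `"basic"` the secret never appears in the form body, which keeps it out of request-body logging on either side; with `"body"` it does, so body logging on the token endpoint path needs to be off or redacted.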