Comments (7)
The `auto_refresh_kwargs` are meant for implicit/automatic token refresh*, docs, using `refresh_token` behind the scenes whenever a token expires during normal API interactions. In contrast, `fetch_token` (i.e. obtaining a new token) will almost always be explicitly called during the OAuth dance. Since the two differ in which parameters are needed I don't think re-using the refresh args is a good idea. I rather dislike the idea of passing/storing kwargs for a method in the constructor but it's necessary for auto refresh. Adding a second set of kwargs for `fetch_token` I'd rather avoid.
However maybe your use-case can convince me otherwise, what did you have in mind where it would be better to pre-store the default args?
from requests-oauthlib.
I agree with what you've said, though likely it is my understanding of the OAuth2 spec that is lacking, but when would an automatic token refresh be different from a manual token fetch?
I haven't worked with very many OAuth2 APIs, so it's quite likely I simply haven't run into the scenario myself.
from requests-oauthlib.
An automatic refresh is not different from a manual refresh, but it is different from a token fetch in that you refresh your access token rather than obtaining an initial one.
Using Google as an example.
- You get an access token and a refresh token through the webserver OAuth dance. Part of which includes redirecting the user to Google.
- You store the tokens in your DB
- You fetch some G+ posts using the access token.
- The user goes away for a while.
- The user returns and wants to continue using your app.
- You load up the access token and refresh token from DB and continue.
- Fetch another G+ post, but it fails.
- Turns out the access token is expired so requests-oauthlib automatically goes and gets a new access token using the refresh token and a HTTPS POST request.
- Fetch the G+ post again, this time it worked.
As you see above the time point where a token is refreshed is very different from when it is first obtained. A refresh is invisible to the user. Obtaining a token (using fetch_token) is most often not.
To get an access and refresh token you could use most of the different flavours of the OAuth dance, e.g. webserver and installed together with `fetch_token`. Once that is done you can refresh the access token when it expires (could be within an hour) using the refresh token (which maybe never expires). This refreshing differs from each of the OAuth dances above, it is actually its own OAuth dance (grant type) on its own, and a pretty simple one too. The token refresh can be done as long as you have a refresh token, it does not depend on how you got the refresh token in the first place.
The reason there is one `fetch_token` and one `refresh_token` method rather than just `fetch_token` is that the latter usually follows the former and was intended to be less confusing rather than re-using `fetch_token` for token refresh.
from requests-oauthlib.
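The stored-token part of the walkthrough above (load tokens, hit the API, transparent refresh, retry), as an added example that is not part of the thread or the project's own code. The endpoints, client credentials and the `FakeProvider` transport adapter are constructed assumptions so the flow runs offline; the adapter records which parameters the automatic refresh actually sends.

```python
import json
from urllib.parse import parse_qsl

import requests
from requests.adapters import BaseAdapter
from requests_oauthlib import OAuth2Session

TOKEN_URL = "https://auth.example.test/token"  # assumed token endpoint
API_URL = "https://api.example.test/posts"     # assumed protected resource

class FakeProvider(BaseAdapter):
    """Constructed offline stand-in for the token endpoint and the API."""
    def __init__(self):
        super().__init__()
        self.refresh_forms = []  # form bodies POSTed to TOKEN_URL
        self.api_auth = []       # Authorization headers the API received

    def send(self, request, **kwargs):
        if request.url == TOKEN_URL:
            self.refresh_forms.append(dict(parse_qsl(request.body)))
            payload = {"access_token": "new-access", "token_type": "Bearer",
                       "expires_in": 3600}
        else:
            self.api_auth.append(request.headers.get("Authorization"))
            payload = {"posts": ["constructed post"]}
        resp = requests.Response()
        resp.status_code, resp.encoding = 200, "utf-8"
        resp._content = json.dumps(payload).encode()
        resp.request, resp.url = request, request.url
        return resp

    def close(self):
        pass

def resume_session(db, provider):
    """Rebuild a session from stored tokens; refresh happens implicitly."""
    session = OAuth2Session(
        "my-client-id", token=db["token"], auto_refresh_url=TOKEN_URL,
        # Sent only with the refresh grant, never with the initial fetch.
        auto_refresh_kwargs={"client_id": "my-client-id",
                             "client_secret": "my-secret"},
        token_updater=lambda tok: db.update(token=dict(tok)),
    )
    session.mount("https://", provider)  # route all traffic to the fake
    return session

def demo():
    # Constructed stored token; a negative expires_in marks it as expired.
    db = {"token": {"access_token": "old-access", "token_type": "Bearer",
                    "refresh_token": "stored-refresh", "expires_in": -30}}
    provider = FakeProvider()
    posts = resume_session(db, provider).get(API_URL).json()
    return posts, provider, db
```

Inspecting `provider.refresh_forms` after `demo()` shows exactly what left the client during the refresh, which is the place to confirm that no parameters meant for the initial grant were sent along.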
Yes, I get how the flow works. My point was: Are there scenarios when you would give `fetch_token` different extra kwargs than `refresh_token`?
In my code, I pass the `client_id` and `client_secret` to `fetch_token(...)`, but I also pass the same extra kwargs to `auto_refresh_kwargs=...` in my constructor. Felt redundant, that's all. :)
from requests-oauthlib.
Ah, my apologies for the walls of text then :)
It is probably often the same for authorization code grant but less likely when using resource owner password credentials grant. It is a balancing act here, for many it might work to just re-use them but for some it won't and might end up causing very confusing problems since some arguments get passed unexpectedly. I agree it feels redundant but I tend to opt for least surprise.
There might be a nicer way to deal with it than appears to me now, feel free to point it out if you find it :)
from requests-oauthlib.
Totally fair. Also, my fault for not being clear. Thank you for taking the time to explain. :)
Really enjoying the library so far, looking forward to contributing at some point!
from requests-oauthlib.
Looking forward to it :) One invaluable thing you might do as you get familiar is to point out shortcomings in the documentation in #48.
from requests-oauthlib.