This should resolve the issue that @michaelhelmick had in kennethreitz/requests#1366. In short, the keys for doing Transport Adapter lookups are native strings, but requests_oauthlib turns the URL into bytes. Not helpful. This prevents that behaviour while avoiding regressing kennethreitz/requests#1252.

I've been trying to wrap my head around refresh tokens and the OAuth2 web example (https://requests-oauthlib.readthedocs.org/en/latest/examples/real_world_example.html). Would it be possible to provide an example usage of refresh tokens in that context? Where in the code it would go, etc?

Just a suggestion! :grin:

Each time the oauthlib library is changed, I have to change my code because the behaviour changes. So, can you fix the version of the libraries that you use? At least you should fix the mayor number of the dependencies since when this number changes, the API often changes.

@Lukasa asked me to raise this error in this repo as well:

Hey guys, just wanted to bring this issue forward. With requests 1.0.0 So the error came from when I went to test Twython with the new requests release.

And because it bothered me, I removed self from all variables that used self like self.callback_url Also, I striped the code out of the actual function get_authentication_tokens (so that's why you'll see ref to that function in the traceback)

import requests
from requests_oauthlib import OAuth1

app_key = u'SUPERDUPERSECRETKEY'
app_secret = u'SUPERDUPERSECRETSECRET'

callback_url = 'http://example.com'
headers = {'User-Agent': 'Twython v2.5.5'}
auth = OAuth1(app_key, app_secret,
                               signature_type='auth_header')

request_args['oauth_callback'] = callback_url
response = requests.get('https://api.twitter.com/oauth/request_token', params=request_args, headers=headers, auth=auth)

if response.status_code != 200:
    raise TwythonAuthError("Seems something couldn't be verified with your OAuth junk. Error: %s, Message: %s" % (response.status_code, response.content))

request_tokens = dict(parse_qsl(response.content))
if not request_tokens:
    raise TwythonError('Unable to decode request tokens.')

oauth_callback_confirmed = request_tokens.get('oauth_callback_confirmed') == 'true'

auth_url_params = {
    'oauth_token': request_tokens['oauth_token'],
}

# Use old-style callback argument if server didn't accept new-style
if callback_url and not oauth_callback_confirmed:
    auth_url_params['oauth_callback'] = callback_url

request_tokens['auth_url'] = 'https://api.twitter.com/oauth/authenticate?' + urllib.urlencode(auth_url_params)

return request_tokens

Anyways, when I try to run this code I get the error:

Traceback (most recent call last):
  File "twython.py", line 585, in <module>
    auth_props = t.get_authentication_tokens()
  File "twython.py", line 271, in get_authentication_tokens
    response = requests.get('https://api.twitter.com/oauth/request_token', params=request_args, headers=headers, auth=self.auth)
  File "/Users/mikehelmick/.virtualenv/twython/lib/python2.7/site-packages/requests/api.py", line 49, in get
    return request('get', url, **kwargs)
  File "/Users/mikehelmick/.virtualenv/twython/lib/python2.7/site-packages/requests/api.py", line 38, in request
    return session.request(method=method, url=url, **kwargs)
  File "/Users/mikehelmick/.virtualenv/twython/lib/python2.7/site-packages/requests/sessions.py", line 253, in request
    prep = req.prepare()
  File "/Users/mikehelmick/.virtualenv/twython/lib/python2.7/site-packages/requests/models.py", line 200, in prepare
    p.prepare_auth(self.auth)
  File "/Users/mikehelmick/.virtualenv/twython/lib/python2.7/site-packages/requests/models.py", line 336, in prepare_auth
    r = auth(self)
  File "/Users/mikehelmick/.virtualenv/twython/lib/python2.7/site-packages/requests_oauthlib/core.py", line 41, in __call__
    decoded_body = extract_params(r.data)
AttributeError: 'PreparedRequest' object has no attribute 'data'

We've finally got some stuff up on ReadTheDocs, but it's not great. This issue is an umbrella tracking issue, so I can tick stuff off as we go. Here are some things we need to do: feel free to suggest more in the comments.

• [ ] Sort out the README (partly in #46).
• [x] Sort out Intersphinx (see #47).
• [ ] Remove lengthy worked examples from the API docs.
• [ ] Put lengthy worked examples somewhere else (see #46).
• [ ] Improve clarity of API docs.
• [ ] Improve landing page.
• [ ] Tutorials. Lots of tutorials. A whole tutorials section (see #49).

Using Flask_OAuth2_Login (for example):

  def login(self):
    sess = self.session()

    # Get token
    try:
      sess.fetch_token(
        self.token_url,
        code=request.args["code"],
        client_secret=self.client_secret,
      )

results in:

  File "/lib/python2.7/site-packages/flask_oauth2_login/base.py", line 56, in login
    client_secret=self.client_secret,
  File "/lib/python2.7/site-packages/requests_oauthlib/oauth2_session.py", line 232, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 409, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 376, in parse_token_response
    validate_token_parameters(params)
  File "/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 383, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 271, in raise_from_error
    raise cls(**kwargs)

This is due to a change introduced in 0.6.0 in oauth2_session.py/fetch_token:

auth = auth or requests.auth.HTTPBasicAuth(username, password)

whereas previously auth was allowed to remain empty. Google responds with:

{
  "error" : "invalid_request"
}

and everything falls down from there. Commenting out the line allows the request to complete normally.

This should resolve requests-oauthlib's problems with uploading binary data, as demonstrated in kennethreitz/requests#1252.

@sigmavirus24, can I get code review on this before I merge into master?

OAuth2Session(client_id=client_id, client=client) return 403 error in production environment. Works good in localhost

In localhost and production environment I disabled OAUTHLIB_INSECURE_TRANSPORT os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'

OAuth requires spaces to be encoded as %20 instead of + in order to generate a valid signature.

Explained in http://troy.yort.com/2-common-problems-with-oauth-client-libraries/

Before this patch, I was unable to use Yahoo!'s BOSS Placefinder API, which now seems to be responding correctly to me, instead of what it used to say:

<?xml version='1.0' encoding='UTF-8'?>
<yahoo:error xmlns:yahoo='http://yahooapis.com/v1/base.rng'
  xml:lang='en-US'>
  <yahoo:description>Please provide valid credentials. OAuth oauth_problem="signature_invalid", realm="yahooapis.com"</yahoo:description>
</yahoo:error>

I've added some initial tests and cleaned up the extension code a bit.

Unfortunately this code depends heavily on an update to requests.models.py in which lines 200 & 201 are swapped, i.e.

    p.prepare_auth(self.auth)
    p.prepare_body(self.data, self.files)

becomes

    p.prepare_body(self.data, self.files)
    p.prepare_auth(self.auth)

Why? Because we have no idea in auth whether body will soon be filled with files data or not and consequently it would be foolish to assume form encoded on empty body.

I've not had time to look into what implications this might have for requests. Will send a PR when I have. @kennethreitz

The current 0.3.0 release is pretty old and we've fixed a few bugs, as well as added a massive amount of functionality. I want to get this library into a shape where we can pass it to Kenneth all he has to do is tag it and go. @ib-lundgren, @sigmavirus24, is there anything we need to do?

I'm trying to set up OAuth2 for unattended access to Microsoft IMAP servers - the refresh_token is important here.

When providing a request scope set as follows:

• offline_access
• https://outlook.office.com/User.Read
• https://outlook.office.com/IMAP.AccessAsUser.All

The service responds with the following (i.e: offline_access is removed):

• https://outlook.office.com/User.Read
• https://outlook.office.com/IMAP.AccessAsUser.All

This results in a warning being raised.

Traceback (most recent call last):
  File "./oauth2-test.py", line 51, in <module>
    token = oauth.fetch_token(token_url, client_secret=client_secret, authorization_response=redirect_response)
  File "/usr/lib/python3.8/site-packages/requests_oauthlib/oauth2_session.py", line 366, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 427, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 441, in parse_token_response
    validate_token_parameters(params)
  File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 471, in validate_token_parameters
    raise w
Warning: Scope has changed from "https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All offline_access" to "https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All".

Apparently the offline_access scope should never be returned by Microsoft services, as it's not actually a useful scope for accessing resources (ref).

My current approach (which isn't ideal), is as follows:

oauth = OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scope)
authorization_url, state = oauth.authorization_url(authorize_url)

# remove the `offline_access` scope directly / by hand
oauth.scope.remove('offline_access')

# ... submit the request to authorization_url, and retrieve the token
redirect_response = ...
token = oauth.fetch_token(token_url, client_secret=client_secret, authorization_response=redirect_response)

I'm aware of OAUTHLIB_RELAX_TOKEN_SCOPE (link), but that seems perhaps a little over-permissive.

Perhaps one of the following would be a good idea?

• A more generic mechanism to permit accepting scope changes
• A way to supply the expected response set of scopes
• A list of "I don't mind if these aren't grated" scopes

The version of requests pinned by this library is 2.26.0.

requests==2.26.0

Currently, requests is at version 2.28.1. Please consider updating the requirements or leaving the requests version unpinned, as it is in requirements.in.

Thanks!

I have a use case were sometimes my stored users' tokens expire and thus they need to reauthenticate into whatever app I'm trying to request data from.

In these cases I get an error 400 from the api I'm requesting from and simply ask my user to reauthenticate using my usual oAuth2 flow.

Since I don't know exactly when a token will expire my current approach is to wrap every request I make to these apis in a try catch and then handle the exception from there.

I noticed that there are some compliance hooks and was wondering if it would be appropriate to add something like a refresh_token_exception hook to be called if the library runs into an error code while refreshing the token as opposed to just calling the usual refresh_token_response with the raw response.

If this makes sense I would be happy to submit a pull request for it

https://github.com/requests/requests-oauthlib/blob/3a2a852e33c691c7e793300ce366a01b6e4b3848/requests_oauthlib/oauth2_session.py#L94

Using an expired access token with Microsoft Exchange Online for sending Outlook e-mails under exchangelib runs into an infinite loop during the token refresh just because the app creds are bundled into the body structure instead of being provided as a (client_id, client_secret) pair given the auth object. (context)

Is it possible to automatically create and use an auth object (if it isn't provided explicitly by the caller) based on these refresh kwargs (if they contain the client creds) right inside of oauth2_session.OAuth2Session.refresh_token so the /token POST will benefit from this implicit auth object and make the server auth working with Exchange?

Since oauthlib 3.2.0 now supports PKCE for Clients (https://github.com/oauthlib/oauthlib/releases/tag/v3.2.0), this PR proposes a first implementation . Any feedbacks are welcome, I'm not sure it is production ready yet.

Change from: session = OAuth2Session(client_id) to session = OAuth2Session(app.client_id, pkce="S256")

And be sure to reuse the same session for fetch_token, as it will need to remember code_verifier. It is not really practical beyond PoC, so any suggestions are welcome.