feat(integrations): Vsts OAuth refresh

[lauryndbrown]

No description provided.

[lauryndbrown]

Had anticipated moving things in here, but couldn't figure out a clean way of doing so. Open to suggestions, otherwise I'll just remove this code.

[evanpurkhiser]

Did you see what we did in the auth version of the Oauth2 provider?

sentry/src/sentry/auth/providers/oauth2.py

Lines 181 to 216 in f683f22

	def refresh_identity(self, auth_identity):
	refresh_token = auth_identity.data.get('refresh_token')
	if not refresh_token:
	raise IdentityNotValid('Missing refresh token')
	data = self.get_refresh_token_params(
	refresh_token=refresh_token,
	)
	req = safe_urlopen(self.get_refresh_token_url(), data=data)
	try:
	body = safe_urlread(req)
	payload = json.loads(body)
	except Exception:
	payload = {}
	error = payload.get('error', 'unknown_error')
	error_description = payload.get('error_description', 'no description available')
	formatted_error = 'HTTP {} ({}): {}'.format(req.status_code, error, error_description)
	if req.status_code == 401:
	raise IdentityNotValid(formatted_error)
	if req.status_code == 400:
	# this may not be common, but at the very least Google will return
	# an invalid grant when a user is suspended
	if error == 'invalid_grant':
	raise IdentityNotValid(formatted_error)
	if req.status_code != 200:
	raise Exception(formatted_error)
	auth_identity.data.update(self.get_oauth_data(payload))
	auth_identity.update(data=auth_identity.data)

We can probably do something really similar here and whatever needs to call refresh can do `identity.get_provider().refresh_identity(identity)

[lauryndbrown]

The error handling is the same code from the old oauth code. I was wondering if that was still the desired behavior here?

[evanpurkhiser]

Yeah this is fine I think, we probably want to know what the error is

[lauryndbrown]

This is small, but I sort of wish I had a different name for this. Open to suggestions.

[evanpurkhiser]

The name sounds good to me actually

[lauryndbrown]

I really wanted to put this in the OAuth2ApiClient class, but I didn't also want to have to go back and alter the headers/url/whatever the subclass using the old identity did.So, I felt this was the best option. Open to suggestions.

[evanpurkhiser]

This looks good to me :)

[evanpurkhiser]

I think I'd change the parameter name from auth_identity to just identity, since where this code was previously was specific to auth identities (which are still a separate thing)

[evanpurkhiser]

nit: Does this need to be on multiple lines?

[evanpurkhiser]

This seems a little strange, why would the refresh token be something that comes from the configuration object that's passed to the provider?

I'm not sure if this is used anywhere, maybe it's just some code that didn't get removed?

[lauryndbrown]

Good catch. I'll remove it.

[evanpurkhiser]

Yeah this is fine I think, we probably want to know what the error is

[evanpurkhiser]

The identity provider has redirect URLs abstracted from it, I think this is breaking that abstraction. For example you can see her how it works

sentry/src/sentry/identity/oauth2.py

Line 144 in ea1b647

redirect_uri=absolute_uri(pipeline.redirect_url()),

However in this case we have access to the pipeline from the dispatched method.

Reading further though I'd like to understand more why we actually need this, checkout some of my following comments.

[evanpurkhiser]

I'm not sure I understand why there's this redirect URL? Doesn't this call happen from our server?

[lauryndbrown]

So @evanpurkhiser it's a VSTS thing. If you check out the docs the redirect URL is used as a check. The redirect URL is required to match the redirect url that was registered within the app, so passing it is required. This is true even in the case you're refreshing the token.

More here: https://docs.microsoft.com/en-us/vsts/integrate/get-started/authentication/oauth?view=vsts

[lauryndbrown]

Let me know if there's a better way of doing it. This was the best I could think to make the minimal changes possible

[evanpurkhiser]

I wonder if maybe we could actually make this more of a mixin OAuth2RefreshingMixin, so instead of this extending ApiClient, it's just a mixin that has this functionality. Since this also ties the client specifically to using identities.

[evanpurkhiser]

The name sounds good to me actually

[evanpurkhiser]

This looks good to me :)

[evanpurkhiser]

Actually we want to keep this hardcoded here I think, since the extensions/vsts/setup is integration specific, where as identity related things not specific to integrations.