Is your feature request related to a problem? Please describe.
It's not possible to execute an additional request when using automatic token refresh.
Describe the solution you'd like
Be able to define an async function as a compliance hook.
Example:
```python
import httpx
from authlib.common.urls import add_params_to_qs
from authlib.integrations.httpx_client import AsyncOAuth2Client


def withings_compliance_fix(session: AsyncOAuth2Client):
    async def _fix_refresh_token_request(url, headers, body):
        async with httpx.AsyncClient() as client:
            nonce_response = await client.post(...)  # call Withings api to get a nonce
        signing_params = ...  # use the nonce to add the additional required parameters
        body = add_params_to_qs(body, signing_params)
        return url, headers, body

    session.register_compliance_hook(
        "refresh_token_request", _fix_refresh_token_request
    )


oauth.register(
    name="withings",
    # ...
    compliance_fix=withings_compliance_fix,
)
```
This fails in `client.py:refresh_token()`:
Error:
TypeError: cannot unpack non-iterable coroutine object
Describe alternatives you've considered
Alternative 1: custom `Auth`.
I've tried an alternative which worked for retrieving the initial access token, specifying an alternate `Auth` implementation:
This approach doesn't work when I want to access a resource, using an expired access token.
If I specify my custom `auth` in the `post()` function, then the `Authorization: Bearer` header isn't added to requests with a non-expired token.
Even ignoring this problem with the Authorization header, my custom auth wouldn't be used anyway to refresh the token. In `oauth2_client.py:ensure_active_token()`, we have:
It doesn't pass any `auth` argument to `fetch_token`. It falls back to `OAuth2ClientAuth`.
Alternative 2: Don't sign requests
Additional context
Withings supports two ways to retrieve tokens. Here's the api doc.
It supports "using signature", which is what I've tried to do here.
It also supports "using secret". In this case, Authlib works just fine with `token_endpoint_auth_method=client_secret_post`.
I just thought it would be better to not send the client secret over the network if possible. Note that, it appears that some of Withings apis (not all) require the signature approach.
Note: even though the Withings api has notions of nonce and signature, it doesn't appear to be oauth1. With `client_secret_post`, it works fine with Authlib oauth2 apis.
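The failure reported in this issue, reproduced with the standard library only, as an added example that is not part of the original post and is not Authlib's code: a synchronous hook dispatcher raises the reported `TypeError` when handed an async hook, while a dispatcher that awaits awaitable results lets the hook fetch a nonce and sign the refresh request. All names here (`run_hooks_sync`, `run_hooks_async`, `fetch_nonce`, `signing_hook`), the token URL, the secret, the nonce and the HMAC-over-nonce scheme are assumptions made for illustration, not the Withings specification.

```python
import asyncio
import hashlib
import hmac
import inspect
import warnings
from urllib.parse import parse_qsl, urlencode

CLIENT_SECRET = b"constructed-secret"      # constructed sample value
TOKEN_URL = "https://example.invalid/token"  # constructed sample value

def run_hooks_sync(hooks, url, headers, body):
    # Synchronous dispatch: unpacks whatever the hook returns.
    for hook in hooks:
        url, headers, body = hook(url, headers, body)
    return url, headers, body

async def run_hooks_async(hooks, url, headers, body):
    # Accepts plain and async hooks: await the result only if it is awaitable.
    for hook in hooks:
        result = hook(url, headers, body)
        if inspect.isawaitable(result):
            result = await result
        url, headers, body = result
    return url, headers, body

async def fetch_nonce():
    # Stand-in for the extra HTTP request; returns a constructed nonce.
    await asyncio.sleep(0)
    return "nonce-123"

async def signing_hook(url, headers, body):
    nonce = await fetch_nonce()
    # Drop the secret from the request body and send a signature instead.
    params = [(k, v) for k, v in parse_qsl(body) if k != "client_secret"]
    # Assumed scheme, for illustration only: HMAC-SHA256 over the nonce.
    sig = hmac.new(CLIENT_SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return url, headers, urlencode(params + [("nonce", nonce), ("signature", sig)])

def sync_dispatch_error(body):
    # Returns the error text the synchronous dispatcher raises for an async hook.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", RuntimeWarning)  # coroutine never awaited
        try:
            run_hooks_sync([signing_hook], TOKEN_URL, {}, body)
        except TypeError as exc:
            return str(exc)

def signed_params(body):
    _, _, new_body = asyncio.run(run_hooks_async([signing_hook], TOKEN_URL, {}, body))
    return dict(parse_qsl(new_body))
```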