What is OAuth2.0

[maelle]

• What is OAuth (video https://www.youtube.com/watch?v=KT8ybowdyr0). Scope on OAuth2.0
• Examples of APIs needing OAuth
• Why is it difficult to wrap one's head around it? Because although it makes sense that OAuth2.0 involves apps (it's the use case; the OAuth dance needs an app in particular a redirect URI), for an R user it makes little sense. We'll need something playing the role of an app.
• What's the end goal of the OAuth dance
  • An access token with some expiry date. We'll use it in headers.
  • Possibly a refresh token, with a longer life. We'll use it when the access token is expired, in the body of a request.
• How does httr OAuth stuff works (the requests are made, httpuv for listening to the redirect URI) and why is it so handy (the token object has all the info it needs, in requests httr takes what it needs from it, and it's auto-refreshed)
• Testing for OAuth stuff in your package. Create a fake httr OAuth2.0 token with fake credentials; use webfakes.
• Link to gargle source code as a good example.
• Where to save the token, blog post about rappdirs and co.

[maelle]

BYOA vs built-in app. See https://gargle.r-lib.org/articles/get-api-credentials.html#oauth-client-id-and-secret explaining risk.

[maelle]

• What are your secrets with OAuth (the access token and the refresh tokens, wrapped in a file by httr. Important to know the details of how they are passed to the API when you cache API requests/responses by vcr/httptest).