async API

[legokichi]

#44 (comment)

[legokichi]

reqwest puts lowercase letters.
https://docs.rs/reqwest/0.9.3/src/reqwest/async_impl/request.rs.html#171

[ramosbugs]

thanks for the reference! looking at https://tools.ietf.org/html/rfc7235#section-2.1, the auth scheme is indeed supposed to be case insensitive. hopefully this won't cause any compatibility issues with off-spec server implementations.

[legokichi]

I'm thinking of using hyper instead of reqwest.
reqwest does not have HttpConnector API -
https://docs.rs/hyper/0.12.12/hyper/client/struct.HttpConnector.html

ex.

• https://rusoto.github.io/rusoto/rusoto_core/request/struct.HttpClient.html#method.from_connector
• https://actix.rs/actix-web/actix_web/client/struct.ClientConnector.html#method.with_connector

[ramosbugs]

thanks for the PR! I'm traveling this weekend, but I'll take a look next week.

[legokichi]

from here https://github.com/rusoto/rusoto/blob/7640ca3de1e6486b0b25bce395810a9434a66ee5/rusoto/core/src/signature.rs#L593

[ramosbugs]

I'm finding the chain of specs referenced by https://tools.ietf.org/html/rfc6749#appendix-B to be a bit hard to follow, so it's not super clear to me exactly which characters need to be escaped (especially since we're dealing with an HTTP header here, rather than a URI). This code does seem to maintain the current behavior as implemented in https://github.com/curl/curl/blob/master/lib/escape.c#L40, but I wonder if it would suffice to use
USERINFO_ENCODE_SET, which seems to be intended for username and password escaping (according to https://github.com/dtolnay/url/blob/master/UPGRADING.md).

@DeeUnderscore do you have any thoughts here, as the author of #41? (see usage below)

[DeeUnderscore]

By my reading, this adheres to application/x-www-form-urlencoded—everything outside of the permitted bytes is encoded. This WHATWG spec seems to be essentially equivalent to what RFC6749 wanted when it described the encoding in Appendix B.

URLs can use forms of percent encoding which aren't application/x-www-form-urlencoded, since they permit more byte ranges (presumably to make URLs more readable). USERINFO_ENCODE_SET (WHATWG ref), in particular, is intended for the userinfo component of a URL, ie. the user:password in https://user:password@example.org/.

In practical terms, you could probably get away with a less strict encoding, and I suspect most OAuth implementations in the wild avoid using characters which could cause problems anyway. But, for closest adherence to the standard I'd recommend what this PR is doing.

[ramosbugs]

Thanks for the reference and rationale! That makes sense; I agree with the recommendation.

The encoding here does seem to deviate ever so slightly from the WHATWG spec, though:

• spaces encoded with %20 instead of +
• asterisks (0x2A) excluded from the encoding set but mentioned by WHATWG
• tildes (0x7E) included in encoding set but excluded by WHATWG

None of these deviations seems particularly problematic, though it's probably safer for interoperability to err on the side of percent-encoding more values rather than fewer. Unless there's an error in the WHATWG spec, we should probably remove tildes from this set.

[DeeUnderscore]

Seems reasonable. While the RFC specifically gives spaces as + in an example, a properly implemented decoder should consume %20 fine, too.

[legokichi]

I think add hyper::Client to oauth2::Client structure as member and create oauth2::Client::with_connector static method.

[ramosbugs]

Sorry for the delay! Looking this PR over now.

I'm thinking of using hyper instead of reqwest.
reqwest does not have HttpConnector API -
https://docs.rs/hyper/0.12.12/hyper/client/struct.HttpConnector.html

I think it's definitely useful (often required) for clients to be able to specify connection parameters, including TLS settings (trusted CA certs, cipher suites, etc.) and proxy configs. This functionality has been missing from this crate so far, so thank you for bringing it up!

However, it doesn't look like hyper::client::HttpConnector really lets us specify these parameters. Rather, that interface seems to deal with lower level network options. What sort of customization were you hoping to support via HttpConnector?

As an alternative, reqwest::async::ClientBuilder does seem to allow significant customization: https://docs.rs/reqwest/0.9.4/reqwest/async/struct.ClientBuilder.html. What if we add a set_http_client method to oauth2::Client so that users can pass in their own reqwest::async::Clients?

• https://actix.rs/actix-web/actix_web/client/struct.ClientConnector.html#method.with_connector

it looks like this one refers to a different interface (openssl's SslConnector struct rather than hyper's Connect trait)

---

I'll submit comments on the rest of the PR soon.

[ramosbugs]

Thanks again for the PR!

In addition to supporting the async API, I think we should still provide a sync API. That should reduce the boilerplate for callers that want sync behavior, and in particular make this breaking change easier for existing code to adopt.

We probably want both sync and async versions of Client, similar to what reqwest does. What I'm not sure of is which interface should be the default. We could either have oauth2::Client be sync and oauth2::async::Client be async or vice versa (oauth2::Client is async and oauth2::sync::Client is sync).

The former is nice because the default interface matches the underlying implementation, while the latter is nice because it avoids making a breaking change altogether (I think). What do you think?

[ramosbugs]

let's add a newline at the end here

[ramosbugs]

nit: sort imports

Suggested change

extern crate reqwest;

[ramosbugs]

Suggested change

use url::percent_encoding::{utf8_percent_encode, EncodeSet};

[ramosbugs]

a panic is probably undesirable here. it seems like we have a few options:

• return an Err if the header contains non-ASCII chars
• set content_type to None in this case
• change the type of RequestTokenResponse::content_type to Option<reqwest::header::HeaderValue>

I think the last option is probably the cleanest here, but the first seems fine too.

[ramosbugs]

I think we can simplify this to:

.and_then(|token_response| {
    if token_response.http_status != 200 {
        ....
    }
    ...
})

In other words, the inner closure is already returning a Result, which transforms automatically into FutureResult courtesy of impl From<Result<T, E>> for FutureResult<T, E>. This lets us remove the redundant:

Ok(()).and_then(|| {
    ...
}).into_future()

[ramosbugs]

I'm finding the chain of specs referenced by https://tools.ietf.org/html/rfc6749#appendix-B to be a bit hard to follow, so it's not super clear to me exactly which characters need to be escaped (especially since we're dealing with an HTTP header here, rather than a URI). This code does seem to maintain the current behavior as implemented in https://github.com/curl/curl/blob/master/lib/escape.c#L40, but I wonder if it would suffice to use
USERINFO_ENCODE_SET, which seems to be intended for username and password escaping (according to https://github.com/dtolnay/url/blob/master/UPGRADING.md).

@DeeUnderscore do you have any thoughts here, as the author of #41? (see usage below)

[ramosbugs]

since each test needs to do this, let's define a function that takes a future, creates a runtime, blocks on it, and returns the result. it's probably worth trying to minimize the test boilerplate.

[legokichi]

futures trait also changes greatly in Rust 2018.
How about doing this as a provisional response for the past few months?

• exchange_code_async
• exchange_password_async
• exchange_client_credentials_async
• exchange_refresh_token_async

[legokichi]

Alternative choice: just constructs and returns http::request::Request object.
We can chose own http request library e.g. curl, reqwest, hyper, actix-web ...etc.

[ramosbugs]

I think it's fine to put the pre-Rust 2018 async functionality into this crate. However, I think we should do this via a separate Client implementation (i.e., oauth2::async::Client). Then, when we're ready to add support for Rust 2018 async, we can call that oauth2::async2018::Client or something. Each of these can present the same exchange_* functions, just with different return types. This change will probably require some refactoring to share as much code as possible between the different Client implementations.

[ramosbugs]

also, the reason I don't think returning Request objects would work well is that we'd then have to offer an interface for callers to pass the response back in for us to parse

[legokichi]

Here are the implementations of https_connector.

• native-tls: https://github.com/hyperium/hyper-tls
• rustls: https://github.com/ctz/hyper-rustls
• https://github.com/pimeys/hyper-alpn
• https://github.com/sfackler/hyper-native-tls
• https://github.com/sfackler/hyper-openssl

[ramosbugs]

based on the conversation above, I think we should probably remove tilde

[ramosbugs]

I think it's fine to put the pre-Rust 2018 async functionality into this crate. However, I think we should do this via a separate Client implementation (i.e., oauth2::async::Client). Then, when we're ready to add support for Rust 2018 async, we can call that oauth2::async2018::Client or something. Each of these can present the same exchange_* functions, just with different return types. This change will probably require some refactoring to share as much code as possible between the different Client implementations.

[ramosbugs]

Looks like there are some merge conflicts now based some other PRs I merged

[ramosbugs]

Added some minor cleanup here to 3ca27ff. Mind pulling in those changes, or giving me permissions to update this PR?

[ramosbugs]

also, the reason I don't think returning Request objects would work well is that we'd then have to offer an interface for callers to pass the response back in for us to parse

[ramosbugs]

Here are the implementations of https_connector.

• native-tls: https://github.com/hyperium/hyper-tls
• rustls: https://github.com/ctz/hyper-rustls
• https://github.com/pimeys/hyper-alpn
• https://github.com/sfackler/hyper-native-tls
• https://github.com/sfackler/hyper-openssl

Ohh, I see. So it looks like what we really want to accept is a struct that implements the hyper::client::connect::Connect trait, which can do anything it wants as long as it yields a (hyper::client::connect::Connect::Transport, hyper::client::connect::Connected). Something like what you mentioned above should work, e.g.:

pub struct Client<C: Connect, EF: ExtraTokenFields, TT: TokenType, TE: ErrorResponseType> {
    connector: C,
    ...
}

// new() sets a sensible default (and secure) connector (require HTTPS, etc.)

pub fn with_connector(mut self, connector: C) -> Self {
    self.connector = connector;

    self
}

[bachp]

I would like to use this in the context of actix-web. So I would be very happy if there is a way to specify the client library to use (reqwest, actix, ...). Did you already give any toughts on how this could be done?

If it would be desired to have this as a feature I might be able to come up with a PR that allows to select actix-web as a replacement for reqwest.

[ramosbugs]

I would like to use this in the context of actix-web. So I would be very happy if there is a way to specify the client library to use (reqwest, actix, ...). Did you already give any toughts on how this could be done?

I think the simplest approach to supporting multiple HTTP clients is probably via a trait. Since the hyper::client::connect::Connect trait is quite low level, I think it's a good candidate. This also lets people use hyper by default, which seems to have a significantly larger volume of downloads on crates.io than reqwest or actix-web. Other client libraries could potentially be used by writing wrappers that implement the hyper::client::connect::Connect trait on top of those libraries.

Alternatively, we could probably do something at compile time based on feature flags, but I haven't looked into that much, and it feels like that would be harder to maintain over time.

Was there specific functionality from actix-web that you were looking to use in conjunction with this crate? Understanding the use case a bit more might help illuminate the right solution.

I think it's also probably worth filing a separate Github issue for this so that we can refocus #44 on the async discussion, and the new issue on the need for a generic HTTP client interface.

[ramosbugs]

latest master now features an async API with pluggable HTTP clients