Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scope changes with Microsoft services & offline_access #507

Open
attie-argentum opened this issue Nov 16, 2022 · 0 comments
Open

Scope changes with Microsoft services & offline_access #507

attie-argentum opened this issue Nov 16, 2022 · 0 comments

Comments

@attie-argentum
Copy link

attie-argentum commented Nov 16, 2022
edited

I'm trying to set up OAuth2 for unattended access to Microsoft IMAP servers - the refresh_token is important here.

When providing a request scope set as follows:

  • offline_access
  • https://outlook.office.com/User.Read
  • https://outlook.office.com/IMAP.AccessAsUser.All

The service responds with the following (i.e: offline_access is removed):

  • https://outlook.office.com/User.Read
  • https://outlook.office.com/IMAP.AccessAsUser.All

This results in a warning being raised.

Traceback 
Traceback (most recent call last):
  File "./oauth2-test.py", line 51, in <module>
    token = oauth.fetch_token(token_url, client_secret=client_secret, authorization_response=redirect_response)
  File "/usr/lib/python3.8/site-packages/requests_oauthlib/oauth2_session.py", line 366, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 427, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 441, in parse_token_response
    validate_token_parameters(params)
  File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 471, in validate_token_parameters
    raise w
Warning: Scope has changed from "https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All offline_access" to "https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All".

Apparently the offline_access scope should never be returned by Microsoft services, as it's not actually a useful scope for accessing resources (ref).

My current approach (which isn't ideal), is as follows:

oauth = OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scope)
authorization_url, state = oauth.authorization_url(authorize_url)

# remove the `offline_access` scope directly / by hand
oauth.scope.remove('offline_access')

# ... submit the request to authorization_url, and retrieve the token
redirect_response = ...
token = oauth.fetch_token(token_url, client_secret=client_secret, authorization_response=redirect_response)

I'm aware of OAUTHLIB_RELAX_TOKEN_SCOPE (link), but that seems perhaps a little over-permissive.

Perhaps one of the following would be a good idea?

  • A more generic mechanism to permit accepting scope changes
  • A way to supply the expected response set of scopes
  • A list of "I don't mind if these aren't grated" scopes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@attie-argentum