PR for #585, client_id behavior with prepare_request_body
#593
Conversation
* `prepare_request_body` client_id is deprecated in favor of include_client_id * a new unit test `test_prepare_request_body` is added to ensure conformity of several use cases * the docstrings for the `body` param have been consolidated and standardized across multiple functions linked to `prepare_request_body` for clarity
integrated against requests_oauthlib idea
* added LegacyApplicationClient tests to ensure the grant supports a variety of allowed methods
|
Cross reference to paired requests-oauthlib PR - requests/requests-oauthlib#331 |
There was a problem hiding this comment.
Hi @jvanasco, I tried to review your changes, those are great. It is the in the right direction, the RFC's one ! While preserving ability to work with broken implem', that's great.
However, the include_client_id stuff should be moved to parameters.prepare_token_request instead. Why ? Because this auth stuff is not tied to a specific grant type, but to all: it is eligible to password (LegacyApplicationClient), refresh_token (base Client), client_credentials (BackendApplicationClient) and authorization_code (WebApplicationClient).
The good thing, is that all those Clients have a thing in common: they call parameters.prepare_token_request(.., **kwargs). Once that's done, I think you can also extend the tests for the other Clients, if possible.
Let me know your thoughts!
PS: don't hesitate to join in Gitter#oauthlib to discuss!
Agreed. I'll make the change and circle back here. I was just updating the tests, and they were starting to lead me to this same conclusion. |
|
My latest commit has the following:
|
There was a problem hiding this comment.
LGTM! Would be great to have feedback from someone else.. poke @skion ?
| # pull the `client_id` out of the kwargs. | ||
| client_id = kwargs.pop('client_id', None) | ||
| if include_client_id: | ||
| if client_id is not None: |
There was a problem hiding this comment.
It seems that client_id isn't used in this function except in this line... I'm not sure if I understand why we'd need include_client_id in this function's signature in that case.
There was a problem hiding this comment.
There was a request by @JonathanHuot (above) to migrate the include_client_id functionality into this function, as it is shared by a few endpoints/clients.
The section of code you cited pulls client_id out of the kwargs and conditionally appends it to params (line 144, not included above) - if it is None, it will not appear in the params, but an empty string will. This allows an empty string to be sent for client_id if the oAuth server requires/prefers that to omitting the argument (the RFC supports both, and we should expect some servers to be broken and support only one or the other). By pulling client_id out of the kwargs, the logic operating on the kwargs does not affect it -- that logic requires a true-ish value (so no empty string is possible).
include_client_id was put in the function's signature because it is defaulting to True. client_id was left out of the signature and documented as an explicitly supported kwarg because of it's significance in here.
an alternate approach would be removing include_client_id here, but then we'd have to implement the logic to include or exclude the client_id in each subclass method which invokes this method.
There was a problem hiding this comment.
It feels a bit fiddly with the None, False, True options and I'd be inclined to put the logic in the individual client classes, but am happy with this too.
There was a problem hiding this comment.
Excellent work on this @jvanasco and @JonathanHuot! Good to have in 3.0.
| # pull the `client_id` out of the kwargs. | ||
| client_id = kwargs.pop('client_id', None) | ||
| if include_client_id: | ||
| if client_id is not None: |
There was a problem hiding this comment.
It feels a bit fiddly with the None, False, True options and I'd be inclined to put the logic in the individual client classes, but am happy with this too.
| if kwargs[k]: | ||
| params.append((unicode_type(k), kwargs[k])) | ||
|
|
||
| if ('client_secret' in kwargs) and ('client_secret' not in params): |
There was a problem hiding this comment.
wow, thanks for this comment. i actually found a weird issue from this and am rewriting the function a bit!
There was a problem hiding this comment.
fixed, and with a comment.
the outdated code will never find "client_secret" in params, because params is a list of tuples.
('client_secret' not in params)
the search should have been something like this:
('client_secret' not in [p[0] for p in params])
but that's ugly and inefficient.
in the fix, I just popped client_secret from the kwargs and compared it to None.
| @@ -10,19 +10,26 @@ | |||
|
|
|||
| from ....unittest import TestCase | |||
|
|
|||
| # this is the same import method used in oauthlib/oauth2/rfc6749/parameters.py | |||
There was a problem hiding this comment.
Catching an ImportError for a fallback library has caused a bunch of problems for me in the past. Eventually someone changes the import strategy in one place, and you end up with tests (or functions) breaking because two functions/packages with the same name aren't actually the same. I wanted a callout in the tests that would point people in the right direction when a test breaks, to ensure it gets updated without a headache.
…ings * fixed some formatting issues in `prepare_token_request` docstring * slightly altered `prepare_token_request` in handling nontruthy values for `client_secret`.
|
@JonathanHuot when you have time, please take a look at the last commit and review the 'outdated' comment regarding |
|
@jvanasco, I have no objections about the docstring changes. I bet we should do something better than playing with kwargs however that's not the purpose of this PR and what you did is great. For |
|
Existing tests didn't catch an error, because the block always generates the right output - it just generates the right output in the wrong way. The block correctly only acted on the I'm not a fan of playing with the kwargs either, unfortunately it's just done a lot in this library. I did upgrade the docs whenever there is some kwarg action going on to make things more apparent. |
|
That's merged! Thanks for this great contribution. |
This PR addresses #585
I had to make the new test a little bit 'dumb' to keep it simple while maintaining support under Python2 & Python3
The order of arguments inserted into the request body is deterministic and can shift on different platforms (or even the same platform on different computers). Instead of sorting the result in the test, or generating a sorted Response body, I just test against 2 possible permutations.
The test checks for a ValueError Exception and a DeprecationWarning. I couldn't manage to support a check for the expected error message on both platforms while maintaining a clear and concise test -- so I just omitted that check.