Skip to content

work around Facebook's non-conformance #268

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 22, 2014
Merged

work around Facebook's non-conformance #268

merged 7 commits into from
Sep 22, 2014
+77 −4

Conversation

chadwhitacre
Copy link
Contributor

Facebook uses URL-encoding instead of JSON for access token response bodies, and they use expires instead of expires_in. Fixes #267.

@chadwhitacre
Copy link
Contributor Author

Hmm ... Facebook also doesn't include a token_type, which is hard-required in validate_token_parameters. Raising an exception seems to me to violate the robustness principle:

[C]ode that sends commands or data to other machines (or to other programs on the same machine) should conform completely to the specifications, but code that receives input should accept non-conformant input as long as the meaning is clear.

In Client we default to a token type of Bearer, and we gracefully degrade if token_type is not present in the params passed to _populate_attributes after calling parse_token_response (under which we call validate_token_parameters). I can see raising if there is no access token: the meaning would not be clear in that case. For token_type I think we should raise only if the developer wants strict parsing.

@chadwhitacre
Copy link
Contributor Author

Okay! Ready for review. :-)

@chadwhitacre chadwhitacre changed the title [WIP] work around Facebook's non-conformance work around Facebook's non-conformance Sep 17, 2014
@chadwhitacre
Copy link
Contributor Author

cc: @ib-lundgren @idan @singingwolfboy @gulopine

This was referenced Sep 17, 2014
Merged
Closed
@singingwolfboy
Copy link
Contributor

LGTM, but you should document the OAUTHLIB_STRICT_TOKEN_TYPE envvar somewhere.

@chadwhitacre chadwhitacre mentioned this pull request Sep 18, 2014
Closed
ib-lundgren
ib-lundgren reviewed Sep 22, 2014
View reviewed changes
oauthlib/oauth2/rfc6749/parameters.py
@@ -313,7 +328,8 @@ def validate_token_parameters(params, scope=None):
raise MissingTokenError(description="Missing access token parameter.")

if not 'token_type' in params:
raise MissingTokenTypeError()
if os.environ.get('OAUTHLIB_STRICT_TOKEN_TYPE'):
raise MissingTokenTypeError()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should simply add token type Bearer here in non-strict mode. Ideally logging that so was done on DEBUG level.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I figured we could depend on the default behavior of the calling class, as described above.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough.

@ib-lundgren
Copy link
Collaborator

Looks good :)

Maybe add a comment in http://oauthlib.readthedocs.org/en/latest/oauth2/clients/client.html (change docs as you like btw).

@chadwhitacre
Copy link
Contributor Author

@ib-lundgren It seemed better to add documentation to http://oauthlib.readthedocs.org/en/latest/oauth2/tokens/tokens.html. Look okay to you? :-)

ib-lundgren added a commit that referenced this pull request Sep 22, 2014
@ib-lundgren
Merge pull request #268 from whit537/facebook
3bb2bfb 
work around Facebook's non-conformance
@ib-lundgren ib-lundgren merged commit 3bb2bfb into oauthlib:master Sep 22, 2014
@chadwhitacre chadwhitacre deleted the facebook branch September 22, 2014 14:42
@chadwhitacre
Copy link
Contributor Author

Yay! Thanks @ib-lundgren! :D

@ib-lundgren ib-lundgren mentioned this pull request Oct 1, 2014
Closed
@chadwhitacre chadwhitacre mentioned this pull request Oct 17, 2014
Closed
@JonathanHuot JonathanHuot mentioned this pull request Mar 14, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

parse_token_response assumes JSON
3 participants
@chadwhitacre @singingwolfboy @ib-lundgren