requests-oauthlib 自动刷新客户端凭据流中的 Bearer 令牌？

Question

I'm using the python requests-oauthlib package to connect to the Microsoft Graph. I am using the OAuth 2.0 Client Credentials flow.

The following simplified code works perfectly fine:

from oauthlib.oauth2 import BackendApplicationClient
from requests_oauthlib import OAuth2Session
client = BackendApplicationClient(client_id='myclientid')

token_url = "https://login.microsoftonline.com/mydomain.onmicrosoft.com/oauth2/v2.0/token"
msgraph = OAuth2Session(client=client)

msgraph.fetch_token(
    token_url = token_url,
    client_secret = 'myclientsecret',
    scope='https://graph.microsoft.com/.default')

response = msgraph.get(
    url="https://graph.microsoft.com/v1.0/users/user@mydomain.com/messages")

While this works, the Bearer access token in this case is only valid for 1 hour. The requests-oauthlib package has support for refreshing tokens but it seems limited to token types that come with separate refresh tokens. The client credentials flow as used with the Microsoft Graph only issues an access_token.

So my questions are:

1. Is there a way to make the requests-oauthlib refresh the token automatically in this use case or do I need to manually track the age of my token and explicitly refresh it as needed?
2. I'm not wedded to requests-oauthlib so if there is a better library that accomplishes the auto-refreshing I'd be interested in using it.

Answer 1

This behavior is by design (and aligns with the OAuth spec). The only OAuth grants that support Refresh Tokens are Authorization Code and Resource Owner Password Credentials . The Implicit and Client Credentials grants only return an Access Token.

More importantly, since the Client Credentials flow isn't interactive, there is no need for Refresh Tokens. You simply request a new token when the old one expires.

Answer 2

As far as I can tell, there is still no built-in way to do this automatically using requests-oauthlib. There is a ticket about it on their GitHub with a couple of different ideas on how to do it, but nothing out of the box: https://github.com/requests/requests-oauthlib/issues/260

Answer 3

I know this is an old question, but it seems unanswered, so please allow me to give it a try.

My initial answer was:

I dare make the hypothesis, reading your mention of lack of refresh token, that you did not add offline_access in your requested scope - if you want it to be part of the answer from the Microsoft authentication service, you have to (please refer to https://learn.microsoft.com/en-us/graph/auth-v2-user#token-response and the various pages around for more details).

which was indeed totally irrelevant for the scenario used, as commented by Mark, and also clearly stated in https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-daemon-app#cache-and-store-tokens :

It is important that applications use the "expires_in" property to determine the lifespan of the token.

So as an answer to your question 2., the above link also suggests the use of MSAL (MS Authentication Library) :

MSAL implements and follows [best practices for caching and storing tokens] automatically.

what the why use MSAL wiki page seems to confirm:

It also adds value by [...] maintaining a token cache and refreshes tokens for you when they are close to expire. You don't need to handle expiration on your own.

For your question 1., I indeed did not find a standard way in requests-oauthlib to do so, either.

In this kind of situation, I usually don't monitor the age of the token, but just catch the 401 return code and fetch a new token.

To do so, I found suitable to tweak the first example of the Requests-OAuthlib - OAuth 2 Workflow - refreshing tokens section, replacing their call to refresh_token(refresh_url, **extra) by a new call to fetch_token() .

What I usually use in order to avoid repeating the try...except... code piece, is to put it in a wrapper decorator (got a good inspiration in https://realpython.com/primer-on-python-decorators/#a-few-real-world-examples ) around my API-calling functions / methods.

Hope this time it helps more...