This project provides first-class OAuth library support for `Requests <https://requests.readthedocs.io>`_.
OAuth 1 can seem overly complicated and it sure has its quirks. Luckily, requests_oauthlib hides most of these and lets you focus on the task at hand.
Accessing protected resources using requests_oauthlib is as simple as:
.. code-block:: pycon

    >>> from requests_oauthlib import OAuth1Session
    >>> twitter = OAuth1Session('client_key',
    ...                         client_secret='client_secret',
    ...                         resource_owner_key='resource_owner_key',
    ...                         resource_owner_secret='resource_owner_secret')
    >>> url = 'https://api.twitter.com/1/account/settings.json'
    >>> r = twitter.get(url)
Before accessing resources you will need to obtain a few credentials from your
provider (e.g. Twitter) and authorization from the user for whom you wish to
retrieve resources. You can read all about this in the full
`OAuth 1 workflow guide on RTD <https://requests-oauthlib.readthedocs.io/en/latest/oauth1_workflow.html>`_.
OAuth 2 is generally simpler than OAuth 1 but comes in more flavours. The most common is the Authorization Code Grant, also known as the WebApplication flow.

Fetching a protected resource after obtaining an access token can be extremely
simple. However, before accessing resources you will need to obtain a few
credentials from your provider (e.g. Google) and authorization from the user
for whom you wish to retrieve resources. You can read all about this in the
full `OAuth 2 workflow guide on RTD <https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html>`_.
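The Authorization Code Grant named above has two legs: the client redirects the user to the provider's authorization endpoint, then exchanges the code it gets back for a token. ``OAuth2Session.authorization_url()`` and ``OAuth2Session.fetch_token()`` cover these, including the ``state`` value that ties the redirect back to the session. The following added example (not requests-oauthlib code) spells out both legs with the standard library and the two checks a client must make on the redirect: that ``state`` matches and that the provider did not return an ``error``. It goes one step beyond the README by adding PKCE (RFC 7636), which oauthlib also supports for this grant. The endpoint URLs, client id and authorization code are constructed placeholders, and nothing here touches the network.

```python
"""OAuth 2 Authorization Code grant, client-side legs, with PKCE (stdlib only).

Added example: not requests-oauthlib's own code. Endpoints, client id and the
authorization code used below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class CallbackError(Exception):
    """Raised when the redirect back from the provider must not be trusted."""


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(sha256(code_verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_authorization(auth_endpoint, client_id, redirect_uri, scope,
                        state=None, verifier=None):
    """Leg 1: build the URL the user agent is sent to.

    Returns (url, state, code_verifier). Both secrets are kept server-side
    (e.g. in the user's session) until the provider redirects back; they are
    accepted as arguments only so the output is deterministic for testing.
    """
    state = state or secrets.token_urlsafe(32)
    verifier = verifier or secrets.token_urlsafe(64)  # 43..128 chars per RFC 7636
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}", state, verifier


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Leg 2a: validate the redirect and extract the authorization code.

    state is checked first and in constant time: a missing or different state
    means the redirect was not started by this session (CSRF or a stale login).
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise CallbackError("state mismatch: redirect does not belong to this session")
    if "error" in query:
        raise CallbackError(f"provider returned error={query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("no authorization code in callback")
    return code


def token_request(code: str, client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Leg 2b: form body for the POST to the token endpoint.

    Sent over TLS with client authentication (HTTP Basic for confidential
    clients, as requests-oauthlib does). redirect_uri must equal the one used
    in leg 1; code_verifier lets the server check it against code_challenge.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    url, state, verifier = begin_authorization(
        "https://auth.example.test/authorize", "client-id-placeholder",
        "https://app.example.test/callback", ["openid", "email"])
    print("send user to:", url)
    callback = f"https://app.example.test/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = handle_callback(callback, state)
    print("token request body:", token_request(code, "client-id-placeholder",
                                               "https://app.example.test/callback", verifier))
```

The ``state`` check is the piece most often skipped in hand-rolled clients; without it an attacker-initiated authorization can be completed inside a victim's session. ``OAuth2Session.fetch_token(authorization_response=...)`` performs the same comparison against the state it generated, which is why the README points you at the workflow guide rather than at raw ``requests`` calls.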
To install requests and requests_oauthlib you can use pip:
.. code-block:: bash

    pip install requests requests-oauthlib

.. |build-status| image:: https://github.com/requests/requests-oauthlib/actions/workflows/run-tests.yml/badge.svg
   :target: https://github.com/requests/requests-oauthlib/actions
.. |coverage-status| image:: https://img.shields.io/coveralls/requests/requests-oauthlib.svg
   :target: https://coveralls.io/r/requests/requests-oauthlib
.. |docs| image:: https://readthedocs.org/projects/requests-oauthlib/badge/
   :alt: Documentation Status
   :scale: 100%
   :target: https://requests-oauthlib.readthedocs.io/
v2.0.0 (22 March 2024)
++++++++++++++++++++++++

- Full set of changes are in github.
- Additions & changes:

  - ``OAuth2Session`` now correctly uses the ``self.verify`` value if ``verify``
    is not overridden in ``fetch_token`` and ``refresh_token``. Fixes
    `#404 <https://github.com/requests/requests-oauthlib/issues/404>`_.
  - ``OAuth2Session`` constructor now uses its ``client.scope`` when a ``client``
    is provided and ``scope`` is not overridden. Fixes
    `#408 <https://github.com/requests/requests-oauthlib/issues/408>`_.
  - ``refresh_token_request`` and ``access_token_request`` compliance hooks

v1.4.0 (27 Feb 2024)
++++++++++++++++++++++++

v1.3.1 (21 January 2022)
++++++++++++++++++++++++

v1.3.0 (6 November 2019)
++++++++++++++++++++++++

- ``force_querystring`` argument to ``fetch_token()`` method on ``OAuth2Session``

v1.2.0 (14 January 2019)
++++++++++++++++++++++++

- ``auth`` because ``OAuth2Session`` objects and methods accept an ``auth``
  parameter which is typically an instance of ``requests.auth.HTTPBasicAuth``
- ``OAuth2Session.fetch_token`` previously tried to guess how and where to provide
  "client" and "user" credentials incorrectly. This was incompatible with some
  OAuth servers and incompatible with breaking changes in oauthlib that seek to
  correctly provide the ``client_id``. The older implementation also did not raise
  the correct exceptions when username and password are not present on Legacy
  clients.

v1.1.0 (9 January 2019)
+++++++++++++++++++++++

- ``oauthlib`` dependency: this project is not yet compatible with ``oauthlib``
  3.0.0.
- ``nose``.

v1.0.0 (4 June 2018)
++++++++++++++++++++

- ``token`` property to OAuth1Session, to match the corresponding ``token``
  property on OAuth2Session.

v0.8.0 (14 February 2017)
+++++++++++++++++++++++++

- ``auth`` to several methods would encounter conflicts with the ``client_id``
  and ``client_secret``-derived auth. The user-supplied ``auth`` argument is now
  used in preference to those options.

v0.7.0 (22 September 2016)
++++++++++++++++++++++++++

- ``OAuth2Session.request`` to take the ``client_id`` and ``client_secret``
  parameters for the purposes of automatic token refresh, which may need them.

v0.6.2 (12 July 2016)
+++++++++++++++++++++

- ``client_id`` and ``client_secret`` for the Authorization header if provided.
- ``auth=False``.
- ``proxies`` kwarg when refreshing tokens.

v0.6.1 (19 February 2016)
+++++++++++++++++++++++++

- ``fetch_request_token`` and ``fetch_access_token``.

v0.6.0 (14 December 2015)
+++++++++++++++++++++++++

- ``TokenRequestDenied`` exceptions now carry the entire response, not just the
  status code.

v0.5.0 (4 May 2015)
+++++++++++++++++++

- ``TypeError`` being raised instead of ``TokenMissing`` error.
- ``AttributeError`` when initializing the ``OAuth2Session`` class without
  complete client information.

v0.4.2 (16 October 2014)
++++++++++++++++++++++++

- ``authorized`` property on OAuth1Session and OAuth2Session, which allows you
  to easily determine if the session is already authorized with OAuth tokens
  or not.
- ``TokenMissing`` and ``VerifierMissing`` exception classes for OAuth1Session:
  this will make it easier to catch and identify these exceptions.

v0.4.1 (6 June 2014)
++++++++++++++++++++

- ``[rsa]`` for people using OAuth1 RSA-SHA1 signature method.
- ``OAUTHLIB_INSECURE_TRANSPORT``.
- ``requests_oauthlib`` namespace instead of piggybacking on oauthlib namespace.

v0.4.0 (29 September 2013)
++++++++++++++++++++++++++
FAQs
OAuthlib authentication support for Requests.
We found that requests-oauthlib demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.