Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stop relying on Flask-OAuthlib #195

Open
Sinclert opened this issue Mar 3, 2020 · 5 comments
Open

Stop relying on Flask-OAuthlib #195

Sinclert opened this issue Mar 3, 2020 · 5 comments

Comments

@Sinclert
Copy link

Sinclert commented Mar 3, 2020
edited
Loading

The package Flask-OAuthlib has been discontinued and replaced by authlib (claimed both in the GitHub repository, and in its docs).

Additionally, the usage of Flask-OAuthlib with the syntax Flask-OAuthlib >= 0.9.3, as it is currently specified inside the setup.py file, leads to inconsistent oauthlib versions being install

Inconsistency tracking

Let's track dependencies down, shall we?

Flask-OAuthlib >= 0.9.3 resolves into v0.9.5 (last version in Pypi), which declares the following (check here):

  • oauthlib >= 1.1.2, ... <3.0.0 👀
  • requests-oauthlib >= 0.6.2, which ends up as requests-oauthlib v1.3.0 (latest version), with the following declaration (check here):
    • oauthlib>=3.0.0 👀
@lnielsen
Copy link
Member

lnielsen commented Mar 5, 2020

Replacing Flask-OAuthlib is quite big task as it's both in Invenio-OAuthClient and Invenio-OAuth2Server. Also, authlib is, like Flask-OAuthlib, a one-man show by the same person and I must admit that I'm quite concerned of spending a lot of effort migrating to authlib if he makes the same move again.

Obviously there's a problem here, just not clear what the solution is - i.e stay and fork flask-oauthlib, or switch to authlib, or …?

@Sinclert
Copy link
Author

Sinclert commented Mar 5, 2020

That's a good point.

Maybe for now just locking the Flask-OAuthlib version to 0.9.3 or 0.9.4 is enough. It is just the latest version (0.9.5) the one that does not play well with requests-oauthlib.

Both 0.9.3 (check here) and 0.9.4 (check here) do not bound oauthlib with the "<3.0.0" bomb.

@slint
Copy link
Member

slint commented Mar 12, 2020

In the setup.py we also pin requests-oauthlib to <1.2.0:

invenio-oauthclient/setup.py

Line 72 in ca0e40e

'requests-oauthlib>=0.5.0,<1.2.0',

...which should be enough to protect anyone doing pip install invenio-oauthclient.

The actual issue might be that pip messes up the installation order of the packages, which can indeed cause problems, e.g. if Flask-OAuthlib is installed first, what @Sinclert described above happens...

Unfortunately, this is not an easy issue to fix, and that's also why when deploying Python apps in production, people have requirements.txt with the exact combination of pinned dependencies that are known to work, or use tools like pipenv, poetry and dephell exist.

Also, I guess Flask-OAuthlib pins requests-oauthlib for a reason (e.g. incompatibility)

@Sinclert
Copy link
Author

Sinclert commented Mar 13, 2020
edited
Loading

You are right, invenio-oauthclient specifies requests-oauthlib...<1.2.0, which would solve the problem if the order is appropriate.

However, given that anyone who uses requirements.txt is likely to specify dependencies in alphabetical order, Flask-OAuthlib will most certainly be installed before invenio-oauthclient for all requirements.txt users, creating the incompatibility.

Could you limit Flask-OAuthlib in that regard?

Something like:

    'Flask-OAuthlib>=0.9.3,<0.9.5',

@alexdutton
Copy link
Member

c.f. inveniosoftware/invenio-oauth2server#195

@ParthS007 ParthS007 mentioned this issue Dec 1, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@alexdutton @lnielsen @slint @Sinclert