Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop relying on Flask-OAuthlib #195

Open
Sinclert opened this issue Mar 3, 2020 · 6 comments
Open

Stop relying on Flask-OAuthlib #195

Sinclert opened this issue Mar 3, 2020 · 6 comments

Comments

@Sinclert
Copy link

Sinclert commented Mar 3, 2020

The package Flask-OAuthlib has been discontinued and replaced by authlib (claimed both in the GitHub repository, and in its docs).

Additionally, the usage of Flask-OAuthlib with the syntax Flask-OAuthlib >= 0.9.3, as it is currently specified inside the setup.py file, leads to inconsistent oauthlib versions being install

Inconsistency tracking

Let's track dependencies down, shall we?

Flask-OAuthlib >= 0.9.3 resolves into v0.9.5 (last version in Pypi), which declares the following (check here):

  • oauthlib >= 1.1.2, ... <3.0.0 👀
  • requests-oauthlib >= 0.6.2, which ends up as requests-oauthlib v1.3.0 (latest version), with the following declaration (check here):
    • oauthlib>=3.0.0 👀
@lnielsen
Copy link
Member

lnielsen commented Mar 5, 2020

Replacing Flask-OAuthlib is quite big task as it's both in Invenio-OAuthClient and Invenio-OAuth2Server. Also, authlib is, like Flask-OAuthlib, a one-man show by the same person and I must admit that I'm quite concerned of spending a lot of effort migrating to authlib if he makes the same move again.

Obviously there's a problem here, just not clear what the solution is - i.e stay and fork flask-oauthlib, or switch to authlib, or …?

@Sinclert
Copy link
Author

Sinclert commented Mar 5, 2020

That's a good point.

Maybe for now just locking the Flask-OAuthlib version to 0.9.3 or 0.9.4 is enough. It is just the latest version (0.9.5) the one that does not play well with requests-oauthlib.

Both 0.9.3 (check here) and 0.9.4 (check here) do not bound oauthlib with the "<3.0.0" bomb.

@slint
Copy link
Member

slint commented Mar 12, 2020

In the setup.py we also pin requests-oauthlib to <1.2.0:

'requests-oauthlib>=0.5.0,<1.2.0',

...which should be enough to protect anyone doing pip install invenio-oauthclient.

The actual issue might be that pip messes up the installation order of the packages, which can indeed cause problems, e.g. if Flask-OAuthlib is installed first, what @Sinclert described above happens...

Unfortunately, this is not an easy issue to fix, and that's also why when deploying Python apps in production, people have requirements.txt with the exact combination of pinned dependencies that are known to work, or use tools like pipenv, poetry and dephell exist.

Also, I guess Flask-OAuthlib pins requests-oauthlib for a reason (e.g. incompatibility)

@Sinclert
Copy link
Author

Sinclert commented Mar 13, 2020

You are right, invenio-oauthclient specifies requests-oauthlib...<1.2.0, which would solve the problem if the order is appropriate.

However, given that anyone who uses requirements.txt is likely to specify dependencies in alphabetical order, Flask-OAuthlib will most certainly be installed before invenio-oauthclient for all requirements.txt users, creating the incompatibility.

Could you limit Flask-OAuthlib in that regard?

Something like:

    'Flask-OAuthlib>=0.9.3,<0.9.5',

@alexdutton
Copy link
Member

@slint
Copy link
Member

slint commented Dec 11, 2024

As part of the current efforts to upgrade Invenio to Flask v3, we've decided that forking Flask-OAuthlib is the most straightforward course of action for now.

Migrating to the new authlib is the long-term goal (and looks straightforward in theory), but will require coordination inside the community to make sure that all the contrib OAuth providers are tested and working.

@slint slint pinned this issue Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants