Stop relying on Flask-OAuthlib #195
Comments
Replacing Flask-OAuthlib is quite a big task as it's both in Invenio-OAuthClient and Invenio-OAuth2Server. Also, authlib is, like Flask-OAuthlib, a one-man show by the same person and I must admit that I'm quite concerned about spending a lot of effort migrating to authlib if he makes the same move again. Obviously there's a problem here, just not clear what the solution is - i.e. stay and fork flask-oauthlib, or switch to authlib, or …?
That's a good point. Maybe for now just locking the Both
In the Line 72 in ca0e40e
...which should be enough to protect anyone doing The actual issue might be that Unfortunately, this is not an easy issue to fix, and that's also why when deploying Python apps in production, people have Also, I guess
You are right, However, given that anyone who uses requirements.txt is likely to specify dependencies in alphabetical order, Could you limit Something like: 'Flask-OAuthlib>=0.9.3,<0.9.5',
As part of the current efforts to upgrade Invenio to Flask v3, we've decided that forking Flask-OAuthlib is the most straightforward course of action for now. Migrating to the new authlib is the long-term goal (and looks straightforward in theory), but will require coordination inside the community to make sure that all the contrib OAuth providers are tested and working.
The package Flask-OAuthlib has been discontinued and replaced by authlib (claimed both in the GitHub repository, and in its docs).

Additionally, the usage of Flask-OAuthlib with the syntax Flask-OAuthlib >= 0.9.3, as it is currently specified inside the setup.py file, leads to inconsistent oauthlib versions being installed.

Inconsistency tracking

Let's track dependencies down, shall we?

Flask-OAuthlib >= 0.9.3 resolves into v0.9.5 (last version in PyPI), which declares the following (check here):
oauthlib >= 1.1.2, ... <3.0.0 👀
requests-oauthlib >= 0.6.2, which ends up as requests-oauthlib v1.3.0 (latest version), with the following declaration (check here):
oauthlib>=3.0.0 👀
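The conflict traced above can be checked mechanically. The following is an added example, not part of the issue or of Invenio's code: a standard-library-only check of whether any oauthlib version satisfies both declared ranges. The helper names are hypothetical, the candidate version list is constructed, and only plain numeric versions are handled (not the full PEP 440 grammar).

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}
CLAUSE = re.compile(r"^\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)\s*$")

def parse_version(text):
    """'3.0.0' -> (3, 0, 0). Only plain numeric release versions are handled."""
    return tuple(int(part) for part in text.strip().split("."))

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    v = parse_version(version)
    for raw in spec.split(","):
        m = CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported clause: {raw!r}")
        bound = parse_version(m.group(2))
        width = max(len(v), len(bound))  # pad so that 3.0 compares equal to 3.0.0
        left = v + (0,) * (width - len(v))
        right = bound + (0,) * (width - len(bound))
        if not OPS[m.group(1)](left, right):
            return False
    return True

def rejected_by(requirements, candidates):
    """Map each candidate version to the requirers whose spec excludes it."""
    return {c: [who for who, spec in requirements.items() if not satisfies(c, spec)]
            for c in candidates}

def installable(requirements, candidates):
    """Candidate versions that every requirer accepts (empty list = conflict)."""
    return [c for c, who in rejected_by(requirements, candidates).items() if not who]

# Constraints on oauthlib as quoted in the issue; whatever the issue elides
# with "..." in the first one is left out here.
OAUTHLIB_REQUIREMENTS = {
    "Flask-OAuthlib 0.9.5": ">=1.1.2,<3.0.0",
    "requests-oauthlib 1.3.0": ">=3.0.0",
}
# Constructed sample of candidate oauthlib versions, not an index listing.
CANDIDATES = ["1.1.2", "2.1.0", "3.0.0", "3.1.0"]

if __name__ == "__main__":
    for version, who in rejected_by(OAUTHLIB_REQUIREMENTS, CANDIDATES).items():
        print(version, "rejected by", ", ".join(who) or "nobody")
    print("installable:", installable(OAUTHLIB_REQUIREMENTS, CANDIDATES))
```

An empty `installable` result means the two ranges do not overlap, so whichever oauthlib version ends up installed violates one of the two declarations.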