You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to set up OAuth2 for unattended access to Microsoft IMAP servers - the refresh_token is important here.
When providing a request scope set as follows:
offline_access
https://outlook.office.com/User.Read
https://outlook.office.com/IMAP.AccessAsUser.All
The service responds with the following (i.e: offline_access is removed):
https://outlook.office.com/User.Read
https://outlook.office.com/IMAP.AccessAsUser.All
This results in a warning being raised.
Traceback
Traceback (most recent call last):
File "./oauth2-test.py", line 51, in <module>
token = oauth.fetch_token(token_url, client_secret=client_secret, authorization_response=redirect_response)
File "/usr/lib/python3.8/site-packages/requests_oauthlib/oauth2_session.py", line 366, in fetch_token
self._client.parse_request_body_response(r.text, scope=self.scope)
File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 427, in parse_request_body_response
self.token = parse_token_response(body, scope=scope)
File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 441, in parse_token_response
validate_token_parameters(params)
File "/usr/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 471, in validate_token_parameters
raise w
Warning: Scope has changed from "https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All offline_access" to "https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All".
Apparently the offline_access scope should never be returned by Microsoft services, as it's not actually a useful scope for accessing resources (ref).
My current approach (which isn't ideal), is as follows:
oauth=OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scope)
authorization_url, state=oauth.authorization_url(authorize_url)
# remove the `offline_access` scope directly / by handoauth.scope.remove('offline_access')
# ... submit the request to authorization_url, and retrieve the tokenredirect_response= ...
token=oauth.fetch_token(token_url, client_secret=client_secret, authorization_response=redirect_response)
I'm aware of OAUTHLIB_RELAX_TOKEN_SCOPE (link), but that seems perhaps a little over-permissive.
Perhaps one of the following would be a good idea?
A more generic mechanism to permit accepting scope changes
A way to supply the expected response set of scopes
A list of "I don't mind if these aren't grated" scopes
The text was updated successfully, but these errors were encountered:
I'm trying to set up OAuth2 for unattended access to Microsoft IMAP servers - the
refresh_token
is important here.When providing a request scope set as follows:
offline_access
https://outlook.office.com/User.Read
https://outlook.office.com/IMAP.AccessAsUser.All
The service responds with the following (i.e:
offline_access
is removed):https://outlook.office.com/User.Read
https://outlook.office.com/IMAP.AccessAsUser.All
This results in a warning being raised.
Traceback
Apparently the
offline_access
scope should never be returned by Microsoft services, as it's not actually a useful scope for accessing resources (ref).My current approach (which isn't ideal), is as follows:
I'm aware of
OAUTHLIB_RELAX_TOKEN_SCOPE
(link), but that seems perhaps a little over-permissive.Perhaps one of the following would be a good idea?
The text was updated successfully, but these errors were encountered: