Release of oauthlib version 3.3.0 breaks the current implementation of Flask-Dance

[maciejstromich]

Hi,

We use Flask-Dance 7.1.0 and our today's deployment broke on refresh_token functionality.

I've dug a bit and as far as I understand what's happening
Because Flask-Dance is requiring oauthlib to be >= 3.2 and today version 3.3.0 was introduced our packager caught the new version. This version introduced changes in oauth2.rfc6749.parameters (oauthlib/oauthlib@d953188) which now does "some magic" with parse_expires method. This new method is breaking.

Here's the traceback from our flask application:

Traceback (most recent call last):
File "/opt/venv/lib/python3.11/site-packages/gevent/baseserver.py", line 34, in _handle_and_close_when_done
File "/opt/venv/lib/python3.11/site-packages/gunicorn/workers/ggevent.py", line 123, in handle
File "/opt/venv/lib/python3.11/site-packages/gunicorn/workers/base_async.py", line 54, in handle
File "/opt/venv/lib/python3.11/site-packages/gunicorn/workers/ggevent.py", line 127, in handle_request
File "/opt/venv/lib/python3.11/site-packages/gunicorn/workers/base_async.py", line 107, in handle_request
File "/opt/venv/lib/python3.11/site-packages/newrelic/api/wsgi_application.py", line 667, in _nr_wsgi_application_wrapper_
File "/opt/venv/lib/python3.11/site-packages/flask/app.py", line 1536, in __call__
File "/app/api/console/middleware.py", line 26, in __call__
File "/app/api/console/middleware.py", line 73, in __call__
File "/opt/venv/lib/python3.11/site-packages/werkzeug/middleware/proxy_fix.py", line 183, in __call__
File "/opt/venv/lib/python3.11/site-packages/newrelic/api/wsgi_application.py", line 562, in _nr_wsgi_application_wrapper_
File "/opt/venv/lib/python3.11/site-packages/flask/app.py", line 1511, in wsgi_app
File "/opt/venv/lib/python3.11/site-packages/flask/app.py", line 917, in full_dispatch_request
File "/opt/venv/lib/python3.11/site-packages/flask/app.py", line 902, in dispatch_request
File "/opt/venv/lib/python3.11/site-packages/newrelic/hooks/framework_flask.py", line 73, in _nr_wrapper_handler_
File "/app/api/console/auth.py", line 40, in refresh
File "/opt/venv/lib/python3.11/site-packages/requests_oauthlib/oauth2_session.py", line 476, in refresh_token
File "/opt/venv/lib/python3.11/site-packages/requests/sessions.py", line 637, in post
File "/opt/venv/lib/python3.11/site-packages/flask_dance/consumer/requests.py", line 191, in request
File "/opt/venv/lib/python3.11/site-packages/flask_dance/consumer/requests.py", line 134, in load_token
File "/opt/venv/lib/python3.11/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 585, in populate_token_attributes
File "/opt/venv/lib/python3.11/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 505, in parse_expires,
raise ValueError("expires_int must be an int")
ValueError: expires_int must be an int

Our auth.py:40 is calling sso_blueprint.session.refresh_token.

For now we have restricted oauthlib to ==3.2.2 which solves the issue for us.

[JonathanHuot]

Hi, there is an ongoing discussion at oauthlib/oauthlib#906

[maciejstromich]

Thanks @JonathanHuot I see that there's a 3.3.1 version released. I will give it a try in our test env in the coming days. and will report back if it's still breaking anything on our side. For avoidance of doubt we use AWS Cognito as our IdP.

[JonathanHuot]

Hi @maciejstromich , the changes can be tested on a branch for

pip install git+https://github.com/oauthlib/oauthlib.git@release-3.3.1

The release will be available soon anyway based on this branch.