ecederstrand / exchangelib

Python client for Microsoft Exchange Web Services (EWS)
BSD 2-Clause "Simplified" License
1.18k stars 248 forks source link

Why token auto-refresh is supported with `OAuth2AuthorizationCodeCredentials` only? #1151

Closed cmin764 closed 1 year ago

cmin764 commented 1 year ago

Describe the bug As we can see in the method session_params of exchangelib.credentials.OAuth2AuthorizationCodeCredentials, there's token auto-refresh capability implemented. The same is missing from the basic OAuth2Credentials class, but this one supports single-tenant apps through its token_url property:

@property
def token_url(self):
    return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/v2.0/token"

Therefore I fixed the behavior on Robocorp side with this simple patch. Can you explain why the OAuth2AuthorizationCodeCredentials flow is bound to multi-tenant apps and OAuth2Credentials to single-tenant ones? (why not deciding if it's about a multi or single tenant app based on the value we provide to tenant_id -- if not provided, common (multi-tenant) is assumed)

To Reproduce Just use OAuth2AuthorizationCodeCredentials with single-tenant apps as OAuth2Credentials doesn't seem to provide indefinite auto-refresh capability and the obtained token seems to fail with this one.

Expected behavior Expecting to distinguish from single/multi-tenant client apps based on tenant_id parameter (if provided), not given the picked up credentials class. Or at least having the same auto-refresh behaviour available in both if I have to choose between the classes given the app type.

How about clearer docs at the same time as they explain this small difference between the two, but by judging the behaviour and implementation, there are a LOT of differences.

Log output N/A

Additional context While using Robot Framework's Authorize keyword with rpaframework library.

ecederstrand commented 1 year ago

Thanks for the report! I'm pretty sure this is not due to some explicit decision.

If you can come up with a patch that allows auto-refreshing tokens, that would be most helpful.