flask-oauthlib has a bug in which a Basic Authorization header is parsed with werkzeug.http:parse_authorization_header into a dict and then interpreted as a string:
  File "…/invenio_oauth2server/ext.py", line 180, in verify_oauth_token_and_set_current_user
    valid, req = oauth2.verify_request(scopes)
  File "…/flask_oauthlib/provider/oauth2.py", line 476, in verify_request
    uri, http_method, body, headers, scopes
  File "…/oauthlib/oauth2/rfc6749/endpoints/base.py", line 64, in wrapper
    return f(endpoint, uri, *args, **kwargs)
  File "…/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 69, in verify_request
    request.token_type = self.find_token_type(request)
  File "…/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 86, in find_token_type
    for n, t in self.tokens.items()))
  File "…/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 86, in <genexpr>
    for n, t in self.tokens.items()))
  File "…/oauthlib/oauth2/rfc6749/tokens.py", line 300, in estimate_type
    if request.headers.get('Authorization', '').startswith('Bearer'):
AttributeError: 'dict' object has no attribute 'startswith'
I don't know whether this is fixed in authlib, but I guess it'll never be fixed in flask-oauthlib.
Per https://github.com/lepture/flask-oauthlib, flask-oauthlib is deprecated in favour of https://github.com/lepture/authlib.
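The type confusion in the traceback, and one way to guard against it by forcing the Authorization header back to a string before token-type detection. This is an added example, not code from flask-oauthlib, oauthlib or the report above; `ParsedAuthorization`, `parse_basic`, `looks_like_bearer` and `normalize_headers` are hypothetical stand-ins, and the sample credentials are constructed.

```python
import base64
import binascii


class ParsedAuthorization(dict):
    """Constructed stand-in for the dict the report says the werkzeug parser returns."""

    def __init__(self, auth_type, data):
        super().__init__(data)
        self.type = auth_type


def parse_basic(value):
    """Hypothetical minimal parser: 'Basic <b64>' -> ParsedAuthorization, else None."""
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return ParsedAuthorization("basic", {"username": user, "password": password})


def looks_like_bearer(headers):
    """Same expression as tokens.py line 300 in the traceback."""
    return headers.get("Authorization", "").startswith("Bearer")


def normalize_headers(headers):
    """Return a copy of headers in which Authorization is a str or absent."""
    out = dict(headers)
    auth = out.get("Authorization")
    if auth is None or isinstance(auth, str):
        return out
    if getattr(auth, "type", None) == "basic" and "username" in auth:
        raw = "{}:{}".format(auth["username"], auth.get("password", ""))
        encoded = base64.b64encode(raw.encode("utf-8")).decode("ascii")
        out["Authorization"] = "Basic " + encoded
    else:
        # Unknown parsed form: drop it so the request is handled as unauthenticated.
        del out["Authorization"]
    return out


# Constructed sample header, not taken from the report.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
```

With the normalizer in front, a request carrying Basic credentials is classified as "not Bearer" and can be rejected cleanly rather than failing with an unhandled AttributeError.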