Open Sinclert opened 4 years ago
Replacing Flask-OAuthlib is quite big task as it's both in Invenio-OAuthClient and Invenio-OAuth2Server. Also, authlib is, like Flask-OAuthlib, a one-man show by the same person and I must admit that I'm quite concerned of spending a lot of effort migrating to authlib if he makes the same move again.
Obviously there's a problem here, just not clear what the solution is - i.e stay and fork flask-oauthlib, or switch to authlib, or …?
That's a good point.
Maybe for now just locking the Flask-OAuthlib
version to 0.9.3
or 0.9.4
is enough. It is just the latest version (0.9.5
) the one that does not play well with requests-oauthlib
.
Both 0.9.3
(check here) and 0.9.4
(check here) do not bound oauthlib
with the "<3.0.0" bomb.
In the setup.py
we also pin requests-oauthlib
to <1.2.0
:
...which should be enough to protect anyone doing pip install invenio-oauthclient
.
The actual issue might be that pip
messes up the installation order of the packages, which can indeed cause problems, e.g. if Flask-OAuthlib
is installed first, what @Sinclert described above happens...
Unfortunately, this is not an easy issue to fix, and that's also why when deploying Python apps in production, people have requirements.txt
with the exact combination of pinned dependencies that are known to work, or use tools like pipenv
, poetry
and dephell
exist.
Also, I guess Flask-OAuthlib
pins requests-oauthlib
for a reason (e.g. incompatibility)
You are right, invenio-oauthclient
specifies requests-oauthlib...<1.2.0
, which would solve the problem if the order is appropriate.
However, given that anyone who uses requirements.txt is likely to specify dependencies in alphabetical order, Flask-OAuthlib
will most certainly be installed before invenio-oauthclient
for all requirements.txt users, creating the incompatibility.
Could you limit Flask-OAuthlib
in that regard?
Something like:
'Flask-OAuthlib>=0.9.3,<0.9.5',
The package Flask-OAuthlib has been discontinued and replaced by
authlib
(claimed both in the GitHub repository, and in its docs).Additionally, the usage of Flask-OAuthlib with the syntax
Flask-OAuthlib >= 0.9.3
, as it is currently specified inside the setup.py file, leads to inconsistentoauthlib
versions being installInconsistency tracking
Let's track dependencies down, shall we?
Flask-OAuthlib >= 0.9.3
resolves intov0.9.5
(last version in Pypi), which declares the following (check here):oauthlib >= 1.1.2, ... <3.0.0
👀requests-oauthlib >= 0.6.2
, which ends up asrequests-oauthlib v1.3.0
(latest version), with the following declaration (check here):oauthlib>=3.0.0
👀