FYI: OAuth library updates


Rachel Lorencz

Aug 5, 2022, 1:46:17 PM8/5/22
to Developer Group for CMS Blue Button API
Hello Blue Button 2.0 Community,
Last week we upgraded our systems including OAuth (oauthlib==3.1.0), which no longer allows token refresh parameters to be provided as URL query parameters; they now have to be encoded as a form (sent in the HTTP body). This means that prior to the update, OAuth was throwing a 401 error when this was done, and after the update, it is now throwing a 400 error. There are two changes you may notice based on this update:
  1. Before the upgrade, the “invalid grant” error response was using HTTP code 401 (unauthorized); now it is “invalid grant” with error code 400 (bad request).
  2. Before the upgrade, POST operations on token endpoints (e.g. refresh token) allowed parameters to be sent as query parameters (encoded and as part of the URL); now that is not allowed. This may not affect apps that are not sending token operation parameters as “query parameters” on the URL, but for those that are affected, the recommended action is to refactor your POST token operation, putting parameters in the body (e.g. form data) and/or headers. Here is an example curl command doing token refresh, where data is sent in the body of the request (not as query parameters):
curl -s -w "%{http_code}" -X POST "${BB_SERVER}/v1/o/token/" \
        -u "${BB_CLIENT_ID}:${BB_CLIENT_SECRET}" \
        -d "grant_type=refresh_token&client_id=${BB_CLIENT_ID}&refresh_token=${REFRESH_TOKEN}"

Please reach out if you have any questions, 

Rachel Lorencz
Blue Button 2.0 Product Manager
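The following is an added example, not code from the post or from the Blue Button project. It shows the two adjustments the announcement asks client developers to make: build the refresh POST with the grant parameters form-encoded in the body and nothing in the URL query string, and recognize an `invalid_grant` response by its JSON `error` field rather than by a fixed status code, since the code moved from 401 to 400. The token path comes from the curl command above; the server name, client id, secret and refresh token values are constructed placeholders, and `lint_token_request`, `classify_token_response` and the other function names are this example's own.

```python
"""Token-refresh client for the oauthlib 3.1.0 behaviour change described in the post.

Added example (not Blue Button's own code). Grant parameters go in a form-encoded body,
never in the URL query string, and 'invalid_grant' is detected from the JSON error field
rather than from a specific HTTP status code (401 before the upgrade, 400 after).
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/v1/o/token/"  # path used by the curl example in the post


def build_refresh_request(server, client_id, client_secret, refresh_token):
    """Return url, headers and body for a refresh_token grant with the body form-encoded."""
    url = server.rstrip("/") + TOKEN_PATH
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    })
    # Equivalent of curl's -u: HTTP Basic client authentication in a header, not in the URL.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return {"url": url, "headers": headers, "body": body}


def build_legacy_refresh_request(server, client_id, client_secret, refresh_token):
    """The pre-upgrade pattern: the same parameters appended to the URL as a query string.
    Kept only so lint_token_request() can show why it now fails with HTTP 400."""
    req = build_refresh_request(server, client_id, client_secret, refresh_token)
    return {"url": req["url"] + "?" + req["body"], "headers": req["headers"], "body": ""}


def lint_token_request(req):
    """List the problems that make a token POST fail against oauthlib >= 3.1.0."""
    problems = []
    if urllib.parse.urlsplit(req["url"]).query:
        problems.append("grant parameters must be in the body, not the URL query string")
    if "grant_type=" not in req["body"]:
        problems.append("body lacks grant_type")
    if req["headers"].get("Content-Type") != "application/x-www-form-urlencoded":
        problems.append("Content-Type must be application/x-www-form-urlencoded")
    return problems


def classify_token_response(status, body_text):
    """Map a token-endpoint response to a client action, keyed on the OAuth error name so
    the old 401 and the new 400 'invalid_grant' responses are handled identically."""
    try:
        payload = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        payload = {}
    if status == 200 and "access_token" in payload:
        return "ok"
    if payload.get("error") == "invalid_grant":
        return "reauthorize"  # refresh token rejected: send the user back through authorization
    if status in (400, 401):
        return "fix_request"  # malformed request or bad client credentials: a client-side bug
    return "retry_later"      # server-side or transient failure


def send_refresh_request(req):
    """Perform the POST with urllib and return (status, body_text). Network call, not exercised offline."""
    http_req = urllib.request.Request(req["url"], data=req["body"].encode("ascii"),
                                      headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(http_req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # 4xx responses carry the JSON error document; read it instead of discarding it.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed placeholder values; replace with your sandbox server and app credentials.
    good = build_refresh_request("https://sandbox.example", "my-client-id", "my-secret", "rt-123")
    legacy = build_legacy_refresh_request("https://sandbox.example", "my-client-id", "my-secret", "rt-123")
    print("body-encoded request problems:", lint_token_request(good))
    print("query-string request problems:", lint_token_request(legacy))
    print(classify_token_response(400, '{"error": "invalid_grant"}'))
```

Running `lint_token_request` over an existing client's request object is a quick way to confirm the refactor before redeploying; a client that branches only on `status == 401` to trigger re-authorization will silently treat the new 400 as a generic failure, which is why `classify_token_response` reads the `error` field first.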