Support changes to refresh tokens


Reddit is changing how refresh tokens are handled. In a nutshell, refresh tokens will be usable only once: https://old.reddit.com/r/redditdev/comments/kvzaot/oauth2_api_changes_upcoming/

As a result, we need to consider how best to handle dynamic refresh tokens.

Here’s what I propose:

  1. Remove support for refresh_token in both praw.ini and as a keyword argument to praw.Reddit.

Since the refresh tokens will be dynamic, it doesn’t make sense to keep them in a config file. And since we’ll need a way to allow people to manually update the refresh token on an existing instance, I don’t think we should support two distinct ways to provide a refresh token to a Reddit instance.

  2. Provide a method to set the refresh token (and optionally the access token) on a Reddit instance. For example, reddit.auth.set_token(...).

  3. Provide a way to register a callback function that is called whenever the refresh token and the access token are changed. In this way users can save and synchronize these tokens however they please, e.g., via a file, a database, etc. I propose we call this: reddit.auth.token_change_callback(function).

These ideas stemmed from this part of the discussion: https://old.reddit.com/r/redditdev/comments/kvzaot/oauth2_api_changes_upcoming/gj2xcsx/

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 11 (11 by maintainers)

Top GitHub Comments

1 reaction
bboe commented, Jan 31, 2021

> the vast majority of individual users that use PRAW for scripts, bots, etc are likely going to pass it only once at initialization, it would be convenient and naively intuitive to do so as a parameter to the constructor, like everything else.

I think many users might be using the same credentials for multiple distinct scripts, so they likely will need a way to dynamically set the refresh token (or access token) when a new one is available. Additionally, I think having a separate method makes it clear that this attribute frequently changes and can no longer be set it and forget it.

> just pass the client_id and client_secret (as parameters, from praw.ini, etc.), and then call set_token(…) before actually using it

Yes, that’s what I’m thinking.

> And presumably, until the token is set, the instance wouldn’t be authorized yet? Also, would this trigger the callback (I’d hope not), or just it changing after a request?

Correct. Fetching the token will only happen as needed, i.e., on request.

> One thing though—is this planned to be implemented by the time the Reddit API changes go live and consumed refresh tokens will no longer work?

I’m planning to implement this feature this week.

0 reactions
bboe commented, Feb 26, 2021

No worries. I like to move quick sometimes. We can always adapt if there are use cases we didn’t consider.
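
The pattern discussed in this issue, as an added example that is not PRAW's code: `Auth` is a hypothetical stand-in exposing the proposed `set_token` and `token_change_callback`, `FakeAuthServer` is a constructed single-use token endpoint, and `save_token` is a callback that persists each rotated refresh token atomically to a file only its owner can read. `demo(False)` shows what happens when the callback is not registered and a second run replays the stored token.

```python
import json, os, tempfile

class FakeAuthServer:
    """Constructed stand-in for a token endpoint with single-use refresh tokens."""
    valid, n = "refresh-0", 0  # constructed initial token
    def refresh(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("invalid_grant: refresh token already used")
        self.n, self.valid = self.n + 1, f"refresh-{self.n + 1}"
        return f"access-{self.n}", self.valid

class Auth:
    """Hypothetical client with the two methods proposed in the issue (not PRAW code)."""
    def __init__(self, server):
        self.server, self.refresh_token, self.access_token = server, None, None
        self.callback = lambda *tokens: None  # no-op until a callback is registered
    def set_token(self, refresh_token, access_token=None):
        self.refresh_token, self.access_token = refresh_token, access_token  # no callback
    def token_change_callback(self, function):
        self.callback = function
    def request(self):
        if self.access_token is None:  # tokens are fetched only when a request needs one
            self.access_token, self.refresh_token = self.server.refresh(self.refresh_token)
            self.callback(self.refresh_token, self.access_token)
        return self.access_token

def save_token(path, refresh_token):
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as fh:
        json.dump({"refresh_token": refresh_token}, fh)
    os.replace(tmp, path)

def demo(persist):
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token.json")
        save_token(path, "refresh-0")
        server, results = FakeAuthServer(), []
        for _ in range(2):  # two script runs sharing one stored refresh token
            auth = Auth(server)
            with open(path) as fh:
                auth.set_token(json.load(fh)["refresh_token"])
            if persist:
                auth.token_change_callback(lambda refresh, access: save_token(path, refresh))
            try:
                results.append(auth.request())
            except PermissionError as exc:  # without the callback, run 2 replays a spent token
                results.append(str(exc))
        return results
```

The file store assumes one run at a time; scripts that share a credential and run concurrently still race for the single-use token and need a lock or a shared store around the load, refresh and save steps.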
