Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[FEATURE] Add OAuth2 refresh token Form dependency in security/oauth2.py

See original GitHub issue

First check

I added a very descriptive title to this issue.
I used the GitHub search to find a similar issue and didn’t find it.
I searched the FastAPI documentation, with the integrated search.
I already searched in Google “How to X in FastAPI” and didn’t find any information.
I already read and followed all the tutorial in the docs and didn’t find an answer.
I already checked if it is not related to FastAPI but to Pydantic.
I already checked if it is not related to FastAPI but to Swagger UI.
I already checked if it is not related to FastAPI but to ReDoc.
After submitting this, I commit to:
- Read open issues with questions until I find 2 issues where I can help someone and add a comment to help there.
- Or, I already hit the “watch” button in this repository to receive notifications and I commit to help at least 2 people that ask questions in the future.
- Implement a Pull Request for a confirmed bug.

Description

security/oauth2.py already contains OAuth2PasswordRequestForm, why don’t we add OAuth2RerefreshRequestForm to FastAPI as well? It is also well defined in the OAuth RFC. To implement a complete OAuth2 with FastAPI, token refresh is needed. Also, the docs can be updated with a full example.

As the RFC states, the refresh request has to be exactly like this:

POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

The solution you would like

from fastapi import FastAPI, Depends
from fastapi.security import OAuth2RefreshRequestForm

app = FastAPI()


@app.route("/refresh")
def refresh_token(form: OAuth2RefreshRequestForm = Depends()):
    # check if the refresh token is valid
    return {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"example",
       "expires_in":3600
    }

A possible implementation would be:

class OAuth2RefreshRequestForm:

    def __init__(
        self,
        grant_type: str = Form(None, regex="refresh_token"),
        refresh_token: str = Form(...)
    ):
        self.grant_type = grant_type
        self.refresh_token = refresh_token

It is indeed simple, but having it in builtin still saves users some time to look up in the RFC. Also, the tutorial in docs can be more complete.