intuit / oauth-pythonclient Goto Github PK

Today my integrations with QB Payments API stopped working, failing with a 404 trying to get the discovery doc as part of AuthClient initialization (client.py line 56). Debugging it, I captured the discovery URL and tried to request it directly in Chrome, which worked. Then I tried a requests.get request on it in a Python shell and it came back 404. So I set the User-Agent header to Mozilla/5.0 and tried requests.get again and it worked. So apparently something changed today on the Intuit side that's causing requests to fail if not from an "approved" User-Agent (or something).

I can't see from your client code any way to set the User-Agent header prior to making the discovery doc request. Any suggestions? Maybe some way to lazy-load the discovery doc, or pass in the request headers. Or since AuthClient is based on requests.Session, maybe just make it default to a "real" User-Agent.

I need to preserve state after redirecting (eg, using a custom parameter), but it seems the state parameter is currently only used for CSRF token. Is there another way to preserve state?

When installing another package (pip install dbt) I get an error

  AttributeError: module 'enum' has no attribute 'IntFlag'

tracking dbt-labs/dbt-core#2372

If I run

$ pip show enum34
Name: enum34
Version: 1.1.9
Summary: Python 3.4 Enum backported to 3.3, 3.2, 3.1, 2.7, 2.6, 2.5, and 2.4
Home-page: https://bitbucket.org/stoneleaf/enum34
Author: Ethan Furman
Author-email: [email protected]
License: BSD License
Location: /Users/harrymoreno/.asdf/installs/python/3.7.3/lib/python3.7/site-packages
Requires: 
Required-by: intuit-oauth

we see that this intuit-oauth module needs to be updated for python 3.6+

Related
iterative/dvc#1995

The 1.2.3 tag also has intuitlib.version.__version__ set to 1.2.2. At this point it's pretty hard to tell what source produced the sdist or the wheel on pypi.

Y'all might want to consider adopting some tooling (such as incremental for managing version numbers automatically and integrating that into whatever release automation you have.

ERROR with python 3.12.1 and intuit-oauth==1.2.4:

     from intuitlib.client import AuthClient
   File "/usr/local/lib/python3.12/site-packages/intuitlib/client.py", line 19, in <module>
     from future.moves.urllib.parse import urlencode
   File "/usr/local/lib/python3.12/site-packages/future/moves/__init__.py", line 5, in <module>
     from future.standard_library import import_top_level_modules
   File "/usr/local/lib/python3.12/site-packages/future/standard_library/__init__.py", line 65, in <module>
     import imp
 ModuleNotFoundError: No module named 'imp'

We are getting an error "HTTPSConnectionPool(host='developer.intuit.com', port=443): Max retries exceeded with url: /.well-known/openid_configuration/ (Caused by SSLError(SSLEOFError(8, '[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)')))"
When we initialize AuthClient in the lib, which in turn tries to fetch discovery_doc from url https://developer.intuit.com/.well-known/openid_configuration/

Seems like the urlib / requests lib used in the project might be the culprit, did you have some similar issues like this?
Although we are getting this issue from time to time, it is creating inconsistent experience

This is mostly a question / concern

There is no information if the Python SDK is affected by the changes to identity signature that are going to be introduced on March 1st, 2024.

1. Is this SDK affected by the change?
2. Will a new version be released addressing this issue?
3. In case it's not affected, from which version should the SDK work correctly?

More info: https://app.dp.intuit.com/e/es?s=2332625&e=186&elqTrackId=efd74c1a1b7a40299e524d6e5aa03bea&elq=3a05f012fe5f4115aa4a636e773429d0&elqaid=78&elqat=1

When installing via pip, the __init__.py file is missing. See screenshot below.

And just to make sure it's not a configuration issue on my machine, I downloaded the wheel directly, unzipped it, and it's also missing the __init__.py file:
https://files.pythonhosted.org/packages/73/14/537d33a2dc19469743dc75eee317a9cf439497b7446928f345df086c5316/intuit_oauth-1.2.1-py2-none-any.whl

Whenever you initialize an instance of AuthClient it calls get_discovery_doc which will issue a request to the intuit site.

This is inconvenient when running tests if the AuthClient is initialized at any point, even if it is not directly used:

• Drastically slows down each test due to waiting on a response for the discovery document.
• Adds an implicit dependency on one's internet connection as the affected tests will fail without one

If you want to avoid this performance penalty then you must mock the AuthClient in any test that might incidentally initialize an instance of it. In my case I was testing out an integration with quickbooks using the community python sdk and this caused my test suite to go from taking ~15s to about 1m17s.

This also means that if you have a view that redirects a user to the OAuth authorization url then your response timing will be dependent on the time for the discovery document to be retrieved.

Looking at the other intuit oauth client library, it looks like there is a split on retrieving the urls from the discovery document and storing the urls as constants in the library. The .NET and Java libraries both require you to make a request to the discovery document to get the OAuth urls whereas the PHP, Node, and Ruby libraries have them stored as constants.

From my perspective, it seems strictly better to store the urls as constants in the library as it removes any performance penalty that occurs from having to wait for a http response to retrieve the discovery doc when initializing the client.

Hi,

As mentioned here, it seems not possible to automate the way we can get authorization code, before getting access token and refresh token (which is taken into account thanks to get_bearer_token method). This is an issue for browserless, server side solutions interacting with intuit quickbooks API.

Since the refresh token doesn't last more than 1 day (the 100 days was never guaranteed), is there a planned solution for this ? Thanks a lot !

I am using intuit-oauth in django rest framework.
I created a account in intuit developer. in the key section able to find client_id and client_secret. added redirect_uri as http://localhost:8000/callback.
auth_client = AuthClient(
client_id,
client_secret,
redirect_uri,
environment,

url = auth_client.get_authorization_url([Scopes.Accounting])
how do i get the auth_code?
auth_client.get_bearer_token(auth_code, realm_id=realm_id)

This value never appears to be updated anywhere in the project. So no matter when this variable is referenced--it will always be None. One would imagine that this would need to be updated at some point, right? Of course, I could be missing something here as well.

Hi, I am running into an issue where AuthClient.refresh does not return a new refresh token, just a new access token. This goes against the behavior specified in the docs an in this Intuit Developer Forum post: https://help.developer.intuit.com/s/question/0D50f00006Kfd2X/refreshtokenasync-returning-invalidgrant.

Code:

old_access_token = client.auth_client.access_token
old_refresh_token = client.auth_client.refresh_token

client.auth_client.refresh(refresh_token=client.auth_client.refresh_token)

new_access_token = client.auth_client.access_token
new_refresh_token = client.auth_client.refresh_token

if old_access_token == new_access_token:
   raise ValueError('Access token has not been changed after refresh!')

if old_refresh_token == new_refresh_token:
    # Exception raised here
    raise ValueError('Refresh token has not been changed after refresh!')

store_new_tokens(access_token, refresh_token)

Seeing a new CVE on the scanners: CVE-2022-40899

The future library is only used here in one place, and there is already a PR #23 to remove it. This is my only third party dependency on future, so it would be very helpful if you could cut a new release without it. Thanks!

It looks like the documentation isn't accurate anymore.

Step 11: https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-2.0

I am running into a problem with AuthClient.get_user_info(). I'm able to get the bearer token successfully, and in the sandbox get_user_info() is working. However, in production I am getting HTTP status 415. The error message is empty string.

What can I do about this? From reading years old posts on developer.intuit.com I'm wondering if there's a wrong setting on my account or something like this. But with no error message I'm guessing...

Reading through the docs here it looks like the auth_client is set up correctly to me...
https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/openid-connect#obtaining-user-profile-information

Works in sandbox. Doesn't work in production. What should I do next?

Big thanks in advance!

ERROR: Cannot install intuit-oauth==1.1.1, intuit-oauth==1.2.0 and intuit-oauth==1.2.4 because these package versions have conflicting dependencies.

The conflict is caused by:
intuit-oauth 1.2.4 depends on future>=0.16.0
intuit-oauth 1.2.0 depends on future>=0.16.0
intuit-oauth 1.1.1 depends on future>=0.16.0

On expiry, a new access token can be retrieved from an existing refresh token. It is outlined [https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-2.0#understand-token-expiration](in the docs.)

It doesn't seem like the auth_client.refresh() function supports that yet. Any workarounds?

It doesn't need to be a Session to have a Session. Subclassing Session drastically increases it's API surface for no benefit.

setuptools 67.3.0 has deprecated pkg_resources.declare_namespace(): https://setuptools.pypa.io/en/latest/history.html#v67-3-0

This is being triggered by importing intuit-oauth:

DeprecationWarning: Deprecated call to `pkg_resources.declare_namespace('intuitlib')`.
  Implementing implicit namespace packages (as specified in PEP 420) is preferred to `pkg_resources.declare_namespace`. See https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
    declare_namespace(pkg)

To remain a namespace package, the __init__.py may be deleted. But I'm not sure the package needs to be a namespace package, and we may be able to use an empty __init__.py instead.

Currently these only set the values in the json response as attributes of the AuthClient this makes it difficult to know which attributes will be available when, for instance, get_bearer_token sets realm_id but refresh doesn't.

We want results of talking to AuthClient to be able to participate in our strict runtime type checking which involves converting a primitive python type into an attrs dataclass. Having to construct this dictionary out of the AuthClient before we can do that is annoying and error prone.

all builds of intuit-oauth (1.1.0 and 1.0.2) will fail when attempting to use pip-compile

Could not find a version that matches coverage==4.0.3,>=4.4
Tried: 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.3.1, 3.4, 3.5, 3.5.1, 3.5.2, 3.5.3, 3.6, 3.7, 3.7.1, 4.0, 4.0, 4.0.1, 4.0.1, 4.0.2, 4.0.2, 4.0.3, 4.0.3, 4.1, 4.1, 4.2, 4.2, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4, 4.4.1, 4.4.2, 4.5, 4.5.1, 4.5.2
Skipped pre-versions: 3.0b3, 3.1b1, 3.2b1, 3.2b2, 3.2b3, 3.2b4, 3.4b1, 3.4b2, 3.5b1, 3.5.1b1, 3.5.2b1, 3.6b1, 3.6b2, 3.6b3, 4.0a1, 4.0a2, 4.0a3, 4.0a4, 4.0a5, 4.0a5, 4.0a5, 4.0a6, 4.0a6, 4.0a6, 4.0b1, 4.0b1, 4.0b2, 4.0b2, 4.0b3, 4.0b3, 4.1b1, 4.1b1, 4.1b2, 4.1b2, 4.1b3, 4.1b3, 4.2b1, 4.2b1, 4.4b1, 5.0a1, 5.0a2, 5.0a3, 5.0a4
There are incompatible versions in the resolved dependencies.

in requirements.txt intuit-oauth specifies python-coveralls and coverage >=4.4

however python-coveralls (v2.9.1 from 2017) requires coverage==4.0.3
in it's setup.py line 25

it is of course impossible to have both coverage>=4.4 and coverage==4.0.3

please adjust your requirements.txt

https://nvd.nist.gov/vuln/detail/CVE-2024-23342

refresh token is expiring within 24hrs. So please let me know
How we can generate new refresh token?

i am tried to below code but is it not working.
new_token = auth_client.refresh

I´m using the Oauth 2.0 flow process with Python SDK, in the step 12 using the get_bearer_token function i get the error shown in the image. I make the peticion in a instance made in node JS and the redirect URl is located in a lambda function made in python. All the credentials are the same (sandbox).

Following the steps this error appears and i verified all the steps and anythings works. I update the python-jose library used by intuit but nothing has worked. Anyone has seen this error? Any hint /advice.