feat: auto-fetch token for client_credentials grant in OAuth2Session/OAuth2Client #895
Open
liudonggalaxy wants to merge 1 commit into
When OAuth2Session/OAuth2Client is configured with grant_type='client_credentials' and token_endpoint, automatically fetch an access token on the first request instead of raising MissingTokenError/OAuthError. The logic lives in a single _ensure_token() method on the base OAuth2Client class. For async clients, a thin override awaits the coroutine returned by the parent.
Co-authored-by: Copilot <[email protected]>
liudonggalaxy commented May 19, 2026
Comment on lines -137 to -138
| if not self.token: | ||
| raise MissingTokenError() |
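Review bot: Missing regression test for the guard dropped at lines -137 to -138: once request() no longer raises MissingTokenError itself, the error depends on the auth layer reaching ensure_active_token(). Please add a test that a session with no token and a grant type other than client_credentials still raises MissingTokenError, and another for client_credentials configured without a token_endpoint, so the failure stays explicit and no unauthenticated resource request goes out.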
Contributor
Author
Why the if not self.token: raise MissingTokenError() was removed from requests_client/oauth2_session.py's request() method:
The token check and auto-fetch is now handled automatically by the auth layer. When request() sets auth = self.token_auth, it creates an OAuth2Auth instance. During the request, OAuth2Auth.__call__() invokes self.client.ensure_active_token(self.token), which:
- If token is None and grant_type="client_credentials" → calls self.fetch_token() automatically
- If token is None and no auto-fetch is possible → raises MissingTokenError
- If token exists but is expired → refreshes it
So the explicit check in request() was redundant — OAuth2Auth already triggers ensure_active_token() which handles all cases.
What kind of change does this PR introduce?
This is a feature implementation.
When using OAuth2Session (requests) or OAuth2Client (httpx) with the client_credentials grant type, the caller must explicitly call fetch_token() before making any resource request, even though all the required metadata (token_endpoint, grant_type, client_id, client_secret) is already configured on the session. This is inconsistent with AssertionSession, which transparently auto-fetches tokens via ensure_active_token().
Before:
After:
Solution: In request() (and stream() for httpx), when self.token is None and the configured grant_type is "client_credentials", call self.fetch_token() automatically. Since fetch_token() already reads token_endpoint and grant_type from self.metadata when not explicitly provided, the call is simply self.fetch_token() with no arguments needed.
For non-client_credentials grant types, the existing MissingTokenError/OAuthError behavior is preserved unchanged.
Fully backward compatible — sessions that already call fetch_token() explicitly continue to work identically.
Checklist
prek.pragma: no cover
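The three cases described in this pull request (auto-fetch, MissingTokenError, refresh), modelled as an added example that is not code from the PR or from the library. SketchClient, can_auto_fetch, first_request_path, the calls list and the token values are hypothetical stand-ins, and no network request is made.

```python
import time


class MissingTokenError(Exception):
    """Stand-in for the library error of the same name."""


class SketchClient:
    """Hypothetical model of the token decision, not the library's class."""

    def __init__(self, grant_type=None, token_endpoint=None, token=None):
        self.metadata = {"grant_type": grant_type, "token_endpoint": token_endpoint}
        self.token = token
        self.calls = []  # records which path ran, for inspection

    def fetch_token(self):
        # A real client would send client_id/client_secret to token_endpoint here.
        self.calls.append("fetch")
        self.token = {"access_token": "constructed-1", "expires_at": time.time() + 3600}
        return self.token

    def refresh_token(self):
        # Stand-in for whatever renewal the real client performs on expiry.
        self.calls.append("refresh")
        self.token = {"access_token": "constructed-2", "expires_at": time.time() + 3600}
        return self.token

    def can_auto_fetch(self):
        # Credentials are sent implicitly only when both settings are present.
        return (self.metadata["grant_type"] == "client_credentials"
                and bool(self.metadata["token_endpoint"]))

    def ensure_active_token(self):
        if not self.token:
            if not self.can_auto_fetch():
                raise MissingTokenError("no token and no auto-fetch possible")
            return self.fetch_token()
        if self.token["expires_at"] <= time.time():
            return self.refresh_token()
        return self.token


def first_request_path(client):
    """Return the path taken: 'fetch', 'refresh', 'reuse' or 'missing'."""
    before = len(client.calls)
    try:
        client.ensure_active_token()
    except MissingTokenError:
        return "missing"
    return client.calls[-1] if len(client.calls) > before else "reuse"
```
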