Example wanted: Logging in to legacy API without OAuth 2.0 support and parsing token to oauth_token #491

Open
exetico opened this issue Jul 10, 2024 · 5 comments


exetico commented Jul 10, 2024

Hi,

I've tried and found a way to log in to an API where OAuth 2.0 is not used.
In the API, I login with username and password in the body, and I get a "token" and "expires" in return from my POST request.

I've found the oauth_token (edit: fixed link) and the oauth_token_cached. But I'm not really sure how I should cook the functions together, so I can set and reuse the token, and request a new one, once expired.

After looking through the issues and the documentation, I'm still not sure how to continue from here.

Is there a good example on how I can do this?

Member

hadley commented Jul 10, 2024

Can you point to the API docs you're binding?

Author

exetico commented Jul 10, 2024

Sure. I can also see that my link is broken.

I've noticed that there's an Authenticate request with bearer token (req_auth_bearer_token), but I'd like to make an OAuth-like request (basic POST), where I'm able to parse the token into oauth_token_cached so I'm able to use it in my httr2 requests, and renew the token once it expires. I've seen the req_oauth_password-docs.

A use case:
1/ GET to /test to get an API status (in my R-package)
2/ POST to /login with {"username":"<username>","password":"<password>"} (Normal JSON type) to fetch a token. The response does contain a JSON object with token and expires, so I do need to calculate expires in and parse in the token to oauth_token.
3/ By now, I expect the solution to have the token set, including expire time
4/ Use the Bearer token in other requests to user-related endpoints like /users/me
5/ Secure renewal of the token, once it's expired

I've found the req_oauth which does sound like a function I'd use to get the token, and cache it with httr2 utils, but I'm not really sure how to get this working as expected.

I'm not really sure if that's what you want, but I hope it does make some kind of sense. I'll be using httr2 in an R-package to wrap around an API, so in general, the documentation is *brilliant* already. It's just this use case where I need to fetch a token, store it in cache, and use it, including renewal once needed.

I've already done the 1/ + 2/ to fetch the token with just the regular requests utils, but I've not managed to assign that as an httr2 token resource, to be used in 3/+4/+5/.

Member

hadley commented Jul 11, 2024

I meant docs for the web API you were trying to wrap so I could better understand what it wants. But this more detailed explanation was helpful too, thanks 😄

Yeah, it does sound like req_oauth() is what you want, but unfortunately it's well documented, and I don't remember how it works without spending a few hours getting my brain back into httr2. You might be able to figure it out yourself by looking at some of the other req_oauth_ functions; otherwise I'll try and give you more insight the next time I'm working deeply on httr2.

Author

exetico commented Jul 11, 2024

I totally understand 😄!

I'd like to mention that this is an R-lib for an API that I manage; so I've implemented a minimum level of OAuth 2.0 now, as it's clear that my R skills are not that deep (😆), compared to other languages, at least at this moment.

With that said, maybe other people are looking for a way to handle this case, with an API they're not able to just change in an hour.

Before updating the API I did manage to mock a "test_con_client" fnc. with oauth_client and a "req_auth" fnc. with req_oauth_password. I also sent the "login/auth" request to our API, but I was facing three problems:

  1. How could I force the req_oauth_password solution to send data as a JSON obj., and not urlencoded
  2. How could I force the "flow" to understand that the access_token was within a token key (not access_token)
  3. How could I handle an expires_at key-value, and convert that to an expires_in value to be used in httr2

I know this is an edge case, but if it's already possible to do a thing like this in the library, I guess it would be a good help for a beginner, with something in the docs, to play around with an API with a non-standard approach to authentication.

By handling 1+2+3, or, illustrating how it's possible to parse in the token with code, like "assign this access token y to the httr2 lib, which expires_in x", or similar.

As I've implemented the required specs in the API instead, you're more than welcome to close the issue, if you find it too niche or not that important.
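
An added example, not part of the thread and not httr2's own code: one way to cover the three points in the comment above without `req_oauth()`, by logging in with a JSON body, reading the `token` key, and renewing shortly before expiry. The helper names, the environment variables, the host name and the assumption that `expires` is a Unix timestamp in seconds are hypothetical; `/login` and `/users/me` come from the thread.

```r
library(httr2)

# Hypothetical helper (not part of httr2). Returns a function that yields a
# valid bearer token, logging in again shortly before the old one expires.
# Assumption: the login response is {"token": "...", "expires": <Unix seconds>}.
new_token_provider <- function(base_url, username, password, skew = 30) {
  # Credentials and bearer tokens must never travel over plain HTTP.
  stopifnot(startsWith(base_url, "https://"))
  state <- new.env(parent = emptyenv())  # in-memory only, nothing on disk
  state$token <- NULL
  state$expires_at <- 0

  login <- function() {
    body <- request(base_url) |>
      req_url_path_append("login") |>
      # JSON body instead of the urlencoded form an OAuth password flow sends
      req_body_json(list(username = username, password = password)) |>
      req_perform() |>
      resp_body_json()
    expires_at <- suppressWarnings(as.numeric(body$expires))
    if (!is.character(body$token) || length(body$token) != 1 ||
        !nzchar(body$token) || length(expires_at) != 1 || is.na(expires_at)) {
      stop("Login response lacks a usable token/expires pair", call. = FALSE)
    }
    state$token <- body$token       # key is "token", not "access_token"
    state$expires_at <- expires_at  # expires_in would be expires_at - now
  }

  function() {
    now <- as.numeric(Sys.time())
    if (is.null(state$token) || now >= state$expires_at - skew) login()
    state$token
  }
}

# Build an authenticated request for a user-related endpoint.
api_request <- function(base_url, get_token, ...) {
  request(base_url) |>
    req_url_path_append(...) |>
    req_auth_bearer_token(get_token())
}

# Usage (constructed values; credentials come from the environment, not code):
# get_token <- new_token_provider("https://api.example.com",
#   Sys.getenv("MYAPI_USER"), Sys.getenv("MYAPI_PASSWORD"))
# me <- api_request("https://api.example.com", get_token, "users", "me") |>
#   req_perform() |>
#   resp_body_json()
```

The token is held in a private environment for the lifetime of the R session only, so a restart forces a fresh login rather than reading a token from disk.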

Author

exetico commented Jul 11, 2024

This comment has been removed, and moved into #498.
