starred/OAuthSwift
1
0
Fork 0
mirror of https://github.com/OAuthSwift/OAuthSwift.git synced 2026-04-26 12:45:52 +03:00
Code Issues 56 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #663] new Withings token refresh endpoint breaks OAuthSwift #431

New issue
Open
opened 2026-03-03 16:48:38 +03:00 by kerem · 1 comment
kerem commented 2026-03-03 16:48:38 +03:00
Owner
Copy link

Originally created by @ceramicatheist on GitHub (May 27, 2021).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/663

Description:

Withings recently sent out this announcement to their api users:

Important: Deprecating access and refresh tokens endpoints

As part of our continual improvement, we are migrating the OAuth 2.0 endpoints. The deprecated services will continue to operate normally until September 2021. Please review the article below to get more information on the breaking change.

with more detail here: https://support.withings.com/hc/en-us/articles/360016745358-Deprecating-access-and-refresh-tokens-endpoints
and here: http://developer.withings.com/api-reference#operation/oauth2-refreshaccesstoken

Unfortunately, the new endpoint:

  • requires a parameter action, with value "requesttoken"
  • requires parameter grant_type to equal "refresh_token" (not "authorization_code");
  • and has the response structured differently: the keys of the response are now just body and status, with the former keys, including code, all in an object down below body.

This breaks OAuthSwift. The parameters it sends when getting or renewing an access token are wrong, and so Withings responds with an error. Looking at the source, it's also clear that the new response format would not be correctly parsed.

Handling of the above is all hard-coded in OAuthSwift, with no obvious way to override with e.g. a subclass: while certain functions are open, the functions they themselves call are private, so I can't intercept either the parameter construction or the response parsing. I reviewed #628, and it does not address the problem: non-public methods of OAuth2Swift make replacing the relevant methods not possible.

What should be done here? Is this properly dealt with at the OAuthSwift end or the Withings end? Could there be a strategy for handling this bizarre token-refresh endpoint that I'm not seeing?

I will send Withings a note pointing at this ticket to see if they have anything to contribute.

OAuth Provider:

Withings

OAuth Version:

  • Version 1
  • Version 2

OS (Please fill the version) :

  • iOS : 14.6
  • OSX :
  • TVOS :
  • WatchOS :

Installation method:

  • Carthage
  • CocoaPods
  • Swift Package Manager
  • Manually

Library version:

  • head
  • v2.1.0
  • v2.0.0
  • v1.4.1
  • other: (Please fill in the version you are using.)

Xcode version:

  • 11.4 (Swift 5.2)

  • 11.x (Swift 5.1)

  • 10.x (Swift 5.0)

  • other: (Please fill in the version you are using.)

  • objective c

Originally created by @ceramicatheist on GitHub (May 27, 2021). Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/663 ### Description: Withings recently sent out this announcement to their api users: > Important: Deprecating access and refresh tokens endpoints > -- > As part of our continual improvement, we are migrating the OAuth 2.0 endpoints. The deprecated services will continue to operate normally until September 2021. Please review the article below to get more information on the breaking change. with more detail here: https://support.withings.com/hc/en-us/articles/360016745358-Deprecating-access-and-refresh-tokens-endpoints and here: http://developer.withings.com/api-reference#operation/oauth2-refreshaccesstoken Unfortunately, the new endpoint: - requires a parameter `action`, with value "requesttoken" - requires parameter `grant_type` to equal "refresh_token" (not "authorization_code"); - and has the response structured differently: the keys of the response are now just `body` and `status`, with the former keys, including `code`, all in an object down below `body`. This breaks OAuthSwift. The parameters it sends when getting or renewing an access token are wrong, and so Withings responds with an error. Looking at the source, it's also clear that the new response format would not be correctly parsed. Handling of the above is all hard-coded in OAuthSwift, with no obvious way to override with e.g. a subclass: while certain functions are `open`, the functions they themselves call are private, so I can't intercept either the parameter construction or the response parsing. I reviewed #628, and it does not address the problem: non-public methods of `OAuth2Swift` make replacing the relevant methods not possible. What should be done here? Is this properly dealt with at the OAuthSwift end or the Withings end? Could there be a strategy for handling this bizarre token-refresh endpoint that I'm not seeing? I will send Withings a note pointing at this ticket to see if they have anything to contribute. ### OAuth Provider: Withings ### OAuth Version: - [ ] Version 1 - [X] Version 2 ### OS (Please fill the version) : - [x] iOS : 14.6 - [ ] OSX : - [ ] TVOS : - [ ] WatchOS : ### Installation method: - [ ] Carthage - [ ] CocoaPods - [X] Swift Package Manager - [ ] Manually ### Library version: - [X] head - [ ] v2.1.0 - [ ] v2.0.0 - [ ] v1.4.1 - [ ] other: (Please fill in the version you are using.) ### Xcode version: - [X] 11.4 (Swift 5.2) - [ ] 11.x (Swift 5.1) - [ ] 10.x (Swift 5.0) - [ ] other: (Please fill in the version you are using.) - [ ] objective c
kerem commented 2026-03-03 16:48:39 +03:00
Author
Owner
Copy link

@phimage commented on GitHub (May 27, 2021):

We are open to code modification if they not break other services

It could be some way to override and some variable to configure for this specific service ( a bool for instance, there is already some, yes because no body was to use same spec 😭 )

Making all public/open could make code less maintenable and have a lot of breaking change. So it depends.
So I prefer new parameter with default value, or configuration var when possible

<!-- gh-comment-id:849789023 --> @phimage commented on GitHub (May 27, 2021): We are open to code modification if they not break other services It could be some way to `override` and some variable to configure for this specific service ( a `bool` for instance, there is already some, yes because no body was to use same spec 😭 ) Making all public/open could make code less maintenable and have a lot of breaking change. So it depends. So I prefer new parameter with default value, or configuration var when possible
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
ci/action/danger
ci/action/release-drafter
pkce
ci/action/tvos
ci/travis
2.1.0
2.0.0
fix/fitbiterror
swift3
digu-demo
swift3.0objc
swift2.2
swift2.3
swift2.0
2.2.0
2.1.2
2.1.1
2.1.0
2.0.1
2.0.0
1.4.1
1.4.0
1.3.0
1.2.2
1.2.1
1.2.0
1.1.2
1.1.1
1.1.0
1.0.0
0.6.0
0.5.2
v0.5.2
0.5.1
0.5.0
0.4.8
0.4.6
v0.4.6
0.4.5
v0.4.5
0.4.4
v0.4.4
0.4.3
0.4.2
0.4.1
v0.4.1
0.4.0
v0.4.0
Swift1.x
0.3.7
v0.3.7
0.3.6
v0.3.6
0.3.5
v0.3.5
0.3.4
v0.3.4
0.3.3
v0.3.3
v0.3.2
0.3.2
0.3.1
v0.3.1
0.3.0
v0.3.0
0.2.1
0.2.0
v0.2.0
0.1.9
0.1.8
0.1.7
v0.1.7
v0.1.6
Labels
Clear labels   
bug

   
cocoapod

   
duplicate

   
enhancement

   
feature-request

   
help wanted

   
help wanted

   
invalid

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wontfix
No labels
bug
cocoapod
duplicate
enhancement
feature-request
help wanted
help wanted
invalid
pull-request
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/OAuthSwift#431
No description provided.