Authentication on refresh has to be explicit but shouldn't be

[jsfan]

RFC 6749 recommends the use of HTTP Basic auth for OAuth2. While requests-oauthlib allows for authentication details to be sent along explicitly when fetching tokens, the credentials would have to be passed to every single request in order for the refresh to work.

Oauth2Session should probably either take the credentials on fetch and then store them to use for refresh or already take them in the constructor.

I am happy to contribute the patch but would like to have an opinion first as to which path to go down.

[Lukasa]

@jsfan Do you have a proposed API for this?

[jsfan]

The approach I tried turned out not to work and I haven't had a chance to revisit and try something else. It has not been forgotten though.

[mmerickel]

Yes auto-refresh seems to be currently broken unless you pass the client_secret along with every request. Ideally this would be stored in the OAuth2Session itself so that it was there when it was needed.

[btimby]

My proposal is to accept client_secret in __init__() for use in refresh_token(). client_id is already passed and accessible.

#264