OAuth2Session doesn't use token if netrc is present #278

Closed
ryanhiebert opened this issue May 4, 2017 · 5 comments

Comments

@ryanhiebert
Contributor

ryanhiebert commented May 4, 2017

The Heroku Toolbelt client uses a .netrc file to store its credentials locally. When using OAuth2Session, giving a properly-formed token to the constructor, the auth property on the session is not set, and requests goes and looks for a netrc file to add them in automatically when the request is made. When we have set the token, this really needs to not happen.

The "ideal" fix would be to have the OAuth2Session.auth property set to OAuth2. I definitely don't know the complexities of how difficult this is, but this bug makes OAuth2Session unusable for me, and I'm having to drop down to using OAuth2 auth directly instead for my use-case.

@Lukasa
Member

Lukasa commented May 4, 2017

Yeah, this is a moderate annoyance. Probably a better fix is to provide a no-op auth handler that can deal with this.

@ryanhiebert
Contributor Author

ryanhiebert commented May 4, 2017

That makes sense. I'm thinking that it wouldn't need to be exposed as a public API, since it's just a way of saying "we've already got authentication covered, don't mess with us".

Could that be added universally in the init method, or do we need to add it conditionally, when we have a token to use? If we need to do it selectively, we'll likely need to set and unset it in several places.

@Lukasa
Member

Lukasa commented May 4, 2017

Selectively, sadly. There are some situations where we deliberately use basic auth or other auth handlers.

@ryanhiebert
Contributor Author

I was thinking that those cases could be handled the same as with a standard Session, by initializing it with the No-op auth, and then setting the auth after initialization. This is exactly what's required from a normal Session anyway.

```python
session = OAuth2Session(token=token)
session.auth = MyAuth()
```

Are you saying that there's further complexity within requests-oauthlib that makes that pattern unsuitable?

@Lukasa
Member

Lukasa commented May 4, 2017

That's certainly possible. Worth seeing how that looks in the code, at any rate.
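
Added example, not part of the thread and not requests-oauthlib's own code: it shows a netrc entry replacing a caller-supplied bearer header when `session.auth` is unset, and a no-op auth handler on the session preventing that. Assumptions: `NoOpAuth`, the host `api.example.test`, the token and the netrc entry are constructed, and a plain `requests.Session` with a hand-set `Authorization` header stands in for `OAuth2Session`.

```python
import os
import tempfile

import requests
from requests.auth import AuthBase


class NoOpAuth(AuthBase):
    """Hypothetical handler: changes nothing on the request, but because it
    is set on the session, requests skips its netrc credential lookup."""

    def __call__(self, r):
        return r


def prepared_authorization(session, url, token):
    """Return the Authorization header requests would put on the wire."""
    req = requests.Request("GET", url, headers={"Authorization": f"Bearer {token}"})
    # prepare_request() builds the request without sending anything.
    return session.prepare_request(req).headers["Authorization"]


def demo():
    url = "https://api.example.test/account"  # constructed host, never contacted
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed netrc entry for the same host as the API call.
        path = os.path.join(tmp, "netrc")
        with open(path, "w") as fh:
            fh.write("machine api.example.test login cli-user password cli-secret\n")
        old = os.environ.get("NETRC")
        os.environ["NETRC"] = path  # point requests at the constructed file
        try:
            plain = requests.Session()    # auth unset: netrc fallback applies
            guarded = requests.Session()
            guarded.auth = NoOpAuth()     # auth set: netrc is not consulted
            return (prepared_authorization(plain, url, "tok123"),
                    prepared_authorization(guarded, url, "tok123"))
        finally:
            if old is None:
                os.environ.pop("NETRC", None)
            else:
                os.environ["NETRC"] = old


if __name__ == "__main__":
    without_handler, with_handler = demo()
    print("session.auth unset:", without_handler)
    print("session.auth no-op:", with_handler)
```

The same prepared-header check can be run against a real client in a test suite to confirm that the credential actually sent is the token and not the local netrc entry.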
