From db514116f0360e20c82dc2a797fdf31943916e53 Mon Sep 17 00:00:00 2001
From: Hugh Chan
Date: Mon, 3 Dec 2018 15:01:41 +1100
Subject: [PATCH 1/3] OAuth2Session request shouldn't require a client_secret for token refresh
---
 requests_oauthlib/oauth2_session.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requests_oauthlib/oauth2_session.py b/requests_oauthlib/oauth2_session.py
index 7ad7b46c..632154ff 100644
--- a/requests_oauthlib/oauth2_session.py
+++ b/requests_oauthlib/oauth2_session.py
@@ -313,7 +313,7 @@ def refresh_token(self, token_url, refresh_token=None, body='', auth=None,
 return self.token
 def request(self, method, url, data=None, headers=None, withhold_token=False,
- client_id=None, client_secret=None, **kwargs):
+ client_id=None, client_secret='', **kwargs):
 """Intercept all requests and add the OAuth 2 token if present."""
 if not is_secure_transport(url):
 raise InsecureTransportError()
@@ -336,7 +336,7 @@ def request(self, method, url, data=None, headers=None, withhold_token=False,
 # We mustn't pass auth twice.
 auth = kwargs.pop('auth', None)
- if client_id and client_secret and (auth is None):
+ if client_id and (auth is None):
 log.debug('Encoding client_id "%s" with client_secret as Basic auth credentials.', client_id)
 auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
 token = self.refresh_token(
From 736b3c490933f61f05723cdce3250165a7109682 Mon Sep 17 00:00:00 2001
From: Hugh Chan
Date: Mon, 3 Dec 2018 15:47:37 +1100
Subject: [PATCH 2/3] client_id is not a request level value. auth should be available through auto_refresh_kwargs
---
 requests_oauthlib/oauth2_session.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/requests_oauthlib/oauth2_session.py b/requests_oauthlib/oauth2_session.py
index 632154ff..903a9643 100644
--- a/requests_oauthlib/oauth2_session.py
+++ b/requests_oauthlib/oauth2_session.py
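Review bot: An explicit `client_secret=None` now reaches `HTTPBasicAuth(client_id, client_secret)` in [PATCH 1/3], because the guard in the second hunk became `if client_id and (auth is None):` and only the default in the first hunk was changed to `''`. As far as I recall, requests coerces non-string credentials with `str()`, so the token endpoint would then be sent the literal password `None`; normalising with `client_secret = client_secret or ''` before building the auth object avoids that. The docstring of `request()` should also say that a public client (a `client_id` with no secret) now sends a Basic header with an empty password on auto-refresh, since some authorization servers expect the `client_id` in the body instead. The body of `request()` starts and ends outside both hunks.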
@@ -282,6 +282,15 @@ def refresh_token(self, token_url, refresh_token=None, body='', auth=None,
 log.debug('Adding auto refresh key word arguments %s.',
 self.auto_refresh_kwargs)
 kwargs.update(self.auto_refresh_kwargs)
+
+ auth = auth or kwargs.get('auth', None)
+ client_id = kwargs.get('client_id', None)
+ client_secret = kwargs.get('client_secret', '')
+
+ if client_id and (auth is None):
+ log.debug('Encoding client_id "%s" with client_secret as Basic auth credentials.', client_id)
+ auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
+
 body = self._client.prepare_refresh_body(body=body, refresh_token=refresh_token, scope=self.scope, **kwargs)
 log.debug('Prepared refresh token request body %s', body)
@@ -312,8 +321,7 @@ def refresh_token(self, token_url, refresh_token=None, body='', auth=None,
 self.token['refresh_token'] = refresh_token
 return self.token
- def request(self, method, url, data=None, headers=None, withhold_token=False,
- client_id=None, client_secret='', **kwargs):
+ def request(self, method, url, data=None, headers=None, withhold_token=False, **kwargs):
 """Intercept all requests and add the OAuth 2 token if present."""
 if not is_secure_transport(url):
 raise InsecureTransportError()
@@ -334,14 +342,7 @@ def request(self, method, url, data=None, headers=None, withhold_token=False,
 log.debug('Auto refresh is set, attempting to refresh at %s.',
 self.auto_refresh_url)
- # We mustn't pass auth twice.
- auth = kwargs.pop('auth', None)
- if client_id and (auth is None):
- log.debug('Encoding client_id "%s" with client_secret as Basic auth credentials.', client_id)
- auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
- token = self.refresh_token(
- self.auto_refresh_url, auth=auth, **kwargs
- )
+ token = self.refresh_token(self.auto_refresh_url, **kwargs)
 if self.token_updater:
 log.debug('Updating token to %s using %s.', token, self.token_updater)
From 2ae1eb693e9f0c3024ffb392b4ab74c96a23f74f Mon Sep 17 00:00:00 2001
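Review bot: The credentials read in the first hunk of [PATCH 2/3] are never removed from `kwargs`: `auth`, `client_id` and `client_secret` are fetched with `kwargs.get(...)`, and the same dict is then expanded into `prepare_refresh_body(..., **kwargs)`, whose result is written out by `log.debug('Prepared refresh token request body %s', body)`. If the client library copies extra keyword arguments into the form body (not visible here), the secret would travel both in the Basic header and in the body and would appear in debug logs, and the `auth` object would be stringified into a parameter. Popping them avoids this: `auth = auth or kwargs.pop('auth', None)` and `client_secret = kwargs.pop('client_secret', '')`. The two `get` lines are edited again in [PATCH 3/3] and would need the same change there. `refresh_token` begins and ends outside the hunk.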
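Review bot: A caller-supplied `auth` now stays in `kwargs` after the refresh in the third hunk of [PATCH 2/3], because `auth = kwargs.pop('auth', None)` is deleted along with its comment `# We mustn't pass auth twice.`. If the remainder of `request()` (outside the hunk) forwards `**kwargs` to the underlying session call, the client credentials meant for the token endpoint would also be sent to the resource URL. Keeping the pop preserves the old separation: `auth = kwargs.pop('auth', None)` followed by `token = self.refresh_token(self.auto_refresh_url, auth=auth, **kwargs)`. The second hunk has a related effect: with `client_id`/`client_secret` dropped from the signature, values passed by existing callers fall into `kwargs` and may reach the underlying request as unexpected keywords when no refresh happens.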
From: Hugh Chan
Date: Mon, 3 Dec 2018 16:01:32 +1100
Subject: [PATCH 3/3] None not needed for failed get
---
 requests_oauthlib/oauth2_session.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requests_oauthlib/oauth2_session.py b/requests_oauthlib/oauth2_session.py
index 903a9643..6d4f3902 100644
--- a/requests_oauthlib/oauth2_session.py
+++ b/requests_oauthlib/oauth2_session.py
@@ -283,8 +283,8 @@ def refresh_token(self, token_url, refresh_token=None, body='', auth=None,
 self.auto_refresh_kwargs)
 kwargs.update(self.auto_refresh_kwargs)
- auth = auth or kwargs.get('auth', None)
- client_id = kwargs.get('client_id', None)
+ auth = auth or kwargs.get('auth')
+ client_id = kwargs.get('client_id')
 client_secret = kwargs.get('client_secret', '')
 if client_id and (auth is None):