Don't accept 403 challenges by default for auth challenges.

Fixes issue #230.

Reviewed in https://codereview.appspot.com/7039053/.

oauth2client/client.py

@@ -57,6 +57,9 @@ ID_TOKEN_VERIFICATON_CERTS = 'https://www.googleapis.com/oauth2/v1/certs'
 # Constant to use for the out of band OAuth 2.0 flow.
 OOB_CALLBACK_URN = 'urn:ietf:wg:oauth:2.0:oob'
 
+# Google Data client libraries may need to set this to [401, 403].
+REFRESH_STATUS_CODES = [401]
+
 
 class Error(Exception):
   """Base error for this module."""
@@ -444,8 +447,7 @@ class OAuth2Credentials(Credentials):
       resp, content = request_orig(uri, method, body, clean_headers(headers),
                                    redirections, connection_type)
 
-      # Older API (GData) respond with 403
+      if resp.status in REFRESH_STATUS_CODES:
-      if resp.status in [401, 403]:
         logger.info('Refreshing due to a %s' % str(resp.status))
         self._refresh(request_orig)
         self.apply(headers)

tests/test_oauth2client.py

@@ -37,7 +37,6 @@ except ImportError:
 from apiclient.http import HttpMock
 from apiclient.http import HttpMockSequence
 from oauth2client.anyjson import simplejson
-from oauth2client.clientsecrets import _loadfile
 from oauth2client.client import AccessTokenCredentials
 from oauth2client.client import AccessTokenCredentialsError
 from oauth2client.client import AccessTokenRefreshError
@@ -49,11 +48,13 @@ from oauth2client.client import NonAsciiHeaderError
 from oauth2client.client import OAuth2Credentials
 from oauth2client.client import OAuth2WebServerFlow
 from oauth2client.client import OOB_CALLBACK_URN
+from oauth2client.client import REFRESH_STATUS_CODES
 from oauth2client.client import VerifyJwtTokenError
 from oauth2client.client import _extract_id_token
 from oauth2client.client import credentials_from_clientsecrets_and_code
 from oauth2client.client import credentials_from_code
 from oauth2client.client import flow_from_clientsecrets
+from oauth2client.clientsecrets import _loadfile
 
 DATA_DIR = os.path.join(os.path.dirname(__file__), 'data')
 
@@ -104,8 +105,7 @@ class BasicCredentialsTests(unittest.TestCase):
       user_agent)
 
   def test_token_refresh_success(self):
-    # Older API (GData) respond with 403
+    for status_code in REFRESH_STATUS_CODES:
-    for status_code in ['401', '403']:
       http = HttpMockSequence([
         ({'status': status_code}, ''),
         ({'status': '200'}, '{"access_token":"1/3w","expires_in":3600}'),
@@ -117,8 +117,7 @@ class BasicCredentialsTests(unittest.TestCase):
       self.assertFalse(self.credentials.access_token_expired)
 
   def test_token_refresh_failure(self):
-    # Older API (GData) respond with 403
+    for status_code in REFRESH_STATUS_CODES:
-    for status_code in ['401', '403']:
       http = HttpMockSequence([
         ({'status': status_code}, ''),
         ({'status': '400'}, '{"error":"access_denied"}'),
@@ -186,8 +185,7 @@ class AccessTokenCredentialsTests(unittest.TestCase):
     self.credentials = AccessTokenCredentials(access_token, user_agent)
 
   def test_token_refresh_success(self):
-    # Older API (GData) respond with 403
+    for status_code in REFRESH_STATUS_CODES:
-    for status_code in ['401', '403']:
       http = HttpMockSequence([
         ({'status': status_code}, ''),
         ])