feeds_http_oauth

This module (feeds_http_oauth) provides an OAuth 2.0–enabled HTTP fetcher for the Feeds module (Feeds 3.x).

This module adds a new fetcher plugin: Download from url (OAuth 2.0)

It allows Feeds to retrieve data from OAuth-protected HTTP endpoints while preserving all existing core HTTP fetcher behavior.

This module does not patch or modify Feeds core.

Background / Why this module exists

This functionality originally began as a merge from the contrib Feeds module issue:
https://www.drupal.org/project/feeds/issues/3030847

That patch modified the core HTTP Fetcher to add OAuth 2.0 functionality.

That approach proved problematic for several reasons:

• It overloaded the core HTTP fetcher with authentication concerns
• It mixed feed-type configuration and per-feed credentials
• It introduced OAuth-specific schema and UI into all HTTP feeds
• It created long-term maintenance and upstreaming challenges
• It increased the security surface area of a simple fetcher

After review, the OAuth logic was extracted and re-implemented here as a
separate fetcher plugin, which aligns with Feeds’ plugin architecture and separation of concerns.

This module is the result of that refactor.

Design philosophy

This module follows a thin extension model:

• It extends Feeds’ core HttpFetcher
• It reuses the core HTTP fetcher configuration form
• It injects OAuth values at request time only
• It keeps OAuth credentials per feed, not per feed type
• It avoids duplicating or forking core Feeds logic

In other words:

This is the core HTTP fetcher, plus OAuth headers — nothing more.

What this module does

• Adds a new Feeds fetcher: Download from url (OAuth 2.0)
• Supports OAuth 2.0 token acquisition, currently:
  • client_credentials
  • password grant
• Injects the resulting Authorization value into the request
• Preserves all existing HTTP fetcher features:
  • Caching
  • Conditional requests
  • Timeouts
  • Always-download behavior
• Keeps OAuth configuration scoped to individual feed instances

What this module does NOT do

• It does not modify or override the core HTTP fetcher
• It does not add OAuth toggles to existing fetchers
• It does not store credentials globally (see KEY module)
• It does not implement refresh-token caching (yet)
• It does not attempt to normalize provider-specific OAuth quirks

Requirements

• Drupal 10 or 11
• Feeds 3.x
• Key 8.1.x

Enabling

1. Set a feed type to use the new fetcher Download from url (OAuth 2.0)
2. Configure the standard HTTP fetcher options as needed:
   • Request timeout
   • Always download
   • (Optional) Auto detect feeds
   • (Optional) PubSubHubbub
3. Create Key module values for ID & Password
4. Create or edit a Feed entity of the above feed type:
   • Enter the Source URL (the protected API endpoint)
   • Configure OAuth settings:
     • Access Token URL
     • Grant type
     • Send Client ID and secret in (Body or Header)
     • Client ID (select from Key choices)
     • Client Secret (select from Key choices)
     • Scope (optional)
     • Username / Password (password grant only)
   • Run the feed

When the feed runs:

1. An access token is requested from the configured token endpoint
2. The token is added to the HTTP request via the method you selected for the feed.
3. The feed is fetched using Feeds’ normal HTTP handling
4. Parsing and processing proceed as usual

If token acquisition fails, the feed will fail gracefully.

Recommendation Customizations

If you want to set default values for your feed type, consider a hook_form_alter or equivelant. Here is some sample code:

if (
    $form['#form_id'] == "FEED_FORM_ID_HERE"
  ) {
    $form['plugin']['fetcher']['plugin']['fetcher']['oauth']['#title'] .= ' ' . t('(Defaults Already Set)');
    $form['plugin']['fetcher']['plugin']['fetcher']['oauth']['#open'] = FALSE;
    $form['plugin']['fetcher']['plugin']['fetcher']['oauth']['access_token_url']['#default_value'] = 'http://accesstokenurlhere.com/whatever-endpoint';
    $form['plugin']['fetcher']['plugin']['fetcher']['oauth']['client_id']['#default_value'] = 'KEY_MACHINE_NAME_HERE_FOR_ID';
    $form['plugin']['fetcher']['plugin']['fetcher']['oauth']['client_secret']['#default_value'] = 'KEY_MACHINE_NAME_HERE_FOR_SECRET';
  }

Security notes

This module now implements the Key module for maintaining ID and Secret for oAuth token requests. Implement it wisely.

Release Version Plans

• This is currently available as an Alpha state release
• We've had success with it at our Organization.
• Another fellow has had success with it on their projects.
• After a year or so of stability from us or implementation by others, we'll give it a stable release
• Sponsor a pizza party for my team and I'll make it a stable release and fix any issues you may find.