def test_id_token_jwt_grant_no_access_token():
    """A token response that carries no token must raise ``RefreshError``.

    The stubbed response holds only ``expires_in`` and ``extra``. The test
    pins that the grant fails closed with an exception instead of returning
    an empty token to the caller.
    """
    # No access token.
    token_less_response = {
        'expires_in': 500,
        'extra': 'data'
    }
    request = make_request(token_less_response)

    with pytest.raises(exceptions.RefreshError):
        _client.id_token_jwt_grant(
            request, 'http://example.com', 'assertion_value')
def test_id_token_jwt_grant_no_access_token():
    """Expect ``RefreshError`` when the token endpoint returns no token.

    Only ``expires_in`` and ``extra`` are present in the stubbed response,
    so there is nothing the grant could return as a credential; the call
    has to raise rather than succeed with a missing token.
    """
    # No access token.
    response_without_token = {
        "expires_in": 500,
        "extra": "data",
    }
    request = make_request(response_without_token)

    with pytest.raises(exceptions.RefreshError):
        _client.id_token_jwt_grant(
            request, "http://example.com", "assertion_value")
def refresh(self, request):
    """Obtain a new token through the JWT grant and store it on ``self``.

    Args:
        request: Transport object passed through unchanged to
            ``_client.id_token_jwt_grant``.
    """
    grant_assertion = self._make_authorization_grant_assertion()
    # The grant returns three values; the third is not needed here and is
    # discarded. Token and expiry are replaced together from one response.
    self.token, self.expiry, _ = _client.id_token_jwt_grant(
        request, self._token_uri, grant_assertion
    )
def test_id_token_jwt_grant():
    """Happy path of ``_client.id_token_jwt_grant``.

    Verifies that the request carries the JWT grant type together with the
    assertion, and that the call returns the ID token from the response,
    an expiry equal to the token's ``exp`` claim, and the remaining
    response data.
    """
    issued_at = _helpers.utcnow()
    exp_claim = _helpers.datetime_to_secs(issued_at)
    signed_id_token = jwt.encode(SIGNER, {"exp": exp_claim}).decode("utf-8")
    request = make_request({"id_token": signed_id_token, "extra": "data"})

    token, expiry, extra_data = _client.id_token_jwt_grant(
        request, "http://example.com", "assertion_value")

    # Check request call
    expected_params = {
        "grant_type": _client._JWT_GRANT_TYPE,
        "assertion": "assertion_value"
    }
    verify_request_params(request, expected_params)

    # Check result
    assert token == signed_id_token
    # JWT does not store microseconds
    assert expiry == issued_at.replace(microsecond=0)
    assert extra_data["extra"] == "data"
def refresh(self, request):
    """Refreshes the ID token.

    Two sources are supported: the metadata identity endpoint, when
    ``self._use_metadata_identity_endpoint`` is set, and otherwise a JWT
    grant against ``self._token_uri``.

    Args:
        request (google.auth.transport.Request): The object used to make
            HTTP requests.

    Raises:
        google.auth.exceptions.RefreshError: If the credentials could
            not be refreshed.
        ValueError: If extracting expiry from the obtained ID token fails.
    """
    if self._use_metadata_identity_endpoint:
        # Metadata path: the helper returns the (token, expiry) pair.
        metadata_token, metadata_expiry = self._call_metadata_identity_endpoint(
            request
        )
        self.token = metadata_token
        self.expiry = metadata_expiry
        return

    # Grant path: exchange a freshly built assertion at the token URI.
    # The third element of the result is not used here.
    grant_assertion = self._make_authorization_grant_assertion()
    self.token, self.expiry, _ = _client.id_token_jwt_grant(
        request, self._token_uri, grant_assertion
    )
def test_id_token_jwt_grant():
    """Exercise a successful ``_client.id_token_jwt_grant`` round trip.

    The stubbed response contains a signed ID token whose ``exp`` claim is
    the current time. The test checks the outgoing grant parameters and
    that the token, the expiry taken from ``exp``, and the extra response
    data are all returned.
    """
    current_time = _helpers.utcnow()
    exp_seconds = _helpers.datetime_to_secs(current_time)
    encoded_token = jwt.encode(SIGNER, {'exp': exp_seconds}).decode('utf-8')
    request = make_request({'id_token': encoded_token, 'extra': 'data'})

    token, expiry, extra_data = _client.id_token_jwt_grant(
        request, 'http://example.com', 'assertion_value')

    # Check request call
    expected_params = {
        'grant_type': _client._JWT_GRANT_TYPE,
        'assertion': 'assertion_value'
    }
    verify_request_params(request, expected_params)

    # Check result
    assert token == encoded_token
    # JWT does not store microseconds
    assert expiry == current_time.replace(microsecond=0)
    assert extra_data['extra'] == 'data'
def force_obtain_id_token(
        credentials: service_account.IDTokenCredentials) -> str:
    """
    Obtain an OIDC ID token for authenticating to Google Cloud services
    and some Google APIs.

    This manually performs the equivalent of `credentials.refresh()`, but
    returns the token instead of storing it on the credentials object.

    The returned string is a bearer credential: treat it as a secret and
    keep it out of logs and error reports.

    Examples:
        ```python
        from drizm_commons.google import force_obtain_id_token
        from google.oauth2 import service_account

        auth = service_account.IDTokenCredentials.from_service_account_file(
            "/path/to/svc.json",
            target_audience="https://example.com/"
        )
        token = force_obtain_id_token(auth)
        ```

    Returns:
        The first element of the JWT grant result (the ID token) as a string.

    Raises:
        Exception: If the grant raises ``RefreshError``. The original error
            is chained as ``__cause__``; the message only suggests an empty
            ``target_audience`` as one possible cause.
    """
    # NOTE: relies on underscore-prefixed members of the credentials object,
    # which are not part of its public interface.
    grant_assertion = credentials._make_authorization_grant_assertion()  # noqa protected
    request = construct_service_authentication_request()

    try:
        grant_result = id_token_jwt_grant(
            request,
            credentials._token_uri,  # noqa protected
            grant_assertion,  # noqa expected type
        )
    except google.auth.exceptions.RefreshError as exc:
        raise Exception(
            "Error when requesting the token, "
            "you may have provided an empty target_audience parameter,"
            " for the Credentials object.") from exc

    # Only the token is needed; expiry and extra data are dropped.
    id_token, *_ = grant_result
    return id_token
def refresh(self, request):
    """Replace ``self.token`` and ``self.expiry`` with freshly granted values.

    Args:
        request: Transport object forwarded as-is to
            ``_client.id_token_jwt_grant``.
    """
    grant_assertion = self._make_authorization_grant_assertion()
    grant_result = _client.id_token_jwt_grant(
        request, self._token_uri, grant_assertion)

    # The grant yields three values; the last one is ignored here.
    new_token, new_expiry, _ = grant_result
    self.token = new_token
    self.expiry = new_expiry