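def _call_metadata_identity_endpoint(self, request):
        """Request an ID token from the metadata identity endpoint.

        Args:
            request (google.auth.transport.Request): The object used to make
                HTTP requests.

        Returns:
            Tuple[str, datetime.datetime]: The ID token and the expiry of the
                ID token, as a naive datetime expressed in UTC.

        Raises:
            google.auth.exceptions.RefreshError: If the Compute Engine metadata
                service can't be reached or if the instance has no credentials.
            ValueError: If extracting expiry from the obtained ID token fails.
        """
        # Passing the audience through ``params`` leaves query-string encoding
        # to the metadata helper instead of splicing it into the path by hand.
        path = "instance/service-accounts/default/identity"
        params = {"audience": self._target_audience, "format": "full"}
        try:
            id_token = _metadata.get(request, path, params=params)
        except exceptions.TransportError as caught_exc:
            new_exc = exceptions.RefreshError(caught_exc)
            six.raise_from(new_exc, caught_exc)

        # The token is decoded WITHOUT signature verification, and only its
        # ``exp`` claim is read here. Nothing from this payload should feed an
        # authorization decision; whoever receives the token must verify it.
        _, payload, _, _ = jwt._unverified_decode(id_token)

        # ``exp`` is seconds since the epoch. fromtimestamp() would convert it
        # to the host's local time zone, which skews the expiry by the UTC
        # offset on any non-UTC host once it is compared against a UTC clock
        # (google-auth's expiry checks use naive UTC datetimes): the token then
        # looks valid after it has expired, or expired while still valid.
        return id_token, datetime.datetime.utcfromtimestamp(payload["exp"])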
Exemplo n.º 2
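    def _call_metadata_identity_endpoint(self, request):
        """Request ID token from metadata identity endpoint.

        Args:
            request (google.auth.transport.Request): The object used to make
                HTTP requests.

        Returns:
            Tuple[str, Any]: The ID token and the raw ``exp`` claim taken from
                its payload.

        Raises:
            google.auth.exceptions.RefreshError: If the Compute Engine metadata
                service can't be reached or if the instance has no credentials.
            ValueError: If extracting expiry from the obtained ID token fails.
        """
        # Percent-encode the query instead of formatting the audience into the
        # path verbatim. An audience containing "&", "#", "=" or spaces (for
        # example a URL that has its own query string) would otherwise be split
        # into extra parameters or truncated, so the token would be requested
        # for a different audience than the caller asked for. A list of pairs
        # keeps the parameter order stable on every Python version.
        query = six.moves.urllib.parse.urlencode(
            [("audience", self._target_audience), ("format", "full")]
        )
        path = "instance/service-accounts/default/identity?" + query

        try:
            id_token = _metadata.get(request, path)
        except exceptions.TransportError as caught_exc:
            new_exc = exceptions.RefreshError(caught_exc)
            six.raise_from(new_exc, caught_exc)

        # The token is decoded WITHOUT signature verification, and only its
        # ``exp`` claim is read here. Nothing from this payload should feed an
        # authorization decision; whoever receives the token must verify it.
        _, payload, _, _ = jwt._unverified_decode(id_token)

        # NOTE(review): this returns the raw ``exp`` claim (seconds since the
        # epoch), not a datetime. Confirm that callers compare the expiry as a
        # number before relying on it for validity checks.
        return id_token, payload["exp"]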
Exemplo n.º 3
def test_id_token_from_metadata(http_request):
    """Refresh ID-token credentials via the metadata identity endpoint.

    The token is decoded without signature verification purely to inspect its
    claims; this test does not establish that the token is authentic.
    """
    id_creds = compute_engine.IDTokenCredentials(
        http_request,
        "target_audience",
        use_metadata_identity_endpoint=True,
    )
    id_creds.refresh(http_request)

    _header, claims, _signed, _signature = jwt._unverified_decode(id_creds.token)
    assert claims["aud"] == "target_audience"
    # NOTE(review): this expects credentials.expiry to equal the raw ``exp``
    # claim (a number), not a datetime. Confirm against the library version
    # under test.
    assert claims["exp"] == id_creds.expiry
def test_id_token_from_metadata(http_request):
    """Refresh ID-token credentials via the metadata identity endpoint.

    Checks that the refreshed credentials are valid and that the audience and
    expiry match the token's claims. The token is decoded without signature
    verification purely to inspect those claims.
    """
    id_creds = compute_engine.IDTokenCredentials(
        http_request, AUDIENCE, use_metadata_identity_endpoint=True
    )
    id_creds.refresh(http_request)

    _header, claims, _signed, _signature = jwt._unverified_decode(id_creds.token)
    assert id_creds.valid
    assert claims["aud"] == AUDIENCE
    # NOTE(review): fromtimestamp() converts ``exp`` to the host's local time
    # zone. This only matches a UTC-based expiry on hosts running in UTC;
    # confirm which convention credentials.expiry is meant to follow.
    expected_expiry = datetime.fromtimestamp(claims["exp"])
    assert expected_expiry == id_creds.expiry
def test_fetch_id_token(http_request):
    """Fetch an ID token for AUDIENCE and check its ``aud`` claim.

    The token is decoded without signature verification, so this confirms only
    the audience the token claims, not that the token is authentic.
    """
    fetched = google.oauth2.id_token.fetch_id_token(http_request, AUDIENCE)

    _header, claims, _signed, _signature = jwt._unverified_decode(fetched)
    assert claims["aud"] == AUDIENCE
Exemplo n.º 6
def test_encode_basic(signer):
    """Encode a payload and check the header and payload that come back.

    Decoding skips signature verification, so this checks the structure of
    the encoded token only, not the validity of its signature.
    """
    claims = {'test': 'value'}
    token = jwt.encode(signer, claims)
    decoded_header, decoded_claims, _signed, _signature = jwt._unverified_decode(token)
    assert decoded_claims == claims
    expected_header = {'typ': 'JWT', 'alg': 'RS256', 'kid': signer.key_id}
    assert decoded_header == expected_header
Exemplo n.º 7
def test_encode_basic(signer):
    """Encode a payload and check the header and payload that come back.

    Decoding skips signature verification, so this checks the structure of
    the encoded token only, not the validity of its signature.
    """
    claims = {"test": "value"}
    token = jwt.encode(signer, claims)
    decoded_header, decoded_claims, _signed, _signature = jwt._unverified_decode(token)
    assert decoded_claims == claims
    expected_header = {"typ": "JWT", "alg": "RS256", "kid": signer.key_id}
    assert decoded_header == expected_header
def test_fetch_id_token(http_request):
    """Fetch an ID token for a fixed audience and check its ``aud`` claim.

    The token is decoded without signature verification, so this confirms only
    the audience the token claims, not that the token is authentic.
    """
    audience = "https://pubsub.googleapis.com"
    fetched = google.oauth2.id_token.fetch_id_token(http_request, audience)

    _header, claims, _signed, _signature = jwt._unverified_decode(fetched)
    assert claims["aud"] == audience