def _call_metadata_identity_endpoint(self, request):
    """Fetch an ID token for the target audience from the metadata server.

    Args:
        request (google.auth.transport.Request): The object used to make
            HTTP requests.

    Returns:
        Tuple[str, datetime.datetime]: The ID token and the expiry of the
            ID token.

    Raises:
        google.auth.exceptions.RefreshError: If the Compute Engine metadata
            service can't be reached or if the instance has no credentials.
        ValueError: If extracting expiry from the obtained ID token fails.
    """
    identity_path = "instance/service-accounts/default/identity"
    # The audience travels as a query parameter rather than being spliced
    # into the path string, so encoding is left to the metadata helper.
    query = {"audience": self._target_audience, "format": "full"}

    try:
        id_token = _metadata.get(request, identity_path, params=query)
    except exceptions.TransportError as caught_exc:
        # Surface transport failures as a refresh failure, keeping the cause.
        six.raise_from(exceptions.RefreshError(caught_exc), caught_exc)

    # The token is decoded WITHOUT signature verification; the claims are
    # read here only to learn the expiry and must not be used for any
    # trust decision.
    _, claims, _, _ = jwt._unverified_decode(id_token)

    # NOTE(review): fromtimestamp() yields a naive datetime in the local
    # timezone. Confirm that whatever compares this expiry uses the same
    # convention; a UTC comparison would shift the effective lifetime by
    # the host's UTC offset.
    # NOTE(review): a token without an "exp" claim raises KeyError here,
    # not the documented ValueError -- confirm callers are fine with that.
    expiry = datetime.datetime.fromtimestamp(claims["exp"])
    return id_token, expiry
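def _call_metadata_identity_endpoint(self, request):
    """Request ID token from metadata identity endpoint.

    Args:
        request (google.auth.transport.Request): The object used to make
            HTTP requests.

    Returns:
        Tuple[str, Any]: The ID token and the raw value of its ``exp``
            claim, exactly as it appears in the token payload.

    Raises:
        google.auth.exceptions.RefreshError: If the Compute Engine metadata
            service can't be reached or if the instance has no credentials.
        ValueError: If extracting expiry from the obtained ID token fails.
    """
    # Percent-encode the audience before placing it in the query string.
    # Interpolated raw, an audience containing "&", "#" or "=" would change
    # the structure of the query (e.g. add or override parameters) instead
    # of being sent as a single value. The value is stringified first, the
    # same way str.format() did in the unescaped version.
    audience = six.moves.urllib.parse.quote(
        "{}".format(self._target_audience), safe=""
    )
    path = "instance/service-accounts/default/identity?audience={}&format=full".format(
        audience
    )

    try:
        id_token = _metadata.get(request, path)
    except exceptions.TransportError as caught_exc:
        # Report transport failures as a refresh failure, chaining the cause.
        new_exc = exceptions.RefreshError(caught_exc)
        six.raise_from(new_exc, caught_exc)

    # Decoded WITHOUT signature verification: the payload is consulted only
    # for the expiry and must not be relied on for any trust decision.
    _, payload, _, _ = jwt._unverified_decode(id_token)
    # NOTE(review): a missing "exp" claim raises KeyError, not ValueError.
    return id_token, payload["exp"]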
def test_id_token_from_metadata(http_request):
    """Refresh via the metadata identity endpoint and check aud and exp."""
    creds = compute_engine.IDTokenCredentials(
        http_request,
        "target_audience",
        use_metadata_identity_endpoint=True,
    )
    creds.refresh(http_request)

    # Claims are read without signature verification, so this test checks
    # what the token says, not that it is authentic.
    _, claims, _, _ = jwt._unverified_decode(creds.token)

    assert claims["aud"] == "target_audience"
    # Here the credentials expose the raw "exp" claim as their expiry.
    assert claims["exp"] == creds.expiry
def test_id_token_from_metadata(http_request):
    """Refresh via the metadata identity endpoint; check validity, aud, exp."""
    creds = compute_engine.IDTokenCredentials(
        http_request,
        AUDIENCE,
        use_metadata_identity_endpoint=True,
    )
    creds.refresh(http_request)

    # Claims are read without signature verification, so this test checks
    # what the token says, not that it is authentic.
    _, claims, _, _ = jwt._unverified_decode(creds.token)

    assert creds.valid
    assert claims["aud"] == AUDIENCE
    # NOTE(review): fromtimestamp() converts to naive local time; this
    # mirrors the conversion the credentials are expected to apply, so the
    # check cannot tell a local-time expiry from a UTC one.
    assert datetime.fromtimestamp(claims["exp"]) == creds.expiry
def test_fetch_id_token(http_request):
    """Fetch an ID token for AUDIENCE and check its ``aud`` claim."""
    fetched = google.oauth2.id_token.fetch_id_token(http_request, AUDIENCE)

    # Only the claims are inspected; the signature is not verified here.
    _, claims, _, _ = jwt._unverified_decode(fetched)

    assert claims["aud"] == AUDIENCE
def test_encode_basic(signer):
    """Encode a small payload and check the decoded header and payload."""
    expected_payload = {'test': 'value'}
    expected_header = {'typ': 'JWT', 'alg': 'RS256', 'kid': signer.key_id}

    token = jwt.encode(signer, expected_payload)

    # Decoding skips signature verification; this test is about the encoded
    # structure only.
    header, payload, _, _ = jwt._unverified_decode(token)

    assert payload == expected_payload
    assert header == expected_header
def test_encode_basic(signer):
    """Encode a small payload and check the decoded header and payload."""
    expected_payload = {"test": "value"}
    expected_header = {"typ": "JWT", "alg": "RS256", "kid": signer.key_id}

    token = jwt.encode(signer, expected_payload)

    # Decoding skips signature verification; this test is about the encoded
    # structure only.
    header, payload, _, _ = jwt._unverified_decode(token)

    assert payload == expected_payload
    assert header == expected_header
def test_fetch_id_token(http_request):
    """Fetch an ID token for a fixed audience and check its ``aud`` claim."""
    expected_audience = "https://pubsub.googleapis.com"
    fetched = google.oauth2.id_token.fetch_id_token(
        http_request, expected_audience
    )

    # Only the claims are inspected; the signature is not verified here.
    _, claims, _, _ = jwt._unverified_decode(fetched)

    assert claims["aud"] == expected_audience