OLD | NEW |
(Empty) | |
| 1 # Copyright 2016 Google Inc. |
| 2 # |
| 3 # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 # you may not use this file except in compliance with the License. |
| 5 # You may obtain a copy of the License at |
| 6 # |
| 7 # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 # |
| 9 # Unless required by applicable law or agreed to in writing, software |
| 10 # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 # See the License for the specific language governing permissions and |
| 13 # limitations under the License. |
| 14 |
| 15 """OAuth 2.0 Credentials. |
| 16 |
| 17 This module provides credentials based on OAuth 2.0 access and refresh tokens. |
| 18 These credentials usually access resources on behalf of a user (resource |
| 19 owner). |
| 20 |
| 21 Specifically, this is intended to use access tokens acquired using the |
| 22 `Authorization Code grant`_ and can refresh those tokens using a |
| 23 optional `refresh token`_. |
| 24 |
| 25 Obtaining the initial access and refresh token is outside of the scope of this |
| 26 module. Consult `rfc6749 section 4.1`_ for complete details on the |
| 27 Authorization Code grant flow. |
| 28 |
| 29 .. _Authorization Code grant: https://tools.ietf.org/html/rfc6749#section-1.3.1 |
| 30 .. _refresh token: https://tools.ietf.org/html/rfc6749#section-6 |
| 31 .. _rfc6749 section 4.1: https://tools.ietf.org/html/rfc6749#section-4.1 |
| 32 """ |
| 33 |
| 34 from google.auth import _helpers |
| 35 from google.auth import credentials |
| 36 from google.oauth2 import _client |
| 37 |
| 38 |
| 39 class Credentials(credentials.Scoped, credentials.Credentials): |
| 40 """Credentials using OAuth 2.0 access and refresh tokens.""" |
| 41 |
| 42 def __init__(self, token, refresh_token=None, id_token=None, |
| 43 token_uri=None, client_id=None, client_secret=None, |
| 44 scopes=None): |
| 45 """ |
| 46 Args: |
| 47 token (Optional(str)): The OAuth 2.0 access token. Can be None |
| 48 if refresh information is provided. |
| 49 refresh_token (str): The OAuth 2.0 refresh token. If specified, |
| 50 credentials can be refreshed. |
| 51 id_token (str): The Open ID Connect ID Token. |
| 52 token_uri (str): The OAuth 2.0 authorization server's token |
| 53 endpoint URI. Must be specified for refresh, can be left as |
| 54 None if the token can not be refreshed. |
| 55 client_id (str): The OAuth 2.0 client ID. Must be specified for |
| 56 refresh, can be left as None if the token can not be refreshed. |
| 57 client_secret(str): The OAuth 2.0 client secret. Must be specified |
| 58 for refresh, can be left as None if the token can not be |
| 59 refreshed. |
| 60 scopes (Sequence[str]): The scopes that were originally used |
| 61 to obtain authorization. This is a purely informative parameter |
| 62 that can be used by :meth:`has_scopes`. OAuth 2.0 credentials |
| 63 can not request additional scopes after authorization. |
| 64 """ |
| 65 super(Credentials, self).__init__() |
| 66 self.token = token |
| 67 self._refresh_token = refresh_token |
| 68 self._id_token = id_token |
| 69 self._scopes = scopes |
| 70 self._token_uri = token_uri |
| 71 self._client_id = client_id |
| 72 self._client_secret = client_secret |
| 73 |
| 74 @property |
| 75 def refresh_token(self): |
| 76 """Optional[str]: The OAuth 2.0 refresh token.""" |
| 77 return self._refresh_token |
| 78 |
| 79 @property |
| 80 def token_uri(self): |
| 81 """Optional[str]: The OAuth 2.0 authorization server's token endpoint |
| 82 URI.""" |
| 83 return self._token_uri |
| 84 |
| 85 @property |
| 86 def id_token(self): |
| 87 """Optional[str]: The Open ID Connect ID Token. |
| 88 |
| 89 Depending on the authorization server and the scopes requested, this |
| 90 may be populated when credentials are obtained and updated when |
| 91 :meth:`refresh` is called. This token is a JWT. It can be verified |
| 92 and decoded using :func:`google.oauth2.id_token.verify_oauth2_token`. |
| 93 """ |
| 94 return self._id_token |
| 95 |
| 96 @property |
| 97 def client_id(self): |
| 98 """Optional[str]: The OAuth 2.0 client ID.""" |
| 99 return self._client_id |
| 100 |
| 101 @property |
| 102 def client_secret(self): |
| 103 """Optional[str]: The OAuth 2.0 client secret.""" |
| 104 return self._client_secret |
| 105 |
| 106 @property |
| 107 def requires_scopes(self): |
| 108 """False: OAuth 2.0 credentials have their scopes set when |
| 109 the initial token is requested and can not be changed.""" |
| 110 return False |
| 111 |
| 112 def with_scopes(self, scopes): |
| 113 """Unavailable, OAuth 2.0 credentials can not be re-scoped. |
| 114 |
| 115 OAuth 2.0 credentials have their scopes set when the initial token is |
| 116 requested and can not be changed. |
| 117 """ |
| 118 raise NotImplementedError( |
| 119 'OAuth 2.0 Credentials can not modify their scopes.') |
| 120 |
| 121 @_helpers.copy_docstring(credentials.Credentials) |
| 122 def refresh(self, request): |
| 123 access_token, refresh_token, expiry, grant_response = ( |
| 124 _client.refresh_grant( |
| 125 request, self._token_uri, self._refresh_token, self._client_id, |
| 126 self._client_secret)) |
| 127 |
| 128 self.token = access_token |
| 129 self.expiry = expiry |
| 130 self._refresh_token = refresh_token |
| 131 self._id_token = grant_response.get('id_token') |
OLD | NEW |