fix: add SAML challenge to reauth (#819)

* fix: add SAML challenge to reauth

* add enable_reauth_refresh flag

* address comments

* fix unit test

* address comments

* update

* update

* update

* update

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Tres Seaver <tseaver@palladion.com>
diff --git a/google/oauth2/challenges.py b/google/oauth2/challenges.py
index 7756a80..0baff62 100644
--- a/google/oauth2/challenges.py
+++ b/google/oauth2/challenges.py
@@ -25,6 +25,9 @@
 
 
 REAUTH_ORIGIN = "https://accounts.google.com"
+SAML_CHALLENGE_MESSAGE = (
+    "Please run `gcloud auth login` to complete reauthentication with SAML."
+)
 
 
 def get_user_password(text):
@@ -148,7 +151,30 @@
         return None
 
 
+class SamlChallenge(ReauthChallenge):
+    """Challenge that asks the users to browse to their ID Providers.
+
+    Currently SAML challenge is not supported. When obtaining the challenge
+    input, exception will be raised to instruct the users to run
+    `gcloud auth login` for reauthentication.
+    """
+
+    @property
+    def name(self):
+        return "SAML"
+
+    @property
+    def is_locally_eligible(self):
+        return True
+
+    def obtain_challenge_input(self, metadata):
+        # Magic Arch has not fully supported returning a proper dedirect URL
+        # for programmatic SAML users today. So we error our here and request
+        # users to use gcloud to complete a login.
+        raise exceptions.ReauthSamlChallengeFailError(SAML_CHALLENGE_MESSAGE)
+
+
 AVAILABLE_CHALLENGES = {
     challenge.name: challenge
-    for challenge in [SecurityKeyChallenge(), PasswordChallenge()]
+    for challenge in [SecurityKeyChallenge(), PasswordChallenge(), SamlChallenge()]
 }
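Review bot: `SamlChallenge.obtain_challenge_input` always raises, yet `is_locally_eligible` returns True and nothing on the method says so, so a reader of the properties alone would expect this challenge to return input like the other entries in `AVAILABLE_CHALLENGES`. I would add a one-line docstring to the method, e.g. `"""Always raises ReauthSamlChallengeFailError; SAML reauth must be completed via gcloud."""`, and note on `is_locally_eligible` that True is deliberate so the challenge is selected and the instruction reaches the user. The inline comment also has two typos worth fixing: `dedirect` should be `redirect` and `error our here` should be `error out here`. The reauth loop that consumes `AVAILABLE_CHALLENGES` and the definition of `exceptions.ReauthSamlChallengeFailError` are outside this hunk, so confirm there that the exception propagates to the caller rather than being caught and treated as a retryable or skipped challenge.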