Expose id_token in OAuth 2.0 credentials (#150)
diff --git a/google/oauth2/credentials.py b/google/oauth2/credentials.py
index 077a95f..6a635dd 100644
--- a/google/oauth2/credentials.py
+++ b/google/oauth2/credentials.py
@@ -39,14 +39,16 @@
class Credentials(credentials.Scoped, credentials.Credentials):
"""Credentials using OAuth 2.0 access and refresh tokens."""
- def __init__(self, token, refresh_token=None, token_uri=None,
- client_id=None, client_secret=None, scopes=None):
+ def __init__(self, token, refresh_token=None, id_token=None,
+ token_uri=None, client_id=None, client_secret=None,
+ scopes=None):
"""
Args:
token (Optional(str)): The OAuth 2.0 access token. Can be None
if refresh information is provided.
refresh_token (str): The OAuth 2.0 refresh token. If specified,
credentials can be refreshed.
+ id_token (str): The Open ID Connect ID Token.
token_uri (str): The OAuth 2.0 authorization server's token
endpoint URI. Must be specified for refresh, can be left as
None if the token can not be refreshed.
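Review bot: Inserting `id_token` as the third positional parameter of `__init__` shifts every argument after `refresh_token`, so an existing caller that passes `token_uri`, `client_id` and `client_secret` positionally now has them bound one slot early. In that case the client secret is stored in `_client_id`, which the public `client_id` property returns, and `client_secret` is left as None. Appending the new parameter at the end (`scopes=None, id_token=None):`) keeps existing call sites working. The Args entry would also be more accurate as `id_token (Optional(str)): The Open ID Connect ID Token.`, matching how `token` is documented, since it defaults to None. The docstring continues outside the hunk.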
@@ -63,6 +65,7 @@
super(Credentials, self).__init__()
self.token = token
self._refresh_token = refresh_token
+ self._id_token = id_token
self._scopes = scopes
self._token_uri = token_uri
self._client_id = client_id
@@ -80,6 +83,17 @@
return self._token_uri
@property
+ def id_token(self):
+ """Optional[str]: The Open ID Connect ID Token.
+
+ Depending on the authorization server and the scopes requested, this
+ may be populated when credentials are obtained and updated when
+ :meth:`refresh` is called. This token is a JWT. It can be verified
+ and decoded using :func:`google.oauth2.id_token.verify_oauth2_token`.
+ """
+ return self._id_token
+
+ @property
def client_id(self):
"""Optional[str]: The OAuth 2.0 client ID."""
return self._client_id
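Review bot: The `id_token` docstring says the JWT "can be verified", but it does not say that the value this property returns is unverified. From the visible lines the token is stored exactly as passed to `__init__` or as found in the refresh response, so a caller who decodes it and trusts the claims would be skipping signature, audience and expiry checks. I would add a sentence such as `The value is stored as received and is not verified by this class; verify it before relying on any claim it carries.` ahead of the reference to `verify_oauth2_token`.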
@@ -106,10 +120,12 @@
@_helpers.copy_docstring(credentials.Credentials)
def refresh(self, request):
- access_token, refresh_token, expiry, _ = _client.refresh_grant(
- request, self._token_uri, self._refresh_token, self._client_id,
- self._client_secret)
+ access_token, refresh_token, expiry, grant_response = (
+ _client.refresh_grant(
+ request, self._token_uri, self._refresh_token, self._client_id,
+ self._client_secret))
self.token = access_token
self.expiry = expiry
self._refresh_token = refresh_token
+ self._id_token = grant_response.get('id_token')
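Review bot: `grant_response.get('id_token')` on the last line replaces the stored ID token with None whenever the refresh response does not include one, silently discarding a token that was supplied at construction. If clearing is intended, so that a stale ID token is never paired with a fresh access token, a comment saying so would make that explicit: `# Drop any previous ID token if the server did not issue a new one.` If it is not intended, `self._id_token = grant_response.get('id_token', self._id_token)` preserves the earlier value. `refresh` takes its docstring from the base class through `copy_docstring`, so the side effect on `id_token` is documented only in the property. The body of `refresh` may continue outside the hunk.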