Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / 26a1637697a6849394a612c088aded510190601e / . / google / oauth2 / credentials.py
blob: 6a635ddad99bade2b7c6486e92c7aef6fed8cb0e [file] [log] [blame]
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]1# Copyright 2016 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15"""OAuth 2.0 Credentials.
16
17This module provides credentials based on OAuth 2.0 access and refresh tokens.
18These credentials usually access resources on behalf of a user (resource
19owner).
20
21Specifically, this is intended to use access tokens acquired using the
22`Authorization Code grant`_ and can refresh those tokens using a
23optional `refresh token`_.
24
25Obtaining the initial access and refresh token is outside of the scope of this
26module. Consult `rfc6749 section 4.1`_ for complete details on the
27Authorization Code grant flow.
28
29.. _Authorization Code grant: https://tools.ietf.org/html/rfc6749#section-1.3.1
30.. _refresh token: https://tools.ietf.org/html/rfc6749#section-6
31.. _rfc6749 section 4.1: https://tools.ietf.org/html/rfc6749#section-4.1
32"""
33
34from google.auth import _helpers
35from google.auth import credentials
36from google.oauth2 import _client
37
38
39class Credentials(credentials.Scoped, credentials.Credentials):
40 """Credentials using OAuth 2.0 access and refresh tokens."""
41
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame^]42 def __init__(self, token, refresh_token=None, id_token=None,
43 token_uri=None, client_id=None, client_secret=None,
44 scopes=None):
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]45 """
46 Args:
47 token (Optional(str)): The OAuth 2.0 access token. Can be None
48 if refresh information is provided.
49 refresh_token (str): The OAuth 2.0 refresh token. If specified,
50 credentials can be refreshed.
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame^]51 id_token (str): The Open ID Connect ID Token.
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]52 token_uri (str): The OAuth 2.0 authorization server's token
53 endpoint URI. Must be specified for refresh, can be left as
54 None if the token can not be refreshed.
55 client_id (str): The OAuth 2.0 client ID. Must be specified for
56 refresh, can be left as None if the token can not be refreshed.
57 client_secret(str): The OAuth 2.0 client secret. Must be specified
58 for refresh, can be left as None if the token can not be
59 refreshed.
60 scopes (Sequence[str]): The scopes that were originally used
61 to obtain authorization. This is a purely informative parameter
62 that can be used by :meth:`has_scopes`. OAuth 2.0 credentials
63 can not request additional scopes after authorization.
64 """
65 super(Credentials, self).__init__()
66 self.token = token
67 self._refresh_token = refresh_token
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame^]68 self._id_token = id_token
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]69 self._scopes = scopes
70 self._token_uri = token_uri
71 self._client_id = client_id
72 self._client_secret = client_secret
73
74 @property
Jon Wayne Parrott2d0549a2017-03-01 09:27:16 -0800[diff] [blame]75 def refresh_token(self):
76 """Optional[str]: The OAuth 2.0 refresh token."""
77 return self._refresh_token
78
79 @property
80 def token_uri(self):
81 """Optional[str]: The OAuth 2.0 authorization server's token endpoint
82 URI."""
83 return self._token_uri
84
85 @property
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame^]86 def id_token(self):
87 """Optional[str]: The Open ID Connect ID Token.
88
89 Depending on the authorization server and the scopes requested, this
90 may be populated when credentials are obtained and updated when
91 :meth:`refresh` is called. This token is a JWT. It can be verified
92 and decoded using :func:`google.oauth2.id_token.verify_oauth2_token`.
93 """
94 return self._id_token
95
96 @property
Jon Wayne Parrott2d0549a2017-03-01 09:27:16 -0800[diff] [blame]97 def client_id(self):
98 """Optional[str]: The OAuth 2.0 client ID."""
99 return self._client_id
100
101 @property
102 def client_secret(self):
103 """Optional[str]: The OAuth 2.0 client secret."""
104 return self._client_secret
105
106 @property
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]107 def requires_scopes(self):
108 """False: OAuth 2.0 credentials have their scopes set when
109 the initial token is requested and can not be changed."""
110 return False
111
112 def with_scopes(self, scopes):
113 """Unavailable, OAuth 2.0 credentials can not be re-scoped.
114
115 OAuth 2.0 credentials have their scopes set when the initial token is
116 requested and can not be changed.
117 """
118 raise NotImplementedError(
119 'OAuth 2.0 Credentials can not modify their scopes.')
120
121 @_helpers.copy_docstring(credentials.Credentials)
122 def refresh(self, request):
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame^]123 access_token, refresh_token, expiry, grant_response = (
124 _client.refresh_grant(
125 request, self._token_uri, self._refresh_token, self._client_id,
126 self._client_secret))
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]127
128 self.token = access_token
129 self.expiry = expiry
130 self._refresh_token = refresh_token
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame^]131 self._id_token = grant_response.get('id_token')