Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / 82e224b0854950a5607cd028edbcbcdc3e9e6505 / . / tests / test_impersonated_credentials.py
blob: 31075ca8492228c2025b1604c9688ef259d5fdc2 [file] [log] [blame]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]1# Copyright 2018 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15import datetime
16import json
17import os
18
19import mock
20import pytest
21from six.moves import http_client
22
23from google.auth import _helpers
24from google.auth import crypt
25from google.auth import exceptions
26from google.auth import impersonated_credentials
27from google.auth import transport
28from google.auth.impersonated_credentials import Credentials
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame^]29from google.oauth2 import credentials
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]30from google.oauth2 import service_account
31
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]32DATA_DIR = os.path.join(os.path.dirname(__file__), "", "data")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]33
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]34with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]35 PRIVATE_KEY_BYTES = fh.read()
36
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]37SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]38
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]39ID_TOKEN_DATA = (
40 "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2Ew"
41 "Yjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwc"
42 "zovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJle"
43 "HAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6L"
44 "y9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwN"
45 "zA4NTY4In0.redacted"
46)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]47ID_TOKEN_EXPIRY = 1564475051
48
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]49with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]50 SERVICE_ACCOUNT_INFO = json.load(fh)
51
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]52SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
53TOKEN_URI = "https://example.com/oauth2/token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]54
55
56@pytest.fixture
57def mock_donor_credentials():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]58 with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]59 grant.return_value = (
60 "source token",
61 _helpers.utcnow() + datetime.timedelta(seconds=500),
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]62 {},
63 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]64 yield grant
65
66
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]67class MockResponse:
68 def __init__(self, json_data, status_code):
69 self.json_data = json_data
70 self.status_code = status_code
71
72 def json(self):
73 return self.json_data
74
75
76@pytest.fixture
77def mock_authorizedsession_sign():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]78 with mock.patch(
79 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
80 ) as auth_session:
81 data = {"keyId": "1", "signedBlob": "c2lnbmF0dXJl"}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]82 auth_session.return_value = MockResponse(data, http_client.OK)
83 yield auth_session
84
85
86@pytest.fixture
87def mock_authorizedsession_idtoken():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]88 with mock.patch(
89 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
90 ) as auth_session:
91 data = {"token": ID_TOKEN_DATA}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]92 auth_session.return_value = MockResponse(data, http_client.OK)
93 yield auth_session
94
95
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]96class TestImpersonatedCredentials(object):
97
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]98 SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
99 TARGET_PRINCIPAL = "impersonated@project.iam.gserviceaccount.com"
100 TARGET_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]101 DELEGATES = []
102 LIFETIME = 3600
103 SOURCE_CREDENTIALS = service_account.Credentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]104 SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI
105 )
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame^]106 USER_SOURCE_CREDENTIALS = credentials.Credentials(token="ABCDE")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]107
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame^]108 def make_credentials(
109 self,
110 source_credentials=SOURCE_CREDENTIALS,
111 lifetime=LIFETIME,
112 target_principal=TARGET_PRINCIPAL,
113 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]114
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]115 return Credentials(
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame^]116 source_credentials=source_credentials,
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]117 target_principal=target_principal,
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]118 target_scopes=self.TARGET_SCOPES,
119 delegates=self.DELEGATES,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]120 lifetime=lifetime,
121 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]122
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame^]123 def test_make_from_user_credentials(self):
124 credentials = self.make_credentials(
125 source_credentials=self.USER_SOURCE_CREDENTIALS
126 )
127 assert not credentials.valid
128 assert credentials.expired
129
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]130 def test_default_state(self):
131 credentials = self.make_credentials()
132 assert not credentials.valid
133 assert credentials.expired
134
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]135 def make_request(self, data, status=http_client.OK, headers=None, side_effect=None):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]136 response = mock.create_autospec(transport.Response, instance=False)
137 response.status = status
138 response.data = _helpers.to_bytes(data)
139 response.headers = headers or {}
140
141 request = mock.create_autospec(transport.Request, instance=False)
142 request.side_effect = side_effect
143 request.return_value = response
144
145 return request
146
147 def test_refresh_success(self, mock_donor_credentials):
148 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]149 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]150
151 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]152 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
153 ).isoformat("T") + "Z"
154 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]155
156 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]157 data=json.dumps(response_body), status=http_client.OK
158 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]159
160 credentials.refresh(request)
161
162 assert credentials.valid
163 assert not credentials.expired
164
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]165 def test_refresh_failure_malformed_expire_time(self, mock_donor_credentials):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]166 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]167 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]168
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]169 expire_time = (_helpers.utcnow() + datetime.timedelta(seconds=500)).isoformat(
170 "T"
171 )
172 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]173
174 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]175 data=json.dumps(response_body), status=http_client.OK
176 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]177
178 with pytest.raises(exceptions.RefreshError) as excinfo:
179 credentials.refresh(request)
180
181 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
182
183 assert not credentials.valid
184 assert credentials.expired
185
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]186 def test_refresh_failure_unauthorzed(self, mock_donor_credentials):
187 credentials = self.make_credentials(lifetime=None)
188
189 response_body = {
190 "error": {
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]191 "code": 403,
192 "message": "The caller does not have permission",
193 "status": "PERMISSION_DENIED",
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]194 }
195 }
196
197 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]198 data=json.dumps(response_body), status=http_client.UNAUTHORIZED
199 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]200
201 with pytest.raises(exceptions.RefreshError) as excinfo:
202 credentials.refresh(request)
203
204 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
205
206 assert not credentials.valid
207 assert credentials.expired
208
209 def test_refresh_failure_http_error(self, mock_donor_credentials):
210 credentials = self.make_credentials(lifetime=None)
211
212 response_body = {}
213
214 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]215 data=json.dumps(response_body), status=http_client.HTTPException
216 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]217
218 with pytest.raises(exceptions.RefreshError) as excinfo:
219 credentials.refresh(request)
220
221 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
222
223 assert not credentials.valid
224 assert credentials.expired
225
226 def test_expired(self):
227 credentials = self.make_credentials(lifetime=None)
228 assert credentials.expired
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]229
230 def test_signer(self):
231 credentials = self.make_credentials()
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]232 assert isinstance(credentials.signer, impersonated_credentials.Credentials)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]233
234 def test_signer_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]235 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]236 assert credentials.signer_email == self.TARGET_PRINCIPAL
237
238 def test_service_account_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]239 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]240 assert credentials.service_account_email == self.TARGET_PRINCIPAL
241
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]242 def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]243 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]244 token = "token"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]245
246 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]247 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
248 ).isoformat("T") + "Z"
249 token_response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]250
251 response = mock.create_autospec(transport.Response, instance=False)
252 response.status = http_client.OK
253 response.data = _helpers.to_bytes(json.dumps(token_response_body))
254
255 request = mock.create_autospec(transport.Request, instance=False)
256 request.return_value = response
257
258 credentials.refresh(request)
259
260 assert credentials.valid
261 assert not credentials.expired
262
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]263 signature = credentials.sign_bytes(b"signed bytes")
264 assert signature == b"signature"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]265
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]266 def test_id_token_success(
267 self, mock_donor_credentials, mock_authorizedsession_idtoken
268 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]269 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]270 token = "token"
271 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]272
273 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]274 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
275 ).isoformat("T") + "Z"
276 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]277
278 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]279 data=json.dumps(response_body), status=http_client.OK
280 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]281
282 credentials.refresh(request)
283
284 assert credentials.valid
285 assert not credentials.expired
286
287 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]288 credentials, target_audience=target_audience
289 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]290 id_creds.refresh(request)
291
292 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]293 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]294
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]295 def test_id_token_from_credential(
296 self, mock_donor_credentials, mock_authorizedsession_idtoken
297 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]298 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]299 token = "token"
300 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]301
302 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]303 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
304 ).isoformat("T") + "Z"
305 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]306
307 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]308 data=json.dumps(response_body), status=http_client.OK
309 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]310
311 credentials.refresh(request)
312
313 assert credentials.valid
314 assert not credentials.expired
315
316 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]317 credentials, target_audience=target_audience
318 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]319 id_creds = id_creds.from_credentials(target_credentials=credentials)
320 id_creds.refresh(request)
321
322 assert id_creds.token == ID_TOKEN_DATA
323
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]324 def test_id_token_with_target_audience(
325 self, mock_donor_credentials, mock_authorizedsession_idtoken
326 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]327 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]328 token = "token"
329 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]330
331 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]332 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
333 ).isoformat("T") + "Z"
334 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]335
336 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]337 data=json.dumps(response_body), status=http_client.OK
338 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]339
340 credentials.refresh(request)
341
342 assert credentials.valid
343 assert not credentials.expired
344
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]345 id_creds = impersonated_credentials.IDTokenCredentials(credentials)
346 id_creds = id_creds.with_target_audience(target_audience=target_audience)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]347 id_creds.refresh(request)
348
349 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]350 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]351
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]352 def test_id_token_invalid_cred(
353 self, mock_donor_credentials, mock_authorizedsession_idtoken
354 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]355 credentials = None
356
357 with pytest.raises(exceptions.GoogleAuthError) as excinfo:
358 impersonated_credentials.IDTokenCredentials(credentials)
359
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]360 assert excinfo.match("Provided Credential must be" " impersonated_credentials")
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]361
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]362 def test_id_token_with_include_email(
363 self, mock_donor_credentials, mock_authorizedsession_idtoken
364 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]365 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]366 token = "token"
367 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]368
369 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]370 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
371 ).isoformat("T") + "Z"
372 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]373
374 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]375 data=json.dumps(response_body), status=http_client.OK
376 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]377
378 credentials.refresh(request)
379
380 assert credentials.valid
381 assert not credentials.expired
382
383 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]384 credentials, target_audience=target_audience
385 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]386 id_creds = id_creds.with_include_email(True)
387 id_creds.refresh(request)
388
389 assert id_creds.token == ID_TOKEN_DATA