Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / cb7b3c4f543bc8458863723d47c16ed685440700 / . / google / oauth2 / credentials.py
blob: f1df88791645af12cbc85d6b5d1d97e4a28ae5df [file] [log] [blame]
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]1# Copyright 2016 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15"""OAuth 2.0 Credentials.
16
17This module provides credentials based on OAuth 2.0 access and refresh tokens.
18These credentials usually access resources on behalf of a user (resource
19owner).
20
21Specifically, this is intended to use access tokens acquired using the
22`Authorization Code grant`_ and can refresh those tokens using a
23optional `refresh token`_.
24
25Obtaining the initial access and refresh token is outside of the scope of this
26module. Consult `rfc6749 section 4.1`_ for complete details on the
27Authorization Code grant flow.
28
29.. _Authorization Code grant: https://tools.ietf.org/html/rfc6749#section-1.3.1
30.. _refresh token: https://tools.ietf.org/html/rfc6749#section-6
31.. _rfc6749 section 4.1: https://tools.ietf.org/html/rfc6749#section-4.1
32"""
33
34from google.auth import _helpers
35from google.auth import credentials
36from google.oauth2 import _client
37
38
Mahmoud Bassiounycb7b3c42017-09-20 09:01:28 -0700[diff] [blame^]39class Credentials(credentials.ReadOnlyScoped, credentials.Credentials):
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]40 """Credentials using OAuth 2.0 access and refresh tokens."""
41
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame]42 def __init__(self, token, refresh_token=None, id_token=None,
43 token_uri=None, client_id=None, client_secret=None,
44 scopes=None):
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]45 """
46 Args:
47 token (Optional(str)): The OAuth 2.0 access token. Can be None
48 if refresh information is provided.
49 refresh_token (str): The OAuth 2.0 refresh token. If specified,
50 credentials can be refreshed.
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame]51 id_token (str): The Open ID Connect ID Token.
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]52 token_uri (str): The OAuth 2.0 authorization server's token
53 endpoint URI. Must be specified for refresh, can be left as
54 None if the token can not be refreshed.
55 client_id (str): The OAuth 2.0 client ID. Must be specified for
56 refresh, can be left as None if the token can not be refreshed.
57 client_secret(str): The OAuth 2.0 client secret. Must be specified
58 for refresh, can be left as None if the token can not be
59 refreshed.
60 scopes (Sequence[str]): The scopes that were originally used
61 to obtain authorization. This is a purely informative parameter
62 that can be used by :meth:`has_scopes`. OAuth 2.0 credentials
63 can not request additional scopes after authorization.
64 """
65 super(Credentials, self).__init__()
66 self.token = token
67 self._refresh_token = refresh_token
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame]68 self._id_token = id_token
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]69 self._scopes = scopes
70 self._token_uri = token_uri
71 self._client_id = client_id
72 self._client_secret = client_secret
73
74 @property
Jon Wayne Parrott2d0549a2017-03-01 09:27:16 -0800[diff] [blame]75 def refresh_token(self):
76 """Optional[str]: The OAuth 2.0 refresh token."""
77 return self._refresh_token
78
79 @property
80 def token_uri(self):
81 """Optional[str]: The OAuth 2.0 authorization server's token endpoint
82 URI."""
83 return self._token_uri
84
85 @property
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame]86 def id_token(self):
87 """Optional[str]: The Open ID Connect ID Token.
88
89 Depending on the authorization server and the scopes requested, this
90 may be populated when credentials are obtained and updated when
91 :meth:`refresh` is called. This token is a JWT. It can be verified
92 and decoded using :func:`google.oauth2.id_token.verify_oauth2_token`.
93 """
94 return self._id_token
95
96 @property
Jon Wayne Parrott2d0549a2017-03-01 09:27:16 -0800[diff] [blame]97 def client_id(self):
98 """Optional[str]: The OAuth 2.0 client ID."""
99 return self._client_id
100
101 @property
102 def client_secret(self):
103 """Optional[str]: The OAuth 2.0 client secret."""
104 return self._client_secret
105
106 @property
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]107 def requires_scopes(self):
108 """False: OAuth 2.0 credentials have their scopes set when
109 the initial token is requested and can not be changed."""
110 return False
111
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]112 @_helpers.copy_docstring(credentials.Credentials)
113 def refresh(self, request):
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame]114 access_token, refresh_token, expiry, grant_response = (
115 _client.refresh_grant(
116 request, self._token_uri, self._refresh_token, self._client_id,
117 self._client_secret))
Jon Wayne Parrott10ec7e92016-10-17 10:46:38 -0700[diff] [blame]118
119 self.token = access_token
120 self.expiry = expiry
121 self._refresh_token = refresh_token
Jon Wayne Parrott26a16372017-03-28 13:03:33 -0700[diff] [blame]122 self._id_token = grant_response.get('id_token')