Diffstat (limited to 'google/oauth2/_id_token_async.py')
-rw-r--r-- | google/oauth2/_id_token_async.py | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/google/oauth2/_id_token_async.py b/google/oauth2/_id_token_async.py index 31fcbc6..20630e0 100644 --- a/google/oauth2/_id_token_async.py +++ b/google/oauth2/_id_token_async.py @@ -99,7 +99,11 @@ async def _fetch_certs(request, certs_url): async def verify_token( - id_token, request, audience=None, certs_url=sync_id_token._GOOGLE_OAUTH2_CERTS_URL + id_token, + request, + audience=None, + certs_url=sync_id_token._GOOGLE_OAUTH2_CERTS_URL, + clock_skew_in_seconds=0, ): """Verifies an ID token and returns the decoded token. @@ -112,16 +116,25 @@ async def verify_token( certs_url (str): The URL that specifies the certificates to use to verify the token. This URL should return JSON in the format of ``{'key id': 'x509 certificate'}``. + clock_skew_in_seconds (int): The clock skew used for `iat` and `exp` + validation. Returns: Mapping[str, Any]: The decoded token. """ certs = await _fetch_certs(request, certs_url) - return jwt.decode(id_token, certs=certs, audience=audience) + return jwt.decode( + id_token, + certs=certs, + audience=audience, + clock_skew_in_seconds=clock_skew_in_seconds, + ) -async def verify_oauth2_token(id_token, request, audience=None): +async def verify_oauth2_token( + id_token, request, audience=None, clock_skew_in_seconds=0 +): """Verifies an ID Token issued by Google's OAuth 2.0 authorization server. Args: @@ -131,6 +144,8 @@ async def verify_oauth2_token(id_token, request, audience=None): audience (str): The audience that this token is intended for. This is typically your application's OAuth 2.0 client ID. If None then the audience is not verified. + clock_skew_in_seconds (int): The clock skew used for `iat` and `exp` + validation. Returns: Mapping[str, Any]: The decoded token. 
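Review bot: In `verify_token`, the new `clock_skew_in_seconds` argument goes straight into `jwt.decode` with no type or range check, and the added docstring line does not say what a non-zero value does to token acceptance. How `jwt.decode` applies the value is not visible in this diff, but a skew tolerance normally widens the `iat`/`exp` window, so a large value would keep expired tokens valid for that much longer. I would spell this out in the docstring, for example `clock_skew_in_seconds (int): Tolerance in seconds applied to the iat and exp checks; larger values accept tokens for longer after expiry, so keep this as small as your clock drift requires.` The same docstring text is repeated in the `verify_oauth2_token` and `verify_firebase_token` hunks and needs the same wording. Consider also rejecting non-integer or negative input before the call, e.g. `if clock_skew_in_seconds < 0: raise ValueError("clock_skew_in_seconds must be >= 0")`.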
@@ -143,6 +158,7 @@ async def verify_oauth2_token(id_token, request, audience=None): request, audience=audience, certs_url=sync_id_token._GOOGLE_OAUTH2_CERTS_URL, + clock_skew_in_seconds=clock_skew_in_seconds, ) if idinfo["iss"] not in sync_id_token._GOOGLE_ISSUERS: @@ -155,7 +171,9 @@ async def verify_oauth2_token(id_token, request, audience=None): return idinfo -async def verify_firebase_token(id_token, request, audience=None): +async def verify_firebase_token( + id_token, request, audience=None, clock_skew_in_seconds=0 +): """Verifies an ID Token issued by Firebase Authentication. Args: @@ -165,6 +183,8 @@ async def verify_firebase_token(id_token, request, audience=None): audience (str): The audience that this token is intended for. This is typically your Firebase application ID. If None then the audience is not verified. + clock_skew_in_seconds (int): The clock skew used for `iat` and `exp` + validation. Returns: Mapping[str, Any]: The decoded token. @@ -174,6 +194,7 @@ async def verify_firebase_token(id_token, request, audience=None): request, audience=audience, certs_url=sync_id_token._GOOGLE_APIS_CERTS_URL, + clock_skew_in_seconds=clock_skew_in_seconds, ) |
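Review bot: The new signatures of `verify_firebase_token` and `verify_oauth2_token` (and of `verify_token` in the first hunk) add `clock_skew_in_seconds=0` as an ordinary positional-or-keyword parameter. A caller can therefore pass a fourth positional argument by accident and silently loosen the time checks. Because this option relaxes a security check, I would make it keyword-only so that every use is explicit at the call site: `id_token, request, audience=None, *, clock_skew_in_seconds=0`. The internal calls shown in these hunks already pass it by keyword, so they would not need to change.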