authorClancy Childs <clancychilds@users.noreply.github.com>2016-11-28 19:09:30 +0000
committerJon Wayne Parrott <jonwayne@google.com>2016-11-28 11:09:30 -0800
commitf7f656d6aa0ac111a6692ded3eaaa7b1caf1fedc (patch)
tree1bc48780b38f534cd06f37612a12b725e60508e6
parent2da8ccde3f74507990cb551fe48f6d25820e6ab3 (diff)
downloadoauth2client-f7f656d6aa0ac111a6692ded3eaaa7b1caf1fedc.tar.gz
Store original encoded and signed identity JWT in OAuth2Credentials (#680)
-rw-r--r--oauth2client/client.py17
-rw-r--r--tests/test_client.py2
2 files changed, 15 insertions, 4 deletions
diff --git a/oauth2client/client.py b/oauth2client/client.py
index 0a1aff9..de2a314 100644
--- a/oauth2client/client.py
+++ b/oauth2client/client.py
@@ -451,7 +451,7 @@ class OAuth2Credentials(Credentials):
def __init__(self, access_token, client_id, client_secret, refresh_token,
token_expiry, token_uri, user_agent, revoke_uri=None,
id_token=None, token_response=None, scopes=None,
- token_info_uri=None):
+ token_info_uri=None, id_token_jwt=None):
"""Create an instance of OAuth2Credentials.
This constructor is not usually called by the user, instead
@@ -474,8 +474,11 @@ class OAuth2Credentials(Credentials):
because some providers (e.g. wordpress.com) include
extra fields that clients may want.
scopes: list, authorized scopes for these credentials.
- token_info_uri: string, the URI for the token info endpoint. Defaults
- to None; scopes can not be refreshed if this is None.
+ token_info_uri: string, the URI for the token info endpoint.
+ Defaults to None; scopes can not be refreshed if
+ this is None.
+ id_token_jwt: string, the encoded and signed identity JWT. The
+ decoded version of this is stored in id_token.
Notes:
store: callable, A callable that when passed a Credential
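Review bot: The new `id_token_jwt` docstring entry should state that the token is stored as received and that nothing in this change verifies its signature; "signed" on its own can be read as "verified". The decoded claims in `id_token` come from `_extract_id_token`, whose body is not in this diff, so if that helper only decodes the payload segment the same caveat applies to `id_token`. Suggested wording: `id_token_jwt: string, the encoded and signed identity JWT exactly as returned by the token endpoint; its signature is not verified here.` A service that is handed this value still has to check signature, issuer, audience and expiry itself. The docstring continues outside the hunk.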
@@ -493,6 +496,7 @@ class OAuth2Credentials(Credentials):
self.user_agent = user_agent
self.revoke_uri = revoke_uri
self.id_token = id_token
+ self.id_token_jwt = id_token_jwt
self.token_response = token_response
self.scopes = set(_helpers.string_to_scopes(scopes or []))
self.token_info_uri = token_info_uri
@@ -621,6 +625,7 @@ class OAuth2Credentials(Credentials):
data['user_agent'],
revoke_uri=data.get('revoke_uri', None),
id_token=data.get('id_token', None),
+ id_token_jwt=data.get('id_token_jwt', None),
token_response=data.get('token_response', None),
scopes=data.get('scopes', None),
token_info_uri=data.get('token_info_uri', None))
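Review bot: `from_json` reads `id_token` and `id_token_jwt` as two independent keys, so credentials serialized before this change deserialize with decoded claims present and `id_token_jwt` set to None until a later token response supplies one. That state deserves a comment at the new `data.get('id_token_jwt', None)` line, e.g. `# absent in credentials stored by older versions; may be None even when id_token is set`, so callers test for None instead of assuming the two fields arrive together. Nothing here checks that a stored `id_token_jwt` decodes to the stored `id_token`; where the storage backend is not fully trusted, only the raw token, after verification, should be treated as authoritative. The call being modified starts above the hunk.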
@@ -786,8 +791,10 @@ class OAuth2Credentials(Credentials):
self.token_expiry = None
if 'id_token' in d:
self.id_token = _extract_id_token(d['id_token'])
+ self.id_token_jwt = d['id_token']
else:
self.id_token = None
+ self.id_token_jwt = None
# On temporary refresh errors, the user does not actually have to
# re-authorize, so we unflag here.
self.invalid = False
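Review bot: The pair `_extract_id_token(d['id_token'])` / `d['id_token']` is now written out twice, here in the refresh path and again in the OAuth2WebServerFlow hunk below. Because the decoded claims and the raw token must always come from the same response, a small private helper that returns both values (and `None, None` when the key is missing) would keep the two call sites from drifting apart. The enclosing method starts and ends outside the hunk.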
@@ -2059,15 +2066,17 @@ class OAuth2WebServerFlow(Flow):
token_expiry = delta + _UTCNOW()
extracted_id_token = None
+ id_token_jwt = None
if 'id_token' in d:
extracted_id_token = _extract_id_token(d['id_token'])
+ id_token_jwt = d['id_token']
logger.info('Successfully retrieved access token')
return OAuth2Credentials(
access_token, self.client_id, self.client_secret,
refresh_token, token_expiry, self.token_uri, self.user_agent,
revoke_uri=self.revoke_uri, id_token=extracted_id_token,
- token_response=d, scopes=self.scope,
+ id_token_jwt=id_token_jwt, token_response=d, scopes=self.scope,
token_info_uri=self.token_info_uri)
else:
logger.info('Failed to retrieve access token: %s', content)
diff --git a/tests/test_client.py b/tests/test_client.py
index 786b818..18b7df4 100644
--- a/tests/test_client.py
+++ b/tests/test_client.py
@@ -1479,6 +1479,7 @@ class BasicCredentialsTests(unittest.TestCase):
http = self.credentials.authorize(http)
resp, content = transport.request(http, 'http://example.com')
self.assertEqual(self.credentials.id_token, body)
+ self.assertEqual(self.credentials.id_token_jwt, jwt.decode())
class AccessTokenCredentialsTests(unittest.TestCase):
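Review bot: The added assertion here, and the matching one in OAuth2WebServerFlowTest, cover only responses that carry an `id_token`. The `else` branch added in the refresh path, which resets `id_token_jwt` to None, and the new `id_token_jwt` key in `from_json` have no test in this commit. A refresh response without `id_token` and a `to_json`/`from_json` round trip, including JSON that lacks the key, would pin both. The local name `jwt` in `jwt.decode()` appears to be a bytes value rather than a JWT library, which is easy to misread; a name such as `encoded_jwt` would be clearer. The test method begins above the hunk.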
@@ -2085,6 +2086,7 @@ class OAuth2WebServerFlowTest(unittest.TestCase):
credentials = self.flow.step2_exchange(code='some random code',
http=http)
self.assertEqual(credentials.id_token, body)
+ self.assertEqual(credentials.id_token_jwt, jwt.decode())
class FlowFromCachedClientsecrets(unittest.TestCase):