Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/google/oauth2/service_account.py: 34%

236 statements  

« prev     ^ index     » next       coverage.py v7.3.1, created at 2023-09-25 06:37 +0000

1# Copyright 2016 Google LLC 

2# 

3# Licensed under the Apache License, Version 2.0 (the "License"); 

4# you may not use this file except in compliance with the License. 

5# You may obtain a copy of the License at 

6# 

7# http://www.apache.org/licenses/LICENSE-2.0 

8# 

9# Unless required by applicable law or agreed to in writing, software 

10# distributed under the License is distributed on an "AS IS" BASIS, 

11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 

12# See the License for the specific language governing permissions and 

13# limitations under the License. 

14 

15"""Service Accounts: JSON Web Token (JWT) Profile for OAuth 2.0 

16 

17This module implements the JWT Profile for OAuth 2.0 Authorization Grants 

18as defined by `RFC 7523`_ with particular support for how this RFC is 

19implemented in Google's infrastructure. Google refers to these credentials 

20as *Service Accounts*. 

21 

22Service accounts are used for server-to-server communication, such as 

23interactions between a web application server and a Google service. The 

24service account belongs to your application instead of to an individual end 

25user. In contrast to other OAuth 2.0 profiles, no users are involved and your 

26application "acts" as the service account. 

27 

28Typically an application uses a service account when the application uses 

29Google APIs to work with its own data rather than a user's data. For example, 

30an application that uses Google Cloud Datastore for data persistence would use 

31a service account to authenticate its calls to the Google Cloud Datastore API. 

32However, an application that needs to access a user's Drive documents would 

33use the normal OAuth 2.0 profile. 

34 

35Additionally, Google Apps domain administrators can grant service accounts 

36`domain-wide delegation`_ authority to access user data on behalf of users in 

37the domain. 

38 

39This profile uses a JWT to acquire an OAuth 2.0 access token. The JWT is used 

40in place of the usual authorization token returned during the standard 

41OAuth 2.0 Authorization Code grant. The JWT is only used for this purpose, as 

42the acquired access token is used as the bearer token when making requests 

43using these credentials. 

44 

45This profile differs from normal OAuth 2.0 profile because no user consent 

46step is required. The use of the private key allows this profile to assert 

47identity directly. 

48 

49This profile also differs from the :mod:`google.auth.jwt` authentication 

50because the JWT credentials use the JWT directly as the bearer token. This 

51profile instead only uses the JWT to obtain an OAuth 2.0 access token. The 

52obtained OAuth 2.0 access token is used as the bearer token. 

53 

54Domain-wide delegation 

55---------------------- 

56 

57Domain-wide delegation allows a service account to access user data on 

58behalf of any user in a Google Apps domain without consent from the user. 

59For example, an application that uses the Google Calendar API to add events to 

60the calendars of all users in a Google Apps domain would use a service account 

61to access the Google Calendar API on behalf of users. 

62 

63The Google Apps administrator must explicitly authorize the service account to 

64do this. This authorization step is referred to as "delegating domain-wide 

65authority" to a service account. 

66 

67You can use domain-wise delegation by creating a set of credentials with a 

68specific subject using :meth:`~Credentials.with_subject`. 

69 

70.. _RFC 7523: https://tools.ietf.org/html/rfc7523 

71""" 

72 

73import copy 

74import datetime 

75 

76from google.auth import _helpers 

77from google.auth import _service_account_info 

78from google.auth import credentials 

79from google.auth import exceptions 

80from google.auth import jwt 

81from google.auth import metrics 

82from google.oauth2 import _client 

83 

84_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds 

85_DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" 

86_GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token" 

87 

88 

89class Credentials( 

90 credentials.Signing, 

91 credentials.Scoped, 

92 credentials.CredentialsWithQuotaProject, 

93 credentials.CredentialsWithTokenUri, 

94): 

95 """Service account credentials 

96 

97 Usually, you'll create these credentials with one of the helper 

98 constructors. To create credentials using a Google service account 

99 private key JSON file:: 

100 

101 credentials = service_account.Credentials.from_service_account_file( 

102 'service-account.json') 

103 

104 Or if you already have the service account file loaded:: 

105 

106 service_account_info = json.load(open('service_account.json')) 

107 credentials = service_account.Credentials.from_service_account_info( 

108 service_account_info) 

109 

110 Both helper methods pass on arguments to the constructor, so you can 

111 specify additional scopes and a subject if necessary:: 

112 

113 credentials = service_account.Credentials.from_service_account_file( 

114 'service-account.json', 

115 scopes=['email'], 

116 subject='user@example.com') 

117 

118 The credentials are considered immutable. If you want to modify the scopes 

119 or the subject used for delegation, use :meth:`with_scopes` or 

120 :meth:`with_subject`:: 

121 

122 scoped_credentials = credentials.with_scopes(['email']) 

123 delegated_credentials = credentials.with_subject(subject) 

124 

125 To add a quota project, use :meth:`with_quota_project`:: 

126 

127 credentials = credentials.with_quota_project('myproject-123') 

128 """ 

129 

130 def __init__( 

131 self, 

132 signer, 

133 service_account_email, 

134 token_uri, 

135 scopes=None, 

136 default_scopes=None, 

137 subject=None, 

138 project_id=None, 

139 quota_project_id=None, 

140 additional_claims=None, 

141 always_use_jwt_access=False, 

142 universe_domain=_DEFAULT_UNIVERSE_DOMAIN, 

143 trust_boundary=None, 

144 ): 

145 """ 

146 Args: 

147 signer (google.auth.crypt.Signer): The signer used to sign JWTs. 

148 service_account_email (str): The service account's email. 

149 scopes (Sequence[str]): User-defined scopes to request during the 

150 authorization grant. 

151 default_scopes (Sequence[str]): Default scopes passed by a 

152 Google client library. Use 'scopes' for user-defined scopes. 

153 token_uri (str): The OAuth 2.0 Token URI. 

154 subject (str): For domain-wide delegation, the email address of the 

155 user to for which to request delegated access. 

156 project_id (str): Project ID associated with the service account 

157 credential. 

158 quota_project_id (Optional[str]): The project ID used for quota and 

159 billing. 

160 additional_claims (Mapping[str, str]): Any additional claims for 

161 the JWT assertion used in the authorization grant. 

162 always_use_jwt_access (Optional[bool]): Whether self signed JWT should 

163 be always used. 

164 universe_domain (str): The universe domain. The default 

165 universe domain is googleapis.com. For default value self 

166 signed jwt is used for token refresh. 

167 trust_boundary (str): String representation of trust boundary meta. 

168 

169 .. note:: Typically one of the helper constructors 

170 :meth:`from_service_account_file` or 

171 :meth:`from_service_account_info` are used instead of calling the 

172 constructor directly. 

173 """ 

174 super(Credentials, self).__init__() 

175 

176 self._scopes = scopes 

177 self._default_scopes = default_scopes 

178 self._signer = signer 

179 self._service_account_email = service_account_email 

180 self._subject = subject 

181 self._project_id = project_id 

182 self._quota_project_id = quota_project_id 

183 self._token_uri = token_uri 

184 self._always_use_jwt_access = always_use_jwt_access 

185 if not universe_domain: 

186 self._universe_domain = _DEFAULT_UNIVERSE_DOMAIN 

187 else: 

188 self._universe_domain = universe_domain 

189 

190 if universe_domain != _DEFAULT_UNIVERSE_DOMAIN: 

191 self._always_use_jwt_access = True 

192 

193 self._jwt_credentials = None 

194 

195 if additional_claims is not None: 

196 self._additional_claims = additional_claims 

197 else: 

198 self._additional_claims = {} 

199 self._trust_boundary = "0" 

200 

201 @classmethod 

202 def _from_signer_and_info(cls, signer, info, **kwargs): 

203 """Creates a Credentials instance from a signer and service account 

204 info. 

205 

206 Args: 

207 signer (google.auth.crypt.Signer): The signer used to sign JWTs. 

208 info (Mapping[str, str]): The service account info. 

209 kwargs: Additional arguments to pass to the constructor. 

210 

211 Returns: 

212 google.auth.jwt.Credentials: The constructed credentials. 

213 

214 Raises: 

215 ValueError: If the info is not in the expected format. 

216 """ 

217 return cls( 

218 signer, 

219 service_account_email=info["client_email"], 

220 token_uri=info["token_uri"], 

221 project_id=info.get("project_id"), 

222 universe_domain=info.get("universe_domain", _DEFAULT_UNIVERSE_DOMAIN), 

223 trust_boundary=info.get("trust_boundary"), 

224 **kwargs 

225 ) 

226 

227 @classmethod 

228 def from_service_account_info(cls, info, **kwargs): 

229 """Creates a Credentials instance from parsed service account info. 

230 

231 Args: 

232 info (Mapping[str, str]): The service account info in Google 

233 format. 

234 kwargs: Additional arguments to pass to the constructor. 

235 

236 Returns: 

237 google.auth.service_account.Credentials: The constructed 

238 credentials. 

239 

240 Raises: 

241 ValueError: If the info is not in the expected format. 

242 """ 

243 signer = _service_account_info.from_dict( 

244 info, require=["client_email", "token_uri"] 

245 ) 

246 return cls._from_signer_and_info(signer, info, **kwargs) 

247 

248 @classmethod 

249 def from_service_account_file(cls, filename, **kwargs): 

250 """Creates a Credentials instance from a service account json file. 

251 

252 Args: 

253 filename (str): The path to the service account json file. 

254 kwargs: Additional arguments to pass to the constructor. 

255 

256 Returns: 

257 google.auth.service_account.Credentials: The constructed 

258 credentials. 

259 """ 

260 info, signer = _service_account_info.from_filename( 

261 filename, require=["client_email", "token_uri"] 

262 ) 

263 return cls._from_signer_and_info(signer, info, **kwargs) 

264 

265 @property 

266 def service_account_email(self): 

267 """The service account email.""" 

268 return self._service_account_email 

269 

270 @property 

271 def project_id(self): 

272 """Project ID associated with this credential.""" 

273 return self._project_id 

274 

275 @property 

276 def requires_scopes(self): 

277 """Checks if the credentials requires scopes. 

278 

279 Returns: 

280 bool: True if there are no scopes set otherwise False. 

281 """ 

282 return True if not self._scopes else False 

283 

284 def _make_copy(self): 

285 cred = self.__class__( 

286 self._signer, 

287 service_account_email=self._service_account_email, 

288 scopes=copy.copy(self._scopes), 

289 default_scopes=copy.copy(self._default_scopes), 

290 token_uri=self._token_uri, 

291 subject=self._subject, 

292 project_id=self._project_id, 

293 quota_project_id=self._quota_project_id, 

294 additional_claims=self._additional_claims.copy(), 

295 always_use_jwt_access=self._always_use_jwt_access, 

296 universe_domain=self._universe_domain, 

297 ) 

298 return cred 

299 

300 @_helpers.copy_docstring(credentials.Scoped) 

301 def with_scopes(self, scopes, default_scopes=None): 

302 cred = self._make_copy() 

303 cred._scopes = scopes 

304 cred._default_scopes = default_scopes 

305 return cred 

306 

307 def with_always_use_jwt_access(self, always_use_jwt_access): 

308 """Create a copy of these credentials with the specified always_use_jwt_access value. 

309 

310 Args: 

311 always_use_jwt_access (bool): Whether always use self signed JWT or not. 

312 

313 Returns: 

314 google.auth.service_account.Credentials: A new credentials 

315 instance. 

316 Raises: 

317 google.auth.exceptions.InvalidValue: If the universe domain is not 

318 default and always_use_jwt_access is False. 

319 """ 

320 cred = self._make_copy() 

321 if ( 

322 cred._universe_domain != _DEFAULT_UNIVERSE_DOMAIN 

323 and not always_use_jwt_access 

324 ): 

325 raise exceptions.InvalidValue( 

326 "always_use_jwt_access should be True for non-default universe domain" 

327 ) 

328 cred._always_use_jwt_access = always_use_jwt_access 

329 return cred 

330 

331 def with_subject(self, subject): 

332 """Create a copy of these credentials with the specified subject. 

333 

334 Args: 

335 subject (str): The subject claim. 

336 

337 Returns: 

338 google.auth.service_account.Credentials: A new credentials 

339 instance. 

340 """ 

341 cred = self._make_copy() 

342 cred._subject = subject 

343 return cred 

344 

345 def with_claims(self, additional_claims): 

346 """Returns a copy of these credentials with modified claims. 

347 

348 Args: 

349 additional_claims (Mapping[str, str]): Any additional claims for 

350 the JWT payload. This will be merged with the current 

351 additional claims. 

352 

353 Returns: 

354 google.auth.service_account.Credentials: A new credentials 

355 instance. 

356 """ 

357 new_additional_claims = copy.deepcopy(self._additional_claims) 

358 new_additional_claims.update(additional_claims or {}) 

359 cred = self._make_copy() 

360 cred._additional_claims = new_additional_claims 

361 return cred 

362 

363 @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) 

364 def with_quota_project(self, quota_project_id): 

365 cred = self._make_copy() 

366 cred._quota_project_id = quota_project_id 

367 return cred 

368 

369 @_helpers.copy_docstring(credentials.CredentialsWithTokenUri) 

370 def with_token_uri(self, token_uri): 

371 cred = self._make_copy() 

372 cred._token_uri = token_uri 

373 return cred 

374 

375 def _make_authorization_grant_assertion(self): 

376 """Create the OAuth 2.0 assertion. 

377 

378 This assertion is used during the OAuth 2.0 grant to acquire an 

379 access token. 

380 

381 Returns: 

382 bytes: The authorization grant assertion. 

383 """ 

384 now = _helpers.utcnow() 

385 lifetime = datetime.timedelta(seconds=_DEFAULT_TOKEN_LIFETIME_SECS) 

386 expiry = now + lifetime 

387 

388 payload = { 

389 "iat": _helpers.datetime_to_secs(now), 

390 "exp": _helpers.datetime_to_secs(expiry), 

391 # The issuer must be the service account email. 

392 "iss": self._service_account_email, 

393 # The audience must be the auth token endpoint's URI 

394 "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT, 

395 "scope": _helpers.scopes_to_string(self._scopes or ()), 

396 } 

397 

398 payload.update(self._additional_claims) 

399 

400 # The subject can be a user email for domain-wide delegation. 

401 if self._subject: 

402 payload.setdefault("sub", self._subject) 

403 

404 token = jwt.encode(self._signer, payload) 

405 

406 return token 

407 

408 def _use_self_signed_jwt(self): 

409 # Since domain wide delegation doesn't work with self signed JWT. If 

410 # subject exists, then we should not use self signed JWT. 

411 return self._subject is None and self._jwt_credentials is not None 

412 

413 def _metric_header_for_usage(self): 

414 if self._use_self_signed_jwt(): 

415 return metrics.CRED_TYPE_SA_JWT 

416 return metrics.CRED_TYPE_SA_ASSERTION 

417 

418 @_helpers.copy_docstring(credentials.Credentials) 

419 def refresh(self, request): 

420 if ( 

421 self._universe_domain != _DEFAULT_UNIVERSE_DOMAIN 

422 and not self._jwt_credentials 

423 ): 

424 raise exceptions.RefreshError( 

425 "self._jwt_credentials is missing for non-default universe domain" 

426 ) 

427 if self._universe_domain != _DEFAULT_UNIVERSE_DOMAIN and self._subject: 

428 raise exceptions.RefreshError( 

429 "domain wide delegation is not supported for non-default universe domain" 

430 ) 

431 

432 if self._use_self_signed_jwt(): 

433 self._jwt_credentials.refresh(request) 

434 self.token = self._jwt_credentials.token.decode() 

435 self.expiry = self._jwt_credentials.expiry 

436 else: 

437 assertion = self._make_authorization_grant_assertion() 

438 access_token, expiry, _ = _client.jwt_grant( 

439 request, self._token_uri, assertion 

440 ) 

441 self.token = access_token 

442 self.expiry = expiry 

443 

444 def _create_self_signed_jwt(self, audience): 

445 """Create a self-signed JWT from the credentials if requirements are met. 

446 

447 Args: 

448 audience (str): The service URL. ``https://[API_ENDPOINT]/`` 

449 """ 

450 # https://google.aip.dev/auth/4111 

451 if self._always_use_jwt_access: 

452 if self._scopes: 

453 additional_claims = {"scope": " ".join(self._scopes)} 

454 if ( 

455 self._jwt_credentials is None 

456 or self._jwt_credentials.additional_claims != additional_claims 

457 ): 

458 self._jwt_credentials = jwt.Credentials.from_signing_credentials( 

459 self, None, additional_claims=additional_claims 

460 ) 

461 elif audience: 

462 if ( 

463 self._jwt_credentials is None 

464 or self._jwt_credentials._audience != audience 

465 ): 

466 

467 self._jwt_credentials = jwt.Credentials.from_signing_credentials( 

468 self, audience 

469 ) 

470 elif self._default_scopes: 

471 additional_claims = {"scope": " ".join(self._default_scopes)} 

472 if ( 

473 self._jwt_credentials is None 

474 or additional_claims != self._jwt_credentials.additional_claims 

475 ): 

476 self._jwt_credentials = jwt.Credentials.from_signing_credentials( 

477 self, None, additional_claims=additional_claims 

478 ) 

479 elif not self._scopes and audience: 

480 self._jwt_credentials = jwt.Credentials.from_signing_credentials( 

481 self, audience 

482 ) 

483 

484 @_helpers.copy_docstring(credentials.Signing) 

485 def sign_bytes(self, message): 

486 return self._signer.sign(message) 

487 

488 @property # type: ignore 

489 @_helpers.copy_docstring(credentials.Signing) 

490 def signer(self): 

491 return self._signer 

492 

493 @property # type: ignore 

494 @_helpers.copy_docstring(credentials.Signing) 

495 def signer_email(self): 

496 return self._service_account_email 

497 

498 

499class IDTokenCredentials( 

500 credentials.Signing, 

501 credentials.CredentialsWithQuotaProject, 

502 credentials.CredentialsWithTokenUri, 

503): 

504 """Open ID Connect ID Token-based service account credentials. 

505 

506 These credentials are largely similar to :class:`.Credentials`, but instead 

507 of using an OAuth 2.0 Access Token as the bearer token, they use an Open 

508 ID Connect ID Token as the bearer token. These credentials are useful when 

509 communicating to services that require ID Tokens and can not accept access 

510 tokens. 

511 

512 Usually, you'll create these credentials with one of the helper 

513 constructors. To create credentials using a Google service account 

514 private key JSON file:: 

515 

516 credentials = ( 

517 service_account.IDTokenCredentials.from_service_account_file( 

518 'service-account.json')) 

519 

520 

521 Or if you already have the service account file loaded:: 

522 

523 service_account_info = json.load(open('service_account.json')) 

524 credentials = ( 

525 service_account.IDTokenCredentials.from_service_account_info( 

526 service_account_info)) 

527 

528 

529 Both helper methods pass on arguments to the constructor, so you can 

530 specify additional scopes and a subject if necessary:: 

531 

532 credentials = ( 

533 service_account.IDTokenCredentials.from_service_account_file( 

534 'service-account.json', 

535 scopes=['email'], 

536 subject='user@example.com')) 

537 

538 

539 The credentials are considered immutable. If you want to modify the scopes 

540 or the subject used for delegation, use :meth:`with_scopes` or 

541 :meth:`with_subject`:: 

542 

543 scoped_credentials = credentials.with_scopes(['email']) 

544 delegated_credentials = credentials.with_subject(subject) 

545 

546 """ 

547 

548 def __init__( 

549 self, 

550 signer, 

551 service_account_email, 

552 token_uri, 

553 target_audience, 

554 additional_claims=None, 

555 quota_project_id=None, 

556 universe_domain=_DEFAULT_UNIVERSE_DOMAIN, 

557 ): 

558 """ 

559 Args: 

560 signer (google.auth.crypt.Signer): The signer used to sign JWTs. 

561 service_account_email (str): The service account's email. 

562 token_uri (str): The OAuth 2.0 Token URI. 

563 target_audience (str): The intended audience for these credentials, 

564 used when requesting the ID Token. The ID Token's ``aud`` claim 

565 will be set to this string. 

566 additional_claims (Mapping[str, str]): Any additional claims for 

567 the JWT assertion used in the authorization grant. 

568 quota_project_id (Optional[str]): The project ID used for quota and billing. 

569 universe_domain (str): The universe domain. The default 

570 universe domain is googleapis.com. For default value IAM ID 

571 token endponint is used for token refresh. Note that 

572 iam.serviceAccountTokenCreator role is required to use the IAM 

573 endpoint. 

574 .. note:: Typically one of the helper constructors 

575 :meth:`from_service_account_file` or 

576 :meth:`from_service_account_info` are used instead of calling the 

577 constructor directly. 

578 """ 

579 super(IDTokenCredentials, self).__init__() 

580 self._signer = signer 

581 self._service_account_email = service_account_email 

582 self._token_uri = token_uri 

583 self._target_audience = target_audience 

584 self._quota_project_id = quota_project_id 

585 self._use_iam_endpoint = False 

586 

587 if not universe_domain: 

588 self._universe_domain = _DEFAULT_UNIVERSE_DOMAIN 

589 else: 

590 self._universe_domain = universe_domain 

591 

592 if universe_domain != _DEFAULT_UNIVERSE_DOMAIN: 

593 self._use_iam_endpoint = True 

594 

595 if additional_claims is not None: 

596 self._additional_claims = additional_claims 

597 else: 

598 self._additional_claims = {} 

599 

600 @classmethod 

601 def _from_signer_and_info(cls, signer, info, **kwargs): 

602 """Creates a credentials instance from a signer and service account 

603 info. 

604 

605 Args: 

606 signer (google.auth.crypt.Signer): The signer used to sign JWTs. 

607 info (Mapping[str, str]): The service account info. 

608 kwargs: Additional arguments to pass to the constructor. 

609 

610 Returns: 

611 google.auth.jwt.IDTokenCredentials: The constructed credentials. 

612 

613 Raises: 

614 ValueError: If the info is not in the expected format. 

615 """ 

616 kwargs.setdefault("service_account_email", info["client_email"]) 

617 kwargs.setdefault("token_uri", info["token_uri"]) 

618 if "universe_domain" in info: 

619 kwargs["universe_domain"] = info["universe_domain"] 

620 return cls(signer, **kwargs) 

621 

622 @classmethod 

623 def from_service_account_info(cls, info, **kwargs): 

624 """Creates a credentials instance from parsed service account info. 

625 

626 Args: 

627 info (Mapping[str, str]): The service account info in Google 

628 format. 

629 kwargs: Additional arguments to pass to the constructor. 

630 

631 Returns: 

632 google.auth.service_account.IDTokenCredentials: The constructed 

633 credentials. 

634 

635 Raises: 

636 ValueError: If the info is not in the expected format. 

637 """ 

638 signer = _service_account_info.from_dict( 

639 info, require=["client_email", "token_uri"] 

640 ) 

641 return cls._from_signer_and_info(signer, info, **kwargs) 

642 

643 @classmethod 

644 def from_service_account_file(cls, filename, **kwargs): 

645 """Creates a credentials instance from a service account json file. 

646 

647 Args: 

648 filename (str): The path to the service account json file. 

649 kwargs: Additional arguments to pass to the constructor. 

650 

651 Returns: 

652 google.auth.service_account.IDTokenCredentials: The constructed 

653 credentials. 

654 """ 

655 info, signer = _service_account_info.from_filename( 

656 filename, require=["client_email", "token_uri"] 

657 ) 

658 return cls._from_signer_and_info(signer, info, **kwargs) 

659 

660 def _make_copy(self): 

661 cred = self.__class__( 

662 self._signer, 

663 service_account_email=self._service_account_email, 

664 token_uri=self._token_uri, 

665 target_audience=self._target_audience, 

666 additional_claims=self._additional_claims.copy(), 

667 quota_project_id=self.quota_project_id, 

668 universe_domain=self._universe_domain, 

669 ) 

670 # _use_iam_endpoint is not exposed in the constructor 

671 cred._use_iam_endpoint = self._use_iam_endpoint 

672 return cred 

673 

674 def with_target_audience(self, target_audience): 

675 """Create a copy of these credentials with the specified target 

676 audience. 

677 

678 Args: 

679 target_audience (str): The intended audience for these credentials, 

680 used when requesting the ID Token. 

681 

682 Returns: 

683 google.auth.service_account.IDTokenCredentials: A new credentials 

684 instance. 

685 """ 

686 cred = self._make_copy() 

687 cred._target_audience = target_audience 

688 return cred 

689 

690 def _with_use_iam_endpoint(self, use_iam_endpoint): 

691 """Create a copy of these credentials with the use_iam_endpoint value. 

692 

693 Args: 

694 use_iam_endpoint (bool): If True, IAM generateIdToken endpoint will 

695 be used instead of the token_uri. Note that 

696 iam.serviceAccountTokenCreator role is required to use the IAM 

697 endpoint. The default value is False. This feature is currently 

698 experimental and subject to change without notice. 

699 

700 Returns: 

701 google.auth.service_account.IDTokenCredentials: A new credentials 

702 instance. 

703 Raises: 

704 google.auth.exceptions.InvalidValue: If the universe domain is not 

705 default and use_iam_endpoint is False. 

706 """ 

707 cred = self._make_copy() 

708 if cred._universe_domain != _DEFAULT_UNIVERSE_DOMAIN and not use_iam_endpoint: 

709 raise exceptions.InvalidValue( 

710 "use_iam_endpoint should be True for non-default universe domain" 

711 ) 

712 cred._use_iam_endpoint = use_iam_endpoint 

713 return cred 

714 

715 @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) 

716 def with_quota_project(self, quota_project_id): 

717 cred = self._make_copy() 

718 cred._quota_project_id = quota_project_id 

719 return cred 

720 

721 @_helpers.copy_docstring(credentials.CredentialsWithTokenUri) 

722 def with_token_uri(self, token_uri): 

723 cred = self._make_copy() 

724 cred._token_uri = token_uri 

725 return cred 

726 

727 def _make_authorization_grant_assertion(self): 

728 """Create the OAuth 2.0 assertion. 

729 

730 This assertion is used during the OAuth 2.0 grant to acquire an 

731 ID token. 

732 

733 Returns: 

734 bytes: The authorization grant assertion. 

735 """ 

736 now = _helpers.utcnow() 

737 lifetime = datetime.timedelta(seconds=_DEFAULT_TOKEN_LIFETIME_SECS) 

738 expiry = now + lifetime 

739 

740 payload = { 

741 "iat": _helpers.datetime_to_secs(now), 

742 "exp": _helpers.datetime_to_secs(expiry), 

743 # The issuer must be the service account email. 

744 "iss": self.service_account_email, 

745 # The audience must be the auth token endpoint's URI 

746 "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT, 

747 # The target audience specifies which service the ID token is 

748 # intended for. 

749 "target_audience": self._target_audience, 

750 } 

751 

752 payload.update(self._additional_claims) 

753 

754 token = jwt.encode(self._signer, payload) 

755 

756 return token 

757 

758 def _refresh_with_iam_endpoint(self, request): 

759 """Use IAM generateIdToken endpoint to obtain an ID token. 

760 

761 It works as follows: 

762 

763 1. First we create a self signed jwt with 

764 https://www.googleapis.com/auth/iam being the scope. 

765 

766 2. Next we use the self signed jwt as the access token, and make a POST 

767 request to IAM generateIdToken endpoint. The request body is: 

768 { 

769 "audience": self._target_audience, 

770 "includeEmail": "true", 

771 "useEmailAzp": "true", 

772 } 

773 

774 If the request is succesfully, it will return {"token":"the ID token"}, 

775 and we can extract the ID token and compute its expiry. 

776 """ 

777 jwt_credentials = jwt.Credentials.from_signing_credentials( 

778 self, 

779 None, 

780 additional_claims={"scope": "https://www.googleapis.com/auth/iam"}, 

781 ) 

782 jwt_credentials.refresh(request) 

783 self.token, self.expiry = _client.call_iam_generate_id_token_endpoint( 

784 request, 

785 self.signer_email, 

786 self._target_audience, 

787 jwt_credentials.token.decode(), 

788 ) 

789 

790 @_helpers.copy_docstring(credentials.Credentials) 

791 def refresh(self, request): 

792 if self._use_iam_endpoint: 

793 self._refresh_with_iam_endpoint(request) 

794 else: 

795 assertion = self._make_authorization_grant_assertion() 

796 access_token, expiry, _ = _client.id_token_jwt_grant( 

797 request, self._token_uri, assertion 

798 ) 

799 self.token = access_token 

800 self.expiry = expiry 

801 

802 @property 

803 def service_account_email(self): 

804 """The service account email.""" 

805 return self._service_account_email 

806 

807 @_helpers.copy_docstring(credentials.Signing) 

808 def sign_bytes(self, message): 

809 return self._signer.sign(message) 

810 

811 @property # type: ignore 

812 @_helpers.copy_docstring(credentials.Signing) 

813 def signer(self): 

814 return self._signer 

815 

816 @property # type: ignore 

817 @_helpers.copy_docstring(credentials.Signing) 

818 def signer_email(self): 

819 return self._service_account_email