Store original encoded and signed identity JWT in OAuth2Credentials (#…

…680)
googleapis · Nov 28, 2016 · f7f656d · f7f656d
1 parent 2da8ccd
commit f7f656d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/oauth2client/client.py b/oauth2client/client.py
@@ -451,7 +451,7 @@ class OAuth2Credentials(Credentials):
     def __init__(self, access_token, client_id, client_secret, refresh_token,
                  token_expiry, token_uri, user_agent, revoke_uri=None,
                  id_token=None, token_response=None, scopes=None,
-                 token_info_uri=None):
+                 token_info_uri=None, id_token_jwt=None):
         """Create an instance of OAuth2Credentials.
 
         This constructor is not usually called by the user, instead
@@ -474,8 +474,11 @@ def __init__(self, access_token, client_id, client_secret, refresh_token,
                             because some providers (e.g. wordpress.com) include
                             extra fields that clients may want.
             scopes: list, authorized scopes for these credentials.
-          token_info_uri: string, the URI for the token info endpoint. Defaults
-                          to None; scopes can not be refreshed if this is None.
+            token_info_uri: string, the URI for the token info endpoint.
+                            Defaults to None; scopes can not be refreshed if
+                            this is None.
+            id_token_jwt: string, the encoded and signed identity JWT. The
+                          decoded version of this is stored in id_token.
 
         Notes:
             store: callable, A callable that when passed a Credential
@@ -493,6 +496,7 @@ def __init__(self, access_token, client_id, client_secret, refresh_token,
         self.user_agent = user_agent
         self.revoke_uri = revoke_uri
         self.id_token = id_token
+        self.id_token_jwt = id_token_jwt
         self.token_response = token_response
         self.scopes = set(_helpers.string_to_scopes(scopes or []))
         self.token_info_uri = token_info_uri
@@ -621,6 +625,7 @@ def from_json(cls, json_data):
             data['user_agent'],
             revoke_uri=data.get('revoke_uri', None),
             id_token=data.get('id_token', None),
+            id_token_jwt=data.get('id_token_jwt', None),
             token_response=data.get('token_response', None),
             scopes=data.get('scopes', None),
             token_info_uri=data.get('token_info_uri', None))
@@ -786,8 +791,10 @@ def _do_refresh_request(self, http):
                 self.token_expiry = None
             if 'id_token' in d:
                 self.id_token = _extract_id_token(d['id_token'])
+                self.id_token_jwt = d['id_token']
             else:
                 self.id_token = None
+                self.id_token_jwt = None
             # On temporary refresh errors, the user does not actually have to
             # re-authorize, so we unflag here.
             self.invalid = False
@@ -2059,15 +2066,17 @@ def step2_exchange(self, code=None, http=None, device_flow_info=None):
                 token_expiry = delta + _UTCNOW()
 
             extracted_id_token = None
+            id_token_jwt = None
             if 'id_token' in d:
                 extracted_id_token = _extract_id_token(d['id_token'])
+                id_token_jwt = d['id_token']
 
             logger.info('Successfully retrieved access token')
             return OAuth2Credentials(
                 access_token, self.client_id, self.client_secret,
                 refresh_token, token_expiry, self.token_uri, self.user_agent,
                 revoke_uri=self.revoke_uri, id_token=extracted_id_token,
-                token_response=d, scopes=self.scope,
+                id_token_jwt=id_token_jwt, token_response=d, scopes=self.scope,
                 token_info_uri=self.token_info_uri)
         else:
             logger.info('Failed to retrieve access token: %s', content)

diff --git a/tests/test_client.py b/tests/test_client.py
@@ -1479,6 +1479,7 @@ def test_refresh_updates_id_token(self):
             http = self.credentials.authorize(http)
             resp, content = transport.request(http, 'http://example.com')
             self.assertEqual(self.credentials.id_token, body)
+            self.assertEqual(self.credentials.id_token_jwt, jwt.decode())
 
 
 class AccessTokenCredentialsTests(unittest.TestCase):
@@ -2085,6 +2086,7 @@ def test_exchange_id_token(self):
         credentials = self.flow.step2_exchange(code='some random code',
                                                http=http)
         self.assertEqual(credentials.id_token, body)
+        self.assertEqual(credentials.id_token_jwt, jwt.decode())
 
 
 class FlowFromCachedClientsecrets(unittest.TestCase):