Last active
January 29, 2019 04:30
-
-
Save tylertreat/2f756ff162b8d4cdc35e7de45a259273 to your computer and use it in GitHub Desktop.
GCP OIDC proxy get Google OIDC token
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
class OIDCToken(object): | |
def __init__(self, token_str): | |
self._token_str = token_str | |
self._claims = jwt.decode(token_str, verify=False) | |
def __str__(self): | |
return self._token_str | |
def is_expired(self): | |
return int(time.time()) >= self._claims['exp'] | |
def _get_google_oidc_token(): | |
"""Get an OpenID Connect token issued by Google for the environment's | |
service account. | |
This function: | |
1. Generates a JWT signed with the service account's private key | |
containing a special "target_audience" claim. | |
2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1 | |
has a target_audience claim, that endpoint will respond with | |
an OpenID Connect token for the service account -- in other words, | |
a JWT signed by *Google*. The aud claim in this JWT will be | |
set to the value from the target_audience claim in #1. | |
For more information, see | |
https://developers.google.com/identity/protocols/OAuth2ServiceAccount . | |
The HTTP/REST example on that page describes the JWT structure and | |
demonstrates how to call the token endpoint. (The example on that page | |
shows how to get an OAuth2 access token; this code is using a | |
modified version of it to get an OpenID Connect token.) | |
""" | |
credentials = Credentials( | |
_signer, _adc_credentials.service_account_email, | |
token_uri=OAUTH_TOKEN_URI, | |
additional_claims={'target_audience': os.getenv('CLIENT_ID')} | |
) | |
service_account_jwt = credentials._make_authorization_grant_assertion() | |
request = GRequest() | |
body = { | |
'assertion': service_account_jwt, | |
'grant_type': google.oauth2._client._JWT_GRANT_TYPE, | |
} | |
token_response = google.oauth2._client._token_endpoint_request( | |
request, OAUTH_TOKEN_URI, body) | |
return OIDCToken(token_response['id_token']) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment