1 # Copyright 2010 Google Inc.
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
16 require 'signet/oauth_2/client'
# Generates access tokens using the JWT assertion profile. Requires a
# service account and access to its private key.
25 # @example Using Signet
27 # key = Google::APIClient::KeyUtils.load_from_pkcs12('client.p12', 'notasecret')
28 # client.authorization = Signet::OAuth2::Client.new(
29 # :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
30 # :audience => 'https://accounts.google.com/o/oauth2/token',
31 # :scope => 'https://www.googleapis.com/auth/prediction',
32 # :issuer => '123456-abcdef@developer.gserviceaccount.com',
33 # :signing_key => key)
34 # client.authorization.fetch_access_token!
37 # @example Deprecated version
39 # client = Google::APIClient.new
40 # key = Google::APIClient::PKCS12.load_key('client.p12', 'notasecret')
41 # service_account = Google::APIClient::JWTAsserter.new(
42 # '123456-abcdef@developer.gserviceaccount.com',
43 # 'https://www.googleapis.com/auth/prediction',
45 # client.authorization = service_account.authorize
# Service accounts are now supported directly in Signet; prefer the "Using Signet" example above.
# @see https://developers.google.com/accounts/docs/OAuth2ServiceAccount
52 # @return [String] ID/email of the issuing party
# @return [Fixnum] How long, in seconds, the assertion is valid for (defaults to 60 in #initialize)
# @return [Fixnum] Seconds by which the issued-at/expiry window is widened to tolerate clock skew
58 # @return [String] Scopes to authorize
60 # @return [String,OpenSSL::PKey] key for signing assertions
# @return [String] Algorithm used for signing ('RS256' or 'HS256'; see #initialize)
63 attr_accessor :algorithm
66 # Initializes the asserter for a service account.
68 # @param [String] issuer
69 # Name/ID of the client issuing the assertion
# @param [String, Array] scope
# Scopes to authorize. May be a space-delimited string or an array of strings
# @param [String,OpenSSL::PKey] key
# Key for signing assertions: the private key (OpenSSL::PKey) for 'RS256',
# or the shared secret (String) for 'HS256'
# @param [String] algorithm
# Algorithm to use, either 'RS256' for RSA with SHA-256 (the default)
# or 'HS256' for HMAC with SHA-256
77 def initialize(issuer, scope, key, algorithm = "RS256")
80 self.expiry = 60 # 1 min default
83 self.algorithm = algorithm
87 # Set the scopes to authorize
# @param [String, Array] new_scope
# Scopes to authorize. May be a space-delimited string or an array of strings
94 @scope = new_scope.join(' ')
100 raise TypeError, "Expected Array or String, got #{new_scope.class}"
105 # Request a new access token.
107 # @param [String] person
108 # Email address of a user, if requesting a token to act on their behalf
109 # @param [Hash] options
110 # Pass through to Signet::OAuth2::Client.fetch_access_token
111 # @return [Signet::OAuth2::Client] Access token
113 # @see Signet::OAuth2::Client.fetch_access_token!
def authorize(person = nil, options={})
  # Build the assertion-backed Signet client for +person+ (nil means the
  # service account itself), then immediately exchange the assertion for a
  # token; whatever fetch_access_token! returns is handed back to the caller.
  to_authorization(person).fetch_access_token!(options)
end
# Builds a Signet OAuth2 client configured for the JWT assertion flow
# @param [String] person
# Email address of a user, if requesting a token to act on their behalf
# @return [Signet::OAuth2::Client] Client ready to fetch an access token (no token is fetched here; see #authorize)
124 def to_authorization(person = nil)
125 return Signet::OAuth2::Client.new(
126 :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
127 :audience => 'https://accounts.google.com/o/oauth2/token',
128 :scope => self.scope,
130 :signing_key => @key,
131 :signing_algorithm => @algorithm,