##
# Helper for loading keys from the PKCS12 files downloaded when
# setting up service accounts at the APIs Console.
+ #
+
module PKCS12
##
##
# Generates access tokens using the JWT assertion profile. Requires a
# service account & access to the private key.
+ #
+ # @example
+ #
+ # client = Google::APIClient.new
+ # key = Google::APIClient::PKCS12.load_key('client.p12', 'notasecret')
+ # service_account = Google::APIClient::JWTAsserter(
+ # '123456-abcdef@developer.gserviceaccount.com',
+ # 'https://www.googleapis.com/auth/prediction',
+ # key)
+ # client.authorization = service_account.authorize
+ # client.execute(...)
class JWTAsserter
- attr_accessor :issuer, :expiry
+ attr_accessor :issuer, :expiry, :skew
attr_reader :scope
attr_writer :key
# Name/ID of the client issuing the assertion
# @param [String or Array] scope
# Scopes to authorize. May be a space delimited string or array of strings
- # @param [OpenSSL::PKey]
+ # @param [OpenSSL::PKey] key
# RSA private key for signing assertions
def initialize(issuer, scope, key)
self.issuer = issuer
self.scope = scope
- self.expiry = 60 # 1 min default
+ self.expiry = 60 # 1 min default
+ self.skew = 60
self.key = key
end
##
# Set the scopes to authorize
#
- # @param [String or Array] scope
+ # @param [String, Array] new_scope
# Scopes to authorize. May be a space delimited string or array of strings
def scope=(new_scope)
case new_scope
"scope" => self.scope,
"aud" => "https://accounts.google.com/o/oauth2/token",
"exp" => (now + expiry).to_i,
- "iat" => now.to_i
+ "iat" => (now - skew).to_i
}
assertion['prn'] = person unless person.nil?
return JWT.encode(assertion, @key, "RS256")
projects / arvados.git / blobdiff