Allow adjusting issued-at time to minimize clock skew issues
This commit is contained in:
parent
a3e0ea8451
commit
9bbc3224ff
|
@ -20,6 +20,8 @@ module Google
|
||||||
##
|
##
|
||||||
# Helper for loading keys from the PKCS12 files downloaded when
|
# Helper for loading keys from the PKCS12 files downloaded when
|
||||||
# setting up service accounts at the APIs Console.
|
# setting up service accounts at the APIs Console.
|
||||||
|
#
|
||||||
|
|
||||||
module PKCS12
|
module PKCS12
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -51,8 +53,19 @@ module Google
|
||||||
##
|
##
|
||||||
# Generates access tokens using the JWT assertion profile. Requires a
|
# Generates access tokens using the JWT assertion profile. Requires a
|
||||||
# service account & access to the private key.
|
# service account & access to the private key.
|
||||||
|
#
|
||||||
|
# @example
|
||||||
|
#
|
||||||
|
# client = Google::APIClient.new
|
||||||
|
# key = Google::APIClient::PKCS12.load_key('client.p12', 'notasecret')
|
||||||
|
# service_account = Google::APIClient::JWTAsserter(
|
||||||
|
# '123456-abcdef@developer.gserviceaccount.com',
|
||||||
|
# 'https://www.googleapis.com/auth/prediction',
|
||||||
|
# key)
|
||||||
|
# client.authorization = service_account.authorize
|
||||||
|
# client.execute(...)
|
||||||
class JWTAsserter
|
class JWTAsserter
|
||||||
attr_accessor :issuer, :expiry
|
attr_accessor :issuer, :expiry, :skew
|
||||||
attr_reader :scope
|
attr_reader :scope
|
||||||
attr_writer :key
|
attr_writer :key
|
||||||
|
|
||||||
|
@ -63,19 +76,20 @@ module Google
|
||||||
# Name/ID of the client issuing the assertion
|
# Name/ID of the client issuing the assertion
|
||||||
# @param [String or Array] scope
|
# @param [String or Array] scope
|
||||||
# Scopes to authorize. May be a space delimited string or array of strings
|
# Scopes to authorize. May be a space delimited string or array of strings
|
||||||
# @param [OpenSSL::PKey]
|
# @param [OpenSSL::PKey] key
|
||||||
# RSA private key for signing assertions
|
# RSA private key for signing assertions
|
||||||
def initialize(issuer, scope, key)
|
def initialize(issuer, scope, key)
|
||||||
self.issuer = issuer
|
self.issuer = issuer
|
||||||
self.scope = scope
|
self.scope = scope
|
||||||
self.expiry = 60 # 1 min default
|
self.expiry = 60 # 1 min default
|
||||||
|
self.skew = 60
|
||||||
self.key = key
|
self.key = key
|
||||||
end
|
end
|
||||||
|
|
||||||
##
|
##
|
||||||
# Set the scopes to authorize
|
# Set the scopes to authorize
|
||||||
#
|
#
|
||||||
# @param [String or Array] scope
|
# @param [String, Array] new_scope
|
||||||
# Scopes to authorize. May be a space delimited string or array of strings
|
# Scopes to authorize. May be a space delimited string or array of strings
|
||||||
def scope=(new_scope)
|
def scope=(new_scope)
|
||||||
case new_scope
|
case new_scope
|
||||||
|
@ -103,7 +117,7 @@ module Google
|
||||||
"scope" => self.scope,
|
"scope" => self.scope,
|
||||||
"aud" => "https://accounts.google.com/o/oauth2/token",
|
"aud" => "https://accounts.google.com/o/oauth2/token",
|
||||||
"exp" => (now + expiry).to_i,
|
"exp" => (now + expiry).to_i,
|
||||||
"iat" => now.to_i
|
"iat" => (now - skew).to_i
|
||||||
}
|
}
|
||||||
assertion['prn'] = person unless person.nil?
|
assertion['prn'] = person unless person.nil?
|
||||||
return JWT.encode(assertion, @key, "RS256")
|
return JWT.encode(assertion, @key, "RS256")
|
||||||
|
|
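Review bot: The backdated `"iat" => (now - skew).to_i` in the last hunk is not matched by a shift of `"exp" => (now + expiry).to_i`, so the assertion's validity window as seen by the token endpoint grows from `expiry` to `expiry + skew` (120 s with both defaults) — acceptable if intended, but worth stating, since `skew` is a public `attr_accessor` (second hunk) with no bounds: a caller assigning `nil` gets a `TypeError` at `now - skew`, and a negative value dates the assertion in the future, which is exactly what the change is meant to avoid. The new attribute also has no doc comment where `expiry` and `issuer` are described; I would add above the accessor `# Seconds to backdate the "iat" claim so a verifier whose clock runs slightly behind ours does not reject the assertion as issued in the future; "exp" is not shifted, so the effective lifetime is expiry + skew.` and, in the initializer, `self.skew = 60 # 1 min tolerance for verifier clock drift`. A guard such as `raise ArgumentError, 'skew must be a non-negative number of seconds' unless skew.respond_to?(:to_i) && skew >= 0` before the hash is built would turn the `nil`/negative cases into a clear error. The method that builds the assertion hash begins before the hunk, so the best place for that guard is not visible here.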