Allow adjusting issued-at time to minimize clock skew issues

Steven Bazyl 2012-09-28 12:06:15 -07:00
parent a3e0ea8451
commit 9bbc3224ff
1 changed files with 19 additions and 5 deletions


@ -20,6 +20,8 @@ module Google
## ##
# Helper for loading keys from the PKCS12 files downloaded when # Helper for loading keys from the PKCS12 files downloaded when
# setting up service accounts at the APIs Console. # setting up service accounts at the APIs Console.
#
module PKCS12 module PKCS12
## ##
@ -51,8 +53,19 @@ module Google
## ##
# Generates access tokens using the JWT assertion profile. Requires a # Generates access tokens using the JWT assertion profile. Requires a
# service account & access to the private key. # service account & access to the private key.
#
# @example
#
# client = Google::APIClient.new
# key = Google::APIClient::PKCS12.load_key('client.p12', 'notasecret')
# service_account = Google::APIClient::JWTAsserter(
# '123456-abcdef@developer.gserviceaccount.com',
# 'https://www.googleapis.com/auth/prediction',
# key)
# client.authorization = service_account.authorize
# client.execute(...)
class JWTAsserter class JWTAsserter
attr_accessor :issuer, :expiry attr_accessor :issuer, :expiry, :skew
attr_reader :scope attr_reader :scope
attr_writer :key attr_writer :key
@ -63,19 +76,20 @@ module Google
# Name/ID of the client issuing the assertion # Name/ID of the client issuing the assertion
# @param [String or Array] scope # @param [String or Array] scope
# Scopes to authorize. May be a space delimited string or array of strings # Scopes to authorize. May be a space delimited string or array of strings
# @param [OpenSSL::PKey] # @param [OpenSSL::PKey] key
# RSA private key for signing assertions # RSA private key for signing assertions
def initialize(issuer, scope, key) def initialize(issuer, scope, key)
self.issuer = issuer self.issuer = issuer
self.scope = scope self.scope = scope
self.expiry = 60 # 1 min default self.expiry = 60 # 1 min default
self.skew = 60
self.key = key self.key = key
end end
## ##
# Set the scopes to authorize # Set the scopes to authorize
# #
# @param [String or Array] scope # @param [String, Array] new_scope
# Scopes to authorize. May be a space delimited string or array of strings # Scopes to authorize. May be a space delimited string or array of strings
def scope=(new_scope) def scope=(new_scope)
case new_scope case new_scope
@ -103,7 +117,7 @@ module Google
"scope" => self.scope, "scope" => self.scope,
"aud" => "https://accounts.google.com/o/oauth2/token", "aud" => "https://accounts.google.com/o/oauth2/token",
"exp" => (now + expiry).to_i, "exp" => (now + expiry).to_i,
"iat" => now.to_i "iat" => (now - skew).to_i
} }
assertion['prn'] = person unless person.nil? assertion['prn'] = person unless person.nil?
return JWT.encode(assertion, @key, "RS256") return JWT.encode(assertion, @key, "RS256")
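Review bot: The new `skew` accessor is undocumented and unvalidated, and in the last hunk it backdates only `"iat"` while `"exp"` is still `(now + expiry).to_i`, so the signed validity window becomes `expiry + skew` seconds (120 with the defaults set in `initialize`) rather than the 60 the `# 1 min default` comment suggests. A negative value would put `iat` in the future, which is the failure this change is meant to avoid, and a nil value would presumably raise at `now - skew`. I would document the attribute beside the accessors, e.g. `# Seconds subtracted from "iat" to tolerate clock skew; the assertion is then valid for expiry + skew seconds`, and reject negative values in a setter. Separately, the `@example` added in the second hunk calls `Google::APIClient::JWTAsserter(` without `.new`, so copied as written it would not construct the asserter. The method that builds the assertion starts outside the last hunk, so how `now` is obtained is not visible here.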