1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223
use crate::error::{AuthErrorOr, Error};
use serde::{Deserialize, Serialize};
use time::OffsetDateTime;
/// Represents a token returned by oauth2 servers. All tokens are Bearer tokens. Other types of
/// tokens are not supported.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Deserialize, Serialize)]
pub struct AccessToken {
access_token: Option<String>,
expires_at: Option<OffsetDateTime>,
}
impl AccessToken {
/// A string representation of the access token.
pub fn token(&self) -> Option<&str> {
self.access_token.as_deref()
}
/// The time at which the tokens will expire, if any.
pub fn expiration_time(&self) -> Option<OffsetDateTime> {
self.expires_at
}
/// Determine if the access token is expired.
///
/// This will report that the token is expired 1 minute prior to the expiration time to ensure
/// that when the token is actually sent to the server it's still valid.
pub fn is_expired(&self) -> bool {
// Consider the token expired if it's within 1 minute of it's expiration time.
self.expires_at
.map(|expiration_time| {
expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc()
})
.unwrap_or(false)
}
}
impl From<TokenInfo> for AccessToken {
fn from(
TokenInfo {
access_token,
expires_at,
..
}: TokenInfo,
) -> Self {
AccessToken {
access_token,
expires_at,
}
}
}
/// Represents a token as returned by OAuth2 servers.
///
/// It is produced by all authentication flows.
/// It authenticates certain operations, and must be refreshed once it reached it's expiry date.
#[derive(Clone, PartialEq, Debug, Deserialize, Serialize)]
pub struct TokenInfo {
/// used when authorizing calls to oauth2 enabled services.
pub access_token: Option<String>,
/// used to refresh an expired access_token.
pub refresh_token: Option<String>,
/// The time when the token expires.
pub expires_at: Option<OffsetDateTime>,
/// Optionally included by the OAuth2 server and may contain information to verify the identity
/// used to obtain the access token.
/// Specifically Google API:s include this if the additional scopes "email" and/or "profile"
/// are used. In that case the content is an JWT token.
pub id_token: Option<String>,
}
impl TokenInfo {
pub(crate) fn from_json(json_data: &[u8]) -> Result<TokenInfo, Error> {
#[derive(Deserialize)]
struct RawToken {
access_token: Option<String>,
refresh_token: Option<String>,
token_type: Option<String>,
expires_in: Option<i64>,
id_token: Option<String>,
}
// Serialize first to a `serde_json::Value` then to `AuthErrorOr<RawToken>` to work around this bug in
// serde_json: https://github.com/serde-rs/json/issues/559
let raw_token = serde_json::from_slice::<serde_json::Value>(json_data)?;
let RawToken {
access_token,
refresh_token,
token_type,
expires_in,
id_token,
} = <AuthErrorOr<RawToken>>::deserialize(raw_token)?.into_result()?;
match token_type {
Some(token_ty) if !token_ty.eq_ignore_ascii_case("bearer") => {
use std::io;
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!(
r#"unknown token type returned; expected "bearer" found {}"#,
token_ty
),
)
.into());
}
_ => (),
}
let expires_at = match expires_in {
Some(seconds_from_now) => {
Some(OffsetDateTime::now_utc() + time::Duration::seconds(seconds_from_now))
}
None if id_token.is_some() && access_token.is_none() => {
// If the response contains only an ID token, an expiration date may not be
// returned. According to the docs, the tokens are always valid for 1 hour.
//
// https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-oidc
Some(OffsetDateTime::now_utc() + time::Duration::HOUR)
}
None => None,
};
Ok(TokenInfo {
id_token,
access_token,
refresh_token,
expires_at,
})
}
/// Returns true if we are expired.
pub fn is_expired(&self) -> bool {
self.expires_at
.map(|expiration_time| {
expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc()
})
.unwrap_or(false)
}
}
/// Represents either 'installed' or 'web' applications in a json secrets file.
/// See `ConsoleApplicationSecret` for more information
#[derive(Deserialize, Serialize, Clone, Default, Debug)]
pub struct ApplicationSecret {
/// The client ID.
pub client_id: String,
/// The client secret.
pub client_secret: String,
/// The token server endpoint URI.
pub token_uri: String,
/// The authorization server endpoint URI.
pub auth_uri: String,
/// The redirect uris.
pub redirect_uris: Vec<String>,
/// Name of the google project the credentials are associated with
pub project_id: Option<String>,
/// The service account email associated with the client.
pub client_email: Option<String>,
/// The URL of the public x509 certificate, used to verify the signature on JWTs, such
/// as ID tokens, signed by the authentication provider.
pub auth_provider_x509_cert_url: Option<String>,
/// The URL of the public x509 certificate, used to verify JWTs signed by the client.
pub client_x509_cert_url: Option<String>,
}
/// A type to facilitate reading and writing the json secret file
/// as returned by the [google developer console](https://code.google.com/apis/console)
#[derive(Deserialize, Serialize, Default, Debug)]
pub struct ConsoleApplicationSecret {
/// web app secret
pub web: Option<ApplicationSecret>,
/// installed app secret
pub installed: Option<ApplicationSecret>,
}
#[cfg(test)]
pub mod tests {
use super::*;
pub const SECRET: &str =
"{\"installed\":{\"auth_uri\":\"https://accounts.google.com/o/oauth2/auth\",\
\"client_secret\":\"UqkDJd5RFwnHoiG5x5Rub8SI\",\"token_uri\":\"https://accounts.google.\
com/o/oauth2/token\",\"client_email\":\"\",\"redirect_uris\":[\"urn:ietf:wg:oauth:2.0:\
oob\",\"oob\"],\"client_x509_cert_url\":\"\",\"client_id\":\
\"14070749909-vgip2f1okm7bkvajhi9jugan6126io9v.apps.googleusercontent.com\",\
\"auth_provider_x509_cert_url\":\"https://www.googleapis.com/oauth2/v1/certs\"}}";
#[test]
fn console_secret() {
use serde_json as json;
match json::from_str::<ConsoleApplicationSecret>(SECRET) {
Ok(s) => assert!(s.installed.is_some() && s.web.is_none()),
Err(err) => panic!(
"Encountered error parsing ConsoleApplicationSecret: {}",
err
),
}
}
#[test]
fn default_expiry_for_id_token_only() {
// If only an ID token is present, set a default expiration date
let json = r#"{"id_token": "id"}"#;
let token = TokenInfo::from_json(json.as_bytes()).unwrap();
assert_eq!(token.id_token, Some("id".to_owned()));
let expiry = token.expires_at.unwrap();
assert!(expiry <= time::OffsetDateTime::now_utc() + time::Duration::HOUR);
}
#[test]
fn no_default_expiry_for_access_token() {
// Don't set a default expiration date if an access token is returned
let json = r#"{"access_token": "access", "id_token": "id"}"#;
let token = TokenInfo::from_json(json.as_bytes()).unwrap();
assert_eq!(token.access_token, Some("access".to_owned()));
assert_eq!(token.id_token, Some("id".to_owned()));
assert_eq!(token.expires_at, None);
}
}