Class: Google::APIClient::JWTAsserter

Inherits:
Object
Defined in:
lib/google/api_client/service_account.rb

Overview

Generates access tokens using the JWT assertion profile. Requires a service account & access to the private key.

Constructor Details

#initialize(issuer, scope, key) ⇒ JWTAsserter

Initializes the asserter for a service account.

Parameters:

  • issuer (String)

    Name/ID of the client issuing the assertion

  • scope (String or Array)

    Scopes to authorize. May be a space delimited string or array of strings

  • key (OpenSSL::PKey)

    RSA private key for signing assertions



# File 'lib/google/api_client/service_account.rb', line 68

def initialize(issuer, scope, key)
  self.issuer = issuer
  self.scope = scope
  self.expiry = 60 # 1 min default        
  self.key = key
end

Instance Attribute Details

#expiry ⇒ Object

Returns the value of attribute expiry.



# File 'lib/google/api_client/service_account.rb', line 55

def expiry
  @expiry
end

#issuer ⇒ Object

Returns the value of attribute issuer.



# File 'lib/google/api_client/service_account.rb', line 55

def issuer
  @issuer
end

#key=(value) ⇒ Object (writeonly)

Sets the attribute key

Parameters:

  • value

    the value to set the attribute key to.



# File 'lib/google/api_client/service_account.rb', line 57

def key=(value)
  @key = value
end

#scope ⇒ Object

Returns the value of attribute scope.



# File 'lib/google/api_client/service_account.rb', line 56

def scope
  @scope
end

Instance Method Details

#authorize(person = nil, options = {}) ⇒ Signet::OAuth2::Client

Request a new access token.

Parameters:

  • person (String) (defaults to: nil)

    Email address of a user, if requesting a token to act on their behalf

  • options (Hash) (defaults to: {})

    Pass through to Signet::OAuth2::Client.fetch_access_token

Returns:

  • (Signet::OAuth2::Client)

    Access token

See Also:

  • Signet::OAuth2::Client.fetch_access_token


# File 'lib/google/api_client/service_account.rb', line 122

def authorize(person = nil, options={})
  assertion = self.to_jwt(person)
  authorization = Signet::OAuth2::Client.new(
    :token_credential_uri => 'https://accounts.google.com/o/oauth2/token'
  )
  authorization.grant_type = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
  authorization.extension_parameters = { :assertion => assertion }
  authorization.fetch_access_token!(options)
  return authorization
end

#to_jwt(person = nil) ⇒ String

Builds & signs the assertion.

Parameters:

  • person (String) (defaults to: nil)

    Email address of a user, if requesting a token to act on their behalf

Returns:

  • (String)

    Encoded JWT



# File 'lib/google/api_client/service_account.rb', line 99

def to_jwt(person=nil)
  now = Time.new        
  assertion = {
    "iss" => @issuer,
    "scope" => self.scope,
    "aud" => "https://accounts.google.com/o/oauth2/token",
    "exp" => (now + expiry).to_i,
    "iat" => now.to_i
  }
  assertion['prn'] = person unless person.nil?
  return JWT.encode(assertion, @key, "RS256")
end
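
Added example, not part of the google-api-client source: the claim set that #to_jwt builds, signed with RS256 using only Ruby's standard library, next to the checks a receiver of the assertion would apply (pinned algorithm, signature, aud, and the 60-second exp window). The names build_assertion, verify_assertion, b64url and b64url_decode, the joining of an array scope with spaces, and the example.invalid identities are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Audience claim used by to_jwt on this page (the token endpoint).
AUDIENCE = 'https://accounts.google.com/o/oauth2/token'

def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  padded = text.tr('-_', '+/') + '=' * ((4 - text.length % 4) % 4)
  padded.unpack1('m0') # strict decoding; raises ArgumentError on bad input
end

# Hypothetical helper: same claim set as to_jwt, signed RS256 via OpenSSL.
def build_assertion(issuer, scope, key, person = nil, expiry = 60, now = Time.now)
  claims = { 'iss' => issuer, 'scope' => Array(scope).join(' '), 'aud' => AUDIENCE,
             'exp' => (now + expiry).to_i, 'iat' => now.to_i }
  claims['prn'] = person unless person.nil?
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Hypothetical receiver-side check: pinned algorithm, signature, audience,
# validity window. Returns the claims hash, or nil when any check fails.
def verify_assertion(jwt, public_key, now = Time.now)
  parts = jwt.split('.')
  return nil unless parts.length == 3
  header_b64, claims_b64, sig_b64 = parts
  return nil unless JSON.parse(b64url_decode(header_b64))['alg'] == 'RS256'
  signed = "#{header_b64}.#{claims_b64}"
  digest = OpenSSL::Digest.new('SHA256')
  return nil unless public_key.verify(digest, b64url_decode(sig_b64), signed)
  claims = JSON.parse(b64url_decode(claims_b64))
  return nil unless claims['aud'] == AUDIENCE
  return nil unless claims['iat'].to_i <= now.to_i && now.to_i < claims['exp'].to_i
  claims
rescue StandardError # malformed token or key error: fail closed
  nil
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key, not a real credential
  jwt = build_assertion('svc@example.invalid', %w[scope.a scope.b], key)
  puts jwt.split('.').map(&:length).inspect
  p verify_assertion(jwt, key.public_key)
end
```

Because prn is covered by the signature, changing the impersonated user after signing invalidates the assertion; anyone holding the private key can mint such assertions, so the key is the credential to protect.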