Class: Signet::OAuth2::Client

Inherits:

Object

• Object
• Signet::OAuth2::Client

Defined in:

lib/signet/oauth_2/client.rb

Constant Summary

OOB_MODES =

["urn:ietf:wg:oauth:2.0:oob:auto", "urn:ietf:wg:oauth:2.0:oob", "oob"].freeze

Instance Attribute Summary

• #sub ⇒ Object

  The target "sub" when issuing assertions.

Instance Method Summary

• #access_token ⇒ String

  Returns the access token associated with this client.

• #access_token=(new_access_token) ⇒ Object

  Sets the access token associated with this client.

• #access_type ⇒ String, Symbol

  Returns the current access type parameter for #authorization_uri.

• #access_type=(new_access_type) ⇒ Object

  Sets the current access type parameter for #authorization_uri.

• #additional_parameters ⇒ Hash

  Returns the set of additional (non standard) parameters to be used by the client.

• #additional_parameters=(new_additional_parameters) ⇒ Object

  Sets additional (non standard) parameters to be used by the client.

• #audience ⇒ String

  Returns the target audience ID when issuing assertions.

• #audience=(new_audience) ⇒ Object

  Sets the target audience ID when issuing assertions.

• #authorization_uri(options = {}) ⇒ Addressable::URI

  Returns the authorization URI that the user should be redirected to.

• #authorization_uri=(new_authorization_uri) ⇒ Object

  Sets the authorization URI for this client.

• #clear_credentials! ⇒ Object

  Removes all credentials from the client.

• #client_id ⇒ String

  Returns the client identifier for this client.

• #client_id=(new_client_id) ⇒ Object

  Sets the client identifier for this client.

• #client_secret ⇒ String

  Returns the client secret for this client.

• #client_secret=(new_client_secret) ⇒ Object

  Sets the client secret for this client.

• #code ⇒ String

  Returns the authorization code issued to this client.

• #code=(new_code) ⇒ Object

  Sets the authorization code issued to this client.

• #coerce_uri(incoming_uri) ⇒ Object

  Addressable expects URIs formatted as hashes to come in with symbols as keys.

• #decoded_id_token(public_key = nil, options = {}, &keyfinder) ⇒ String

  Returns the decoded ID token associated with this client.

• #expired? ⇒ TrueClass, FalseClass

  Returns true if the access token has expired.

• #expires_at ⇒ Time^?

  Returns the timestamp the access token will expire at.

• #expires_at=(new_expires_at) ⇒ Object

  Limits the lifetime of the access token as number of seconds since the Epoch.

• #expires_in ⇒ Integer^?

  Returns the lifetime of the access token in seconds.

• #expires_in=(new_expires_in) ⇒ Object

  Sets the lifetime of the access token in seconds.

• #expires_within?(sec) ⇒ TrueClass, FalseClass

  Returns true if the access token has expired or expires within the next n seconds.

• #expiry ⇒ Integer

  Returns the number of seconds assertions are valid for Used only by the assertion grant type.

• #expiry=(new_expiry) ⇒ Object

  Sets the number of seconds assertions are valid for Used only by the assertion grant type.

• #extension_parameters ⇒ Hash

  Returns the set of extension parameters used by the client.

• #extension_parameters=(new_extension_parameters) ⇒ Object

  Sets extension parameters used by the client.

• #fetch_access_token(options = {}) ⇒ Object
• #fetch_access_token!(options = {}) ⇒ Object
• #fetch_protected_resource(options = {}) ⇒ Array

  Transmits a request for a protected resource.

• #generate_authenticated_request(options = {}) ⇒ Faraday::Request

  Generates an authenticated request for protected resources.

• #grant_type ⇒ String

  Returns the inferred grant type, based on the current state of the client object.

• #grant_type=(new_grant_type) ⇒ Object
• #granted_scopes ⇒ Array^?

  Returns the scopes granted by the authorization server.

• #granted_scopes=(new_granted_scopes) ⇒ Object

  Sets the scopes returned by authorization server for this client.

• #id_token ⇒ String

  Returns the ID token associated with this client.

• #id_token=(new_id_token) ⇒ Object

  Sets the ID token associated with this client.

• #initialize(options = {}) ⇒ Client constructor

  Creates an OAuth 2.0 client.

• #issued_at ⇒ Time^?

  Returns the timestamp the access token was issued at.

• #issued_at=(new_issued_at) ⇒ Object

  Sets the timestamp the access token was issued at.

• #issuer ⇒ String

  Returns the issuer ID associated with this client.

• #issuer=(new_issuer) ⇒ Object

  Sets the issuer ID associated with this client.

• #password ⇒ String

  Returns the password associated with this client.

• #password=(new_password) ⇒ Object

  Sets the password associated with this client.

• #principal ⇒ String (also: #person)

  Returns the target resource owner for impersonation.

• #principal=(new_person) ⇒ Object (also: #person=)

  Sets the target resource owner for impersonation.

• #redirect_uri ⇒ String

  Returns the redirect URI for this client.

• #redirect_uri=(new_redirect_uri) ⇒ Object

  Sets the redirect URI for this client.

• #refresh!(options = {}) ⇒ Object

  Refresh the access token, if possible.

• #refresh_token ⇒ String

  Returns the refresh token associated with this client.

• #refresh_token=(new_refresh_token) ⇒ Object

  Sets the refresh token associated with this client.

• #scope ⇒ Array

  Returns the scope for this client.

• #scope=(new_scope) ⇒ Object

  Sets the scope for this client.

• #signing_algorithm ⇒ String

  Algorithm used for signing JWTs.

• #signing_key ⇒ String, OpenSSL::PKey

  Returns the signing key associated with this client.

• #signing_key=(new_key) ⇒ Object

  Sets the signing key when issuing assertions.

• #state ⇒ String

  Returns the client's current state value.

• #state=(new_state) ⇒ Object

  Sets the client's current state value.

• #target_audience ⇒ String

  Returns the final target audience for ID tokens fetched by this client.

• #target_audience=(new_target_audience) ⇒ Object

  Sets the final target audience for ID tokens fetched by this client.

• #to_json(*_args) ⇒ String

  Serialize the client object to JSON.

• #to_jwt(options = {}) ⇒ Object
• #token_credential_uri ⇒ Addressable::URI

  Returns the token credential URI for this client.

• #token_credential_uri=(new_token_credential_uri) ⇒ Object

  Sets the token credential URI for this client.

• #update!(options = {}) ⇒ Object

  Updates an OAuth 2.0 client.

• #update_token!(options = {}) ⇒ Object

  Updates an OAuth 2.0 client.

• #username ⇒ String

  Returns the username associated with this client.

• #username=(new_username) ⇒ Object

  Sets the username associated with this client.

Constructor Details

#initialize(options = {}) ⇒ Client

Creates an OAuth 2.0 client.

Examples:

client = Signet::OAuth2::Client.new(
  :authorization_uri =>
    'https://example.server.com/authorization',
  :token_credential_uri =>
    'https://example.server.com/token',
  :client_id => 'anonymous',
  :client_secret => 'anonymous',
  :scope => 'example',
  :redirect_uri => 'https://example.client.com/oauth'
)

Parameters:

• options (Hash) (defaults to: {}) —

  The configuration parameters for the client.

  • :authorization_uri - The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
  • :token_credential_uri - The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
  • :client_id - A unique identifier issued to the client to identify itself to the authorization server.
  • :client_secret - A shared symmetric secret issued by the authorization server, which is used to authenticate the client.
  • :scope - The scope of the access request, expressed either as an Array or as a space-delimited String.
  • :target_audience - The final target audience for ID tokens fetched by this client, as a String.
  • :state - An arbitrary string designed to allow the client to maintain state.
  • :code - The authorization code received from the authorization server.
  • :redirect_uri - The redirection URI used in the initial request.
  • :username - The resource owner's username.
  • :password - The resource owner's password.
  • :issuer - Issuer ID when using assertion profile
  • :person - Target user for assertions
  • :expiry - Number of seconds assertions are valid for
  • :signing_key - Signing key when using assertion profile
  • :refresh_token - The refresh token associated with the access token to be refreshed.
  • :access_token - The current access token for this client.
  • :id_token - The current ID token for this client.
  • :extension_parameters - When using an extension grant type, this the set of parameters used by that extension.
  • :granted_scopes - All scopes granted by authorization server.

See Also:

• #update!

# File 'lib/signet/oauth_2/client.rb', line 97

def initialize options = {}
  @authorization_uri    = nil
  @token_credential_uri = nil
  @client_id            = nil
  @client_secret        = nil
  @code                 = nil
  @expires_at           = nil
  @issued_at            = nil
  @issuer               = nil
  @password             = nil
  @principal            = nil
  @redirect_uri         = nil
  @scope                = nil
  @target_audience      = nil
  @state                = nil
  @username             = nil
  @access_type          = nil
  @granted_scopes       = nil
  update! options
end

Instance Attribute Details

#sub ⇒ Object

The target "sub" when issuing assertions. Used in some Admin SDK APIs.

# File 'lib/signet/oauth_2/client.rb', line 601

def sub
  @sub
end

Instance Method Details

#access_token ⇒ String

Returns the access token associated with this client.

Returns:

• (String) —

  The access token.

# File 'lib/signet/oauth_2/client.rb', line 715

def access_token
  @access_token ||= nil
end

#access_token=(new_access_token) ⇒ Object

Sets the access token associated with this client.

Parameters:

• new_access_token (String) —

  The access token.

# File 'lib/signet/oauth_2/client.rb', line 724

def access_token= new_access_token
  @access_token = new_access_token
end

#access_type ⇒ String, Symbol

Returns the current access type parameter for #authorization_uri.

Returns:

• (String, Symbol) —

  The current access type.

# File 'lib/signet/oauth_2/client.rb', line 342

def access_type
  @access_type
end

#access_type=(new_access_type) ⇒ Object

Sets the current access type parameter for #authorization_uri.

Parameters:

• new_access_type (String, Symbol) —

  The current access type.

# File 'lib/signet/oauth_2/client.rb', line 351

def access_type= new_access_type
  @access_type = new_access_type
end

#additional_parameters ⇒ Hash

Returns the set of additional (non standard) parameters to be used by the client.

Returns:

• (Hash) —

  The pass through parameters.

# File 'lib/signet/oauth_2/client.rb', line 676

def additional_parameters
  @additional_parameters ||= {}
end

#additional_parameters=(new_additional_parameters) ⇒ Object

Sets additional (non standard) parameters to be used by the client.

Parameters:

• new_additional_parameters (Hash) —

  The parameters.

# File 'lib/signet/oauth_2/client.rb', line 685

def additional_parameters= new_additional_parameters
  if new_additional_parameters.respond_to? :to_hash
    @additional_parameters = new_additional_parameters.to_hash
  else
    raise TypeError,
          "Expected Hash, got #{new_additional_parameters.class}."
  end
end

#audience ⇒ String

Returns the target audience ID when issuing assertions. Used only by the assertion grant type.

Returns:

• (String) —

  Target audience ID.

# File 'lib/signet/oauth_2/client.rb', line 561

def audience
  @audience
end

#audience=(new_audience) ⇒ Object

Sets the target audience ID when issuing assertions. Used only by the assertion grant type.

Parameters:

• new_audience (String) —

  Target audience ID

# File 'lib/signet/oauth_2/client.rb', line 571

def audience= new_audience
  @audience = new_audience
end

#authorization_uri(options = {}) ⇒ Addressable::URI

Returns the authorization URI that the user should be redirected to.

Returns:

• (Addressable::URI) —

  The authorization URI.

Raises:

• (ArgumentError)

See Also:

• Signet::OAuth2.generate_authorization_uri

# File 'lib/signet/oauth_2/client.rb', line 271

def authorization_uri options = {}
  # Normalize external input
  options = deep_hash_normalize options

  return nil if @authorization_uri.nil?
  options[:response_type] = :code unless options[:response_type]
  options[:access_type] = access_type if !options[:access_type] && access_type
  options[:client_id] ||= client_id
  options[:redirect_uri] ||= redirect_uri
  if options[:prompt] && options[:approval_prompt]
    raise ArgumentError, "prompt and approval_prompt are mutually exclusive parameters"
  end
  raise ArgumentError, "Missing required client identifier." unless options[:client_id]
  raise ArgumentError, "Missing required redirect URI." unless options[:redirect_uri]
  options[:scope] = scope.join " " if !options[:scope] && scope
  options[:state] = state unless options[:state]
  options.merge!(additional_parameters.merge(options[:additional_parameters] || {}))
  options.delete :additional_parameters
  options = options.transform_keys(&:to_s)
  uri = Addressable::URI.parse(
    ::Signet::OAuth2.generate_authorization_uri(
      @authorization_uri, options
    )
  )
  if uri.normalized_scheme != "https"
    raise Signet::UnsafeOperationError,
          "Authorization endpoint must be protected by TLS."
  end
  uri
end

#authorization_uri=(new_authorization_uri) ⇒ Object

Sets the authorization URI for this client.

Parameters:

• new_authorization_uri (Addressable::URI, Hash, String, #to_str) —

  The authorization URI.

# File 'lib/signet/oauth_2/client.rb', line 307

def authorization_uri= new_authorization_uri
  @authorization_uri = coerce_uri new_authorization_uri
end

#clear_credentials! ⇒ Object

Removes all credentials from the client.

# File 'lib/signet/oauth_2/client.rb', line 883

def clear_credentials!
  @access_token = nil
  @refresh_token = nil
  @id_token = nil
  @username = nil
  @password = nil
  @code = nil
  @issued_at = nil
  @expires_at = nil
  @granted_scopes = nil
end

#client_id ⇒ String

Returns the client identifier for this client.

Returns:

• (String) —

  The client identifier.

# File 'lib/signet/oauth_2/client.rb', line 359

def client_id
  @client_id
end

#client_id=(new_client_id) ⇒ Object

Sets the client identifier for this client.

Parameters:

• new_client_id (String) —

  The client identifier.

# File 'lib/signet/oauth_2/client.rb', line 368

def client_id= new_client_id
  @client_id = new_client_id
end

#client_secret ⇒ String

Returns the client secret for this client.

Returns:

• (String) —

  The client secret.

# File 'lib/signet/oauth_2/client.rb', line 376

def client_secret
  @client_secret
end

#client_secret=(new_client_secret) ⇒ Object

Sets the client secret for this client.

Parameters:

• new_client_secret (String) —

  The client secret.

# File 'lib/signet/oauth_2/client.rb', line 385

def client_secret= new_client_secret
  @client_secret = new_client_secret
end

#code ⇒ String

Returns the authorization code issued to this client. Used only by the authorization code access grant type.

Returns:

• (String) —

  The authorization code.

# File 'lib/signet/oauth_2/client.rb', line 462

def code
  @code
end

#code=(new_code) ⇒ Object

Sets the authorization code issued to this client. Used only by the authorization code access grant type.

Parameters:

• new_code (String) —

  The authorization code.

# File 'lib/signet/oauth_2/client.rb', line 472

def code= new_code
  @code = new_code
end

#coerce_uri(incoming_uri) ⇒ Object

Addressable expects URIs formatted as hashes to come in with symbols as keys. Returns nil implicitly for the nil case.

# File 'lib/signet/oauth_2/client.rb', line 330

def coerce_uri incoming_uri
  if incoming_uri.is_a? Hash
    Addressable::URI.new deep_hash_normalize(incoming_uri)
  elsif incoming_uri
    Addressable::URI.parse incoming_uri
  end
end

#decoded_id_token(public_key = nil, options = {}, &keyfinder) ⇒ String

Returns the decoded ID token associated with this client.

Parameters:

• public_key (OpenSSL::PKey::RSA, Object) (defaults to: nil) —

  The public key to use to verify the ID token. Skips verification if omitted.

Returns:

• (String) —

  The decoded ID token.

Raises:

• (Signet::UnsafeOperationError)

# File 'lib/signet/oauth_2/client.rb', line 753

def decoded_id_token public_key = nil, options = {}, &keyfinder
  options[:algorithm] ||= signing_algorithm
  verify = !public_key.nil? || block_given?
  payload, _header = JWT.decode(id_token, public_key, verify, options, &keyfinder)
  raise Signet::UnsafeOperationError, "No ID token audience declared." unless payload.key? "aud"
  unless Array(payload["aud"]).include?(client_id)
    raise Signet::UnsafeOperationError,
          "ID token audience did not match Client ID."
  end
  payload
end

#expired? ⇒ TrueClass, FalseClass

Returns true if the access token has expired. Returns false if the token has not expired or has an nil @expires_at.

Returns:

• (TrueClass, FalseClass) —

  The expiration state of the access token.

# File 'lib/signet/oauth_2/client.rb', line 864

def expired?
  !expires_at.nil? && Time.now >= expires_at
end

#expires_at ⇒ Time^?

Returns the timestamp the access token will expire at. Returns nil if the token does not expire.

Returns:

• (Time, nil) —

  The access token lifetime.

# File 'lib/signet/oauth_2/client.rb', line 817

def expires_at
  @expires_at
end

#expires_at=(new_expires_at) ⇒ Object

Limits the lifetime of the access token as number of seconds since the Epoch. Nil values will be treated as though the token does not expire.

Parameters:

• new_expires_at (String, Integer, Time, nil) —

  The access token expiration time.

# File 'lib/signet/oauth_2/client.rb', line 827

def expires_at= new_expires_at
  @expires_at = normalize_timestamp new_expires_at
end

#expires_in ⇒ Integer^?

Returns the lifetime of the access token in seconds. Returns nil if the token does not expire.

Returns:

• (Integer, nil) —

  The access token lifetime.

# File 'lib/signet/oauth_2/client.rb', line 770

def expires_in
  if @expires_at.nil? || @issued_at.nil?
    nil
  else
    (@expires_at - @issued_at).to_i
  end
end

#expires_in=(new_expires_in) ⇒ Object

Sets the lifetime of the access token in seconds. Resets the issued_at timestamp. Nil values will be treated as though the token does not expire.

Parameters:

• new_expires_in (String, Integer, nil) —

  The access token lifetime.

# File 'lib/signet/oauth_2/client.rb', line 785

def expires_in= new_expires_in
  if new_expires_in.nil?
    @expires_at = nil
    @issued_at = nil
  else
    @issued_at = Time.now
    @expires_at = @issued_at + new_expires_in.to_i
  end
end

#expires_within?(sec) ⇒ TrueClass, FalseClass

Returns true if the access token has expired or expires within the next n seconds. Returns false for tokens with a nil @expires_at.

Parameters:

• sec (Integer) —

  Max number of seconds from now where a token is still considered expired.

Returns:

• (TrueClass, FalseClass) —

  The expiration state of the access token.

# File 'lib/signet/oauth_2/client.rb', line 877

def expires_within? sec
  !expires_at.nil? && Time.now >= (expires_at - sec)
end

#expiry ⇒ Integer

Returns the number of seconds assertions are valid for Used only by the assertion grant type.

Returns:

• (Integer) —

  Assertion expiry, in seconds

# File 'lib/signet/oauth_2/client.rb', line 608

def expiry
  @expiry
end

#expiry=(new_expiry) ⇒ Object

Sets the number of seconds assertions are valid for Used only by the assertion grant type.

Parameters:

• new_expiry (Integer, String) —

  Assertion expiry, in seconds

# File 'lib/signet/oauth_2/client.rb', line 618

def expiry= new_expiry
  @expiry = new_expiry&.to_i
end

#extension_parameters ⇒ Hash

Returns the set of extension parameters used by the client. Used only by extension access grant types.

Returns:

• (Hash) —

  The extension parameters.

# File 'lib/signet/oauth_2/client.rb', line 653

def extension_parameters
  @extension_parameters ||= {}
end

#extension_parameters=(new_extension_parameters) ⇒ Object

Sets extension parameters used by the client. Used only by extension access grant types.

Parameters:

• new_extension_parameters (Hash) —

  The parameters.

# File 'lib/signet/oauth_2/client.rb', line 663

def extension_parameters= new_extension_parameters
  if new_extension_parameters.respond_to? :to_hash
    @extension_parameters = new_extension_parameters.to_hash
  else
    raise TypeError,
          "Expected Hash, got #{new_extension_parameters.class}."
  end
end

#fetch_access_token(options = {}) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/signet/oauth_2/client.rb', line 1022

def fetch_access_token options = {}
  raise ArgumentError, "Missing token endpoint URI." if token_credential_uri.nil?

  options = deep_hash_normalize options

  client = options[:connection] ||= Faraday.default_connection
  url = Addressable::URI.parse token_credential_uri
  parameters = generate_access_token_request options
  if client.is_a? Faraday::Connection
    if options[:use_basic_auth]
      # The Basic Auth middleware usage differs before and after Faraday v2
      if Gem::Version.new(Faraday::VERSION).segments.first >= 2
        client.request :authorization, :basic, client_id, client_secret
      else
        client.request :basic_auth, client_id, client_secret
      end
    end
    response = client.post url.normalize.to_s,
                           Addressable::URI.form_encode(parameters),
                           "Content-Type" => "application/x-www-form-urlencoded"
    status = response.status.to_i
    body = response.body
    content_type = response.headers["Content-type"]
  else
    # Hurley
    if options[:use_basic_auth]
      url.user = client_id
      url.password = client_secret
    end
    response = client.post url.normalize.to_s, parameters
    status = response.status_code.to_i
    body = response.body
    content_type = response.header[:content_type]
  end

  message = "  Server message:\n#{response.body.to_s.strip}" unless body.to_s.strip.empty?

  if [400, 401, 403].include? status
    message = "Authorization failed.#{message}"
    raise ::Signet::AuthorizationError.new message, response: response
  elsif status.to_s[0] == "5"
    message = "Remote server error.#{message}"
    raise ::Signet::RemoteServerError, message
  elsif status != 200
    message = "Unexpected status code: #{response.status}.#{message}"
    raise ::Signet::UnexpectedStatusError, message
  end
  # status == 200
  parsed_response = ::Signet::OAuth2.parse_credentials body, content_type
  parsed_response["granted_scopes"] = parsed_response.delete("scope") if parsed_response
  parsed_response
end

#fetch_access_token!(options = {}) ⇒ Object

# File 'lib/signet/oauth_2/client.rb', line 1075

def fetch_access_token! options = {}
  token_hash = fetch_access_token options
  if token_hash
    # No-op for grant types other than `authorization_code`.
    # An authorization code is a one-time use token and is immediately
    # revoked after usage.
    self.code = nil
    self.issued_at = Time.now
    update_token! token_hash
  end
  token_hash
end

#fetch_protected_resource(options = {}) ⇒ Array

Transmits a request for a protected resource.

Examples:

# Using Net::HTTP
response = client.fetch_protected_resource(
  :uri => 'http://www.example.com/protected/resource'
)

Parameters:

• options (Hash) (defaults to: {}) —

  The configuration parameters for the request.

  • :request - A pre-constructed request. An OAuth 2 Authorization header will be added to it, as well as an explicit Cache-Control no-store directive.
  • :method - The HTTP method for the request. Defaults to 'GET'.
  • :uri - The URI for the request.
  • :headers - The HTTP headers for the request.
  • :body - The HTTP body for the request.
  • :realm - The Authorization realm. See RFC 2617.
  • :connection - The HTTP connection to use. Must be of type Faraday::Connection.

Returns:

• (Array) —

  The response object.

Raises:

• (::Signet::AuthorizationError)

# File 'lib/signet/oauth_2/client.rb', line 1190

def fetch_protected_resource options = {}
  options = deep_hash_normalize options

  options[:connection] ||= Faraday.default_connection
  request = generate_authenticated_request options
  request_env = request.to_env options[:connection]
  request_env[:request] ||= request
  response = options[:connection].app.call request_env
  return response unless response.status.to_i == 401
  # When accessing a protected resource, we only want to raise an
  # error for 401 responses.
  message = "Authorization failed."
  message += "  Server message:\n#{response.body.to_s.strip}" unless response.body.to_s.strip.empty?
  raise ::Signet::AuthorizationError.new(
    message, request: request, response: response
  )
end

#generate_authenticated_request(options = {}) ⇒ Faraday::Request

Generates an authenticated request for protected resources.

Parameters:

• options (Hash) (defaults to: {}) —

  The configuration parameters for the request.

  • :request - A pre-constructed request. An OAuth 2 Authorization header will be added to it, as well as an explicit Cache-Control no-store directive.
  • :method - The HTTP method for the request. Defaults to 'GET'.
  • :uri - The URI for the request.
  • :headers - The HTTP headers for the request.
  • :body - The HTTP body for the request.
  • :realm - The Authorization realm. See RFC 2617.

Returns:

• (Faraday::Request) —

  The request object.

Raises:

• (ArgumentError)

# File 'lib/signet/oauth_2/client.rb', line 1114

def generate_authenticated_request options = {}
  options = deep_hash_normalize options

  raise ArgumentError, "Missing access token." if access_token.nil?
  options = {
    realm: nil
  }.merge(options)

  if options[:request].is_a? Faraday::Request
    request = options[:request]
  else
    if options[:request].is_a? Array
      method, uri, headers, body = options[:request]
    else
      method = options[:method] || :get
      uri = options[:uri]
      headers = options[:headers] || []
      body = options[:body] || ""
    end
    headers = headers.to_a if headers.is_a? Hash
    request_components = {
      method:  method,
      uri:     uri,
      headers: headers,
      body:    body
    }
    # Verify that we have all pieces required to return an HTTP request
    request_components.each do |(key, value)|
      raise ArgumentError, "Missing :#{key} parameter." unless value
    end
    method = method.to_s.downcase.to_sym
    request = options[:connection].build_request method.to_s.downcase.to_sym do |req|
      req.url Addressable::URI.parse(uri).normalize.to_s
      req.headers = Faraday::Utils::Headers.new headers
      req.body = body
    end
  end

  request["Authorization"] = ::Signet::OAuth2.generate_bearer_authorization_header(
    access_token,
    options[:realm] ? [["realm", options[:realm]]] : nil
  )
  request["Cache-Control"] = "no-store"
  request
end

#grant_type ⇒ String

Returns the inferred grant type, based on the current state of the client object. Returns "none" if the client has insufficient information to make an in-band authorization request.

Returns:

• (String) —

  The inferred grant type.

# File 'lib/signet/oauth_2/client.rb', line 902

def grant_type
  @grant_type ||= nil
  return @grant_type if @grant_type
  if code && redirect_uri
    "authorization_code"
  elsif refresh_token
    "refresh_token"
  elsif username && password
    "password"
  elsif issuer && signing_key
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  end
end

#grant_type=(new_grant_type) ⇒ Object

# File 'lib/signet/oauth_2/client.rb', line 916

def grant_type= new_grant_type
  @grant_type =
    case new_grant_type
    when "authorization_code", "refresh_token", "password", "client_credentials"
      new_grant_type
    else
      Addressable::URI.parse new_grant_type
    end
end

#granted_scopes ⇒ Array^?

Returns the scopes granted by the authorization server.

Returns:

• (Array, nil) —

  The scope of access returned by the authorization server.

# File 'lib/signet/oauth_2/client.rb', line 835

def granted_scopes
  @granted_scopes
end

#granted_scopes=(new_granted_scopes) ⇒ Object

Sets the scopes returned by authorization server for this client.

Parameters:

• new_granted_scopes (String, Array, nil) —

  The scope of access returned by authorization server. This will ideally be expressed as space-delimited String.

# File 'lib/signet/oauth_2/client.rb', line 845

def granted_scopes= new_granted_scopes
  case new_granted_scopes
  when Array
    @granted_scopes = new_granted_scopes
  when String
    @granted_scopes = new_granted_scopes.split
  when nil
    @granted_scopes = nil
  else
    raise TypeError, "Expected Array or String, got #{new_granted_scopes.class}"
  end
end

#id_token ⇒ String

Returns the ID token associated with this client.

Returns:

• (String) —

  The ID token.

# File 'lib/signet/oauth_2/client.rb', line 732

def id_token
  @id_token ||= nil
end

#id_token=(new_id_token) ⇒ Object

Sets the ID token associated with this client.

Parameters:

• new_id_token (String) —

  The ID token.

# File 'lib/signet/oauth_2/client.rb', line 741

def id_token= new_id_token
  @id_token = new_id_token
end

#issued_at ⇒ Time^?

Returns the timestamp the access token was issued at.

Returns:

• (Time, nil) —

  The access token issuance time.

# File 'lib/signet/oauth_2/client.rb', line 799

def issued_at
  @issued_at
end

#issued_at=(new_issued_at) ⇒ Object

Sets the timestamp the access token was issued at.

Parameters:

• new_issued_at (String, Integer, Time) —

  The access token issuance time.

# File 'lib/signet/oauth_2/client.rb', line 808

def issued_at= new_issued_at
  @issued_at = normalize_timestamp new_issued_at
end

#issuer ⇒ String

Returns the issuer ID associated with this client. Used only by the assertion grant type.

Returns:

• (String) —

  Issuer id.

# File 'lib/signet/oauth_2/client.rb', line 542

def issuer
  @issuer
end

#issuer=(new_issuer) ⇒ Object

Sets the issuer ID associated with this client. Used only by the assertion grant type.

Parameters:

• new_issuer (String) —

  Issuer ID (typical in email adddress form).

# File 'lib/signet/oauth_2/client.rb', line 552

def issuer= new_issuer
  @issuer = new_issuer
end

#password ⇒ String

Returns the password associated with this client. Used only by the resource owner password credential access grant type.

Returns:

• (String) —

  The password.

# File 'lib/signet/oauth_2/client.rb', line 523

def password
  @password
end

#password=(new_password) ⇒ Object

Sets the password associated with this client. Used only by the resource owner password credential access grant type.

Parameters:

• new_password (String) —

  The password.

# File 'lib/signet/oauth_2/client.rb', line 533

def password= new_password
  @password = new_password
end

#principal ⇒ String Also known as: person

Returns the target resource owner for impersonation. Used only by the assertion grant type.

Returns:

• (String) —

  Target user for impersonation.

# File 'lib/signet/oauth_2/client.rb', line 580

def principal
  @principal
end

#principal=(new_person) ⇒ Object Also known as: person=

Sets the target resource owner for impersonation. Used only by the assertion grant type.

Parameters:

• new_person (String) —

  Target user for impersonation

# File 'lib/signet/oauth_2/client.rb', line 590

def principal= new_person
  @principal = new_person
end

#redirect_uri ⇒ String

Returns the redirect URI for this client.

Returns:

• (String) —

  The redirect URI.

# File 'lib/signet/oauth_2/client.rb', line 480

def redirect_uri
  @redirect_uri
end

#redirect_uri=(new_redirect_uri) ⇒ Object

Sets the redirect URI for this client.

Parameters:

• new_redirect_uri (String) —

  The redirect URI.

# File 'lib/signet/oauth_2/client.rb', line 489

def redirect_uri= new_redirect_uri
  new_redirect_uri = Addressable::URI.parse new_redirect_uri
  # TODO: - Better solution to allow google postmessage flow. For now, make an exception to the spec.
  unless new_redirect_uri.nil? || new_redirect_uri.absolute? || uri_is_postmessage?(new_redirect_uri) ||
         uri_is_oob?(new_redirect_uri)
    raise ArgumentError, "Redirect URI must be an absolute URI."
  end
  @redirect_uri = new_redirect_uri
end

#refresh!(options = {}) ⇒ Object

Refresh the access token, if possible

# File 'lib/signet/oauth_2/client.rb', line 1090

def refresh! options = {}
  fetch_access_token! options
end

#refresh_token ⇒ String

Returns the refresh token associated with this client.

Returns:

• (String) —

  The refresh token.

# File 'lib/signet/oauth_2/client.rb', line 698

def refresh_token
  @refresh_token ||= nil
end

#refresh_token=(new_refresh_token) ⇒ Object

Sets the refresh token associated with this client.

Parameters:

• new_refresh_token (String) —

  The refresh token.

# File 'lib/signet/oauth_2/client.rb', line 707

def refresh_token= new_refresh_token
  @refresh_token = new_refresh_token
end

#scope ⇒ Array

Returns the scope for this client. Scope is a list of access ranges defined by the authorization server.

Returns:

• (Array) —

  The scope of access the client is requesting.

# File 'lib/signet/oauth_2/client.rb', line 394

def scope
  @scope
end

#scope=(new_scope) ⇒ Object

Sets the scope for this client.

Parameters:

• new_scope (Array, String) —

  The scope of access the client is requesting. This may be expressed as either an Array of String objects or as a space-delimited String.

# File 'lib/signet/oauth_2/client.rb', line 405

def scope= new_scope
  case new_scope
  when Array
    new_scope.each do |scope|
      if scope.include? " "
        raise ArgumentError,
              "Individual scopes cannot contain the space character."
      end
    end
    @scope = new_scope
  when String
    @scope = new_scope.split
  when nil
    @scope = nil
  else
    raise TypeError, "Expected Array or String, got #{new_scope.class}"
  end
end

#signing_algorithm ⇒ String

Algorithm used for signing JWTs

Returns:

• (String) —

  Signing algorithm

# File 'lib/signet/oauth_2/client.rb', line 644

def signing_algorithm
  signing_key.is_a?(String) ? "HS256" : "RS256"
end

#signing_key ⇒ String, OpenSSL::PKey

Returns the signing key associated with this client. Used only by the assertion grant type.

Returns:

• (String, OpenSSL::PKey) —

  Signing key

# File 'lib/signet/oauth_2/client.rb', line 627

def signing_key
  @signing_key
end

#signing_key=(new_key) ⇒ Object

Sets the signing key when issuing assertions. Used only by the assertion grant type.

Parameters:

• new_key (String, OpenSSL::Pkey) —

  Signing key. Either private key for RSA or string for HMAC algorithm

# File 'lib/signet/oauth_2/client.rb', line 637

def signing_key= new_key
  @signing_key = new_key
end

#state ⇒ String

Returns the client's current state value.

Returns:

• (String) —

  The state value.

# File 'lib/signet/oauth_2/client.rb', line 444

def state
  @state
end

#state=(new_state) ⇒ Object

Sets the client's current state value.

Parameters:

• new_state (String) —

  The state value.

# File 'lib/signet/oauth_2/client.rb', line 453

def state= new_state
  @state = new_state
end

#target_audience ⇒ String

Returns the final target audience for ID tokens fetched by this client.

Returns:

• (String) —

  The target audience.

# File 'lib/signet/oauth_2/client.rb', line 428

def target_audience
  @target_audience
end

#target_audience=(new_target_audience) ⇒ Object

Sets the final target audience for ID tokens fetched by this client.

Parameters:

• new_target_audience (String) —

  The new target audience.

# File 'lib/signet/oauth_2/client.rb', line 436

def target_audience= new_target_audience
  @target_audience = new_target_audience
end

#to_json(*_args) ⇒ String

Note:

A serialized client contains sensitive information. Persist or transmit with care.

Serialize the client object to JSON.

Returns:

• (String) —

  A serialized JSON representation of the client.

# File 'lib/signet/oauth_2/client.rb', line 950

def to_json *_args
  MultiJson.dump(
    "authorization_uri"    => authorization_uri&.to_s,
    "token_credential_uri" => token_credential_uri&.to_s,
    "client_id"            => client_id,
    "client_secret"        => client_secret,
    "scope"                => scope,
    "target_audience"      => target_audience,
    "state"                => state,
    "code"                 => code,
    "redirect_uri"         => redirect_uri&.to_s,
    "username"             => username,
    "password"             => password,
    "issuer"               => issuer,
    "audience"             => audience,
    "person"               => person,
    "expiry"               => expiry,
    "expires_at"           => expires_at&.to_i,
    "signing_key"          => signing_key,
    "refresh_token"        => refresh_token,
    "access_token"         => access_token,
    "id_token"             => id_token,
    "extension_parameters" => extension_parameters,
    "granted_scopes"       => granted_scopes
  )
end

#to_jwt(options = {}) ⇒ Object

# File 'lib/signet/oauth_2/client.rb', line 926

def to_jwt options = {}
  options = deep_hash_normalize options

  now = Time.new
  skew = options[:skew] || 60
  assertion = {
    "iss" => issuer,
    "aud" => audience,
    "exp" => (now + expiry).to_i,
    "iat" => (now - skew).to_i
  }
  assertion["scope"] = scope.join " " unless scope.nil?
  assertion["target_audience"] = target_audience unless target_audience.nil?
  assertion["prn"] = person unless person.nil?
  assertion["sub"] = sub unless sub.nil?
  JWT.encode assertion, signing_key, signing_algorithm
end

#token_credential_uri ⇒ Addressable::URI

Returns the token credential URI for this client.

Returns:

• (Addressable::URI) —

  The token credential URI.

# File 'lib/signet/oauth_2/client.rb', line 315

def token_credential_uri
  @token_credential_uri
end

#token_credential_uri=(new_token_credential_uri) ⇒ Object

Sets the token credential URI for this client.

Parameters:

• new_token_credential_uri (Addressable::URI, Hash, String, #to_str) —

  The token credential URI.

# File 'lib/signet/oauth_2/client.rb', line 324

def token_credential_uri= new_token_credential_uri
  @token_credential_uri = coerce_uri new_token_credential_uri
end

#update!(options = {}) ⇒ Object

Updates an OAuth 2.0 client.

Examples:

client.update!(
  :code => 'i1WsRn1uB1',
  :access_token => 'FJQbwq9',
  :expires_in => 3600
)

Parameters:

• options (Hash) (defaults to: {}) —

  The configuration parameters for the client.

  • :authorization_uri - The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
  • :token_credential_uri - The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
  • :client_id - A unique identifier issued to the client to identify itself to the authorization server.
  • :client_secret - A shared symmetric secret issued by the authorization server, which is used to authenticate the client.
  • :scope - The scope of the access request, expressed either as an Array or as a space-delimited String.
  • :target_audience - The final target audience for ID tokens fetched by this client, as a String.
  • :state - An arbitrary string designed to allow the client to maintain state.
  • :code - The authorization code received from the authorization server.
  • :redirect_uri - The redirection URI used in the initial request.
  • :username - The resource owner's username.
  • :password - The resource owner's password.
  • :issuer - Issuer ID when using assertion profile
  • :audience - Target audience for assertions
  • :person - Target user for assertions
  • :expiry - Number of seconds assertions are valid for
  • :signing_key - Signing key when using assertion profile
  • :refresh_token - The refresh token associated with the access token to be refreshed.
  • :access_token - The current access token for this client.
  • :access_type - The current access type parameter for #authorization_uri.
  • :id_token - The current ID token for this client.
  • :extension_parameters - When using an extension grant type, this is the set of parameters used by that extension.
  • :granted_scopes - All scopes granted by authorization server.

See Also:

• #initialize
• #update_token!

# File 'lib/signet/oauth_2/client.rb', line 185

def update! options = {}
  # Normalize all keys to symbols to allow indifferent access.
  options = deep_hash_normalize options

  self.authorization_uri = options[:authorization_uri] if options.key? :authorization_uri
  self.token_credential_uri = options[:token_credential_uri] if options.key? :token_credential_uri
  self.client_id = options[:client_id] if options.key? :client_id
  self.client_secret = options[:client_secret] if options.key? :client_secret
  self.scope = options[:scope] if options.key? :scope
  self.target_audience = options[:target_audience] if options.key? :target_audience
  self.state = options[:state] if options.key? :state
  self.code = options[:code] if options.key? :code
  self.redirect_uri = options[:redirect_uri] if options.key? :redirect_uri
  self.username = options[:username] if options.key? :username
  self.password = options[:password] if options.key? :password
  self.issuer = options[:issuer] if options.key? :issuer
  self.person = options[:person] if options.key? :person
  self.sub = options[:sub] if options.key? :sub
  self.expiry = options[:expiry] || 60
  self.audience = options[:audience] if options.key? :audience
  self.signing_key = options[:signing_key] if options.key? :signing_key
  self.extension_parameters = options[:extension_parameters] || {}
  self.additional_parameters = options[:additional_parameters] || {}
  self.access_type = options.fetch :access_type, :offline
  update_token! options
  self
end

#update_token!(options = {}) ⇒ Object

Updates an OAuth 2.0 client.

Examples:

client.update!(
  :refresh_token => 'n4E9O119d',
  :access_token => 'FJQbwq9',
  :expires_in => 3600
)

Parameters:

• options (Hash) (defaults to: {}) —

  The configuration parameters related to the token.

  • :refresh_token - The refresh token associated with the access token to be refreshed.
  • :access_token - The current access token for this client.
  • :id_token - The current ID token for this client.
  • :expires_in - The time in seconds until access token expiration.
  • :expires_at - The time as an integer number of seconds since the Epoch
  • :issued_at - The timestamp that the token was issued at.

See Also:

• #initialize
• #update!

# File 'lib/signet/oauth_2/client.rb', line 241

def update_token! options = {}
  # Normalize all keys to symbols to allow indifferent access internally
  options = deep_hash_normalize options

  self.expires_in = options[:expires] if options.key? :expires
  self.expires_in = options[:expires_in] if options.key? :expires_in
  self.expires_at = options[:expires_at] if options.key? :expires_at

  # By default, the token is issued at `Time.now` when `expires_in` is
  # set, but this can be used to supply a more precise time.
  self.issued_at = options[:issued_at] if options.key? :issued_at

  # Special case where we want expires_at to be relative to issued_at
  if options.key?(:issued_at) && options.key?(:expires_in)
    set_relative_expires_at options[:issued_at], options[:expires_in]
  end

  self.access_token = options[:access_token] if options.key? :access_token
  self.refresh_token = options[:refresh_token] if options.key? :refresh_token
  self.id_token = options[:id_token] if options.key? :id_token
  self.granted_scopes = options[:granted_scopes] if options.key? :granted_scopes
  self
end

#username ⇒ String

Returns the username associated with this client. Used only by the resource owner password credential access grant type.

Returns:

• (String) —

  The username.

# File 'lib/signet/oauth_2/client.rb', line 504

def username
  @username
end

#username=(new_username) ⇒ Object

Sets the username associated with this client. Used only by the resource owner password credential access grant type.

Parameters:

• new_username (String) —

  The username.

# File 'lib/signet/oauth_2/client.rb', line 514

def username= new_username
  @username = new_username
end