File

src/auth/idtokenclient.ts

Extends

OAuth2Client


Constructor

constructor(options: IdTokenOptions)

Google ID Token client

Retrieve access token from the metadata server. See: https://developers.google.com/compute/docs/authentication

Parameters :
Name Type Optional
options IdTokenOptions No

Properties

idTokenProvider
Type : IdTokenProvider
targetAudience
Type : string
Optional _clientId
Type : string
Inherited from OAuth2Client
Defined in OAuth2Client:417
Optional _clientSecret
Type : string
Inherited from OAuth2Client
Defined in OAuth2Client:420
Optional apiKey
Type : string
Inherited from OAuth2Client
Defined in OAuth2Client:422
eagerRefreshThresholdMillis
Type : number
Inherited from OAuth2Client
Defined in OAuth2Client:426
forceRefreshOnFailure
Type : boolean
Inherited from OAuth2Client
Defined in OAuth2Client:428
Optional projectId
Type : string
Inherited from OAuth2Client
Defined in OAuth2Client:424

Methods

generateAuthUrl
generateAuthUrl(opts: GenerateAuthUrlOpts)
Inherited from OAuth2Client
Defined in OAuth2Client:522

Generates URL for consent page landing.

Parameters :
Name Type Optional Default value Description
opts GenerateAuthUrlOpts No {}

Options.

Returns : string

URL to consent page.

generateCodeVerifier
generateCodeVerifier()
Inherited from OAuth2Client
Defined in OAuth2Client:543
Returns : void
Async generateCodeVerifierAsync
generateCodeVerifierAsync()
Inherited from OAuth2Client
Defined in OAuth2Client:559

Convenience method to automatically generate a code_verifier and its resulting SHA256. If used, this must be paired with an S256 code_challenge_method.

For a full example see: https://github.com/googleapis/google-auth-library-nodejs/blob/master/samples/oauth2-codeVerifier.js

getAccessToken
getAccessToken(callback?: GetAccessTokenCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:734
Parameters :
Name Type Optional
callback GetAccessTokenCallback Yes
Returns : Promise | void
getAccessToken
getAccessToken(callback: GetAccessTokenCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:733
Parameters :
Name Type Optional
callback GetAccessTokenCallback No
Returns : void
getAccessToken
getAccessToken()
Inherited from OAuth2Client
Defined in OAuth2Client:732

Get a non-expired access token, after refreshing if necessary

getFederatedSignonCerts
getFederatedSignonCerts(callback?: GetFederatedSignonCertsCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:1049
Parameters :
Name Type Optional
callback GetFederatedSignonCertsCallback Yes
Returns : Promise | void
getFederatedSignonCerts
getFederatedSignonCerts(callback: GetFederatedSignonCertsCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:1048
Parameters :
Name Type Optional
callback GetFederatedSignonCertsCallback No
Returns : void
getFederatedSignonCerts
getFederatedSignonCerts()
Inherited from OAuth2Client
Defined in OAuth2Client:1047

Gets federated sign-on certificates to use for verifying identity tokens. Returns certs as array structure, where keys are key ids, and values are certificates in either PEM or JWK format.

Async getFederatedSignonCertsAsync
getFederatedSignonCertsAsync()
Inherited from OAuth2Client
Defined in OAuth2Client:1062
getIapPublicKeys
getIapPublicKeys(callback?: GetIapPublicKeysCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:1134
Parameters :
Name Type Optional
callback GetIapPublicKeysCallback Yes
Returns : Promise | void
getIapPublicKeys
getIapPublicKeys(callback: GetIapPublicKeysCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:1133
Parameters :
Name Type Optional
callback GetIapPublicKeysCallback No
Returns : void
getIapPublicKeys
getIapPublicKeys()
Inherited from OAuth2Client
Defined in OAuth2Client:1132

Gets federated sign-on certificates to use for verifying identity tokens. Returns certs as array structure, where keys are key ids, and values are certificates in either PEM or JWK format.

Returns : Promise<IapPublicKeysResponse>
Async getIapPublicKeysAsync
getIapPublicKeysAsync()
Inherited from OAuth2Client
Defined in OAuth2Client:1147
Returns : Promise<IapPublicKeysResponse>
Async getRequestHeaders
getRequestHeaders(url?: string)
Inherited from OAuth2Client
Defined in OAuth2Client:774

The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields.

In OAuth2Client, the result has the form: { Authorization: 'Bearer <access_token_value>' }

Parameters :
Name Type Optional Description
url string Yes

The optional url being authorized

Returns : Promise<Headers>
Static getRevokeTokenUrl
getRevokeTokenUrl(token: string)
Inherited from OAuth2Client
Defined in OAuth2Client:829

Generates a URL to revoke the given token.

Parameters :
Name Type Optional Description
token string No

The existing token to be revoked.

Returns : string
getToken
getToken(codeOrOptions: string | GetTokenOptions, callback?: GetTokenCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:592
Parameters :
Name Type Optional
codeOrOptions string | GetTokenOptions No
callback GetTokenCallback Yes
Returns : Promise | void
getToken
getToken(code: string, callback: GetTokenCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:590
Parameters :
Name Type Optional
code string No
callback GetTokenCallback No
Returns : void
getToken
getToken(options: GetTokenOptions)
Inherited from OAuth2Client
Defined in OAuth2Client:589
Parameters :
Name Type Optional
options GetTokenOptions No
getToken
getToken(options: GetTokenOptions, callback: GetTokenCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:591
Parameters :
Name Type Optional
options GetTokenOptions No
callback GetTokenCallback No
Returns : void
getToken
getToken(code: string)
Inherited from OAuth2Client
Defined in OAuth2Client:588

Gets the access token for the given code.

Parameters :
Name Type Optional Description
code string No

The authorization code.

Async getTokenInfo
getTokenInfo(accessToken: string)
Inherited from OAuth2Client
Defined in OAuth2Client:1020

Obtains information about the provisioned access token. Especially useful if you want to check the scopes that were provisioned to a given token.

Parameters :
Name Type Optional Description
accessToken string No

Required. The Access Token for which you want to get user info.

Returns : Promise<TokenInfo>
refreshAccessToken
refreshAccessToken(callback: RefreshAccessTokenCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:705
Parameters :
Name Type Optional
callback RefreshAccessTokenCallback No
Returns : void
refreshAccessToken
refreshAccessToken()
Inherited from OAuth2Client
Defined in OAuth2Client:704

Retrieves the access token using the refresh token.

refreshAccessToken
refreshAccessToken(callback?: RefreshAccessTokenCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:706
Parameters :
Name Type Optional
callback RefreshAccessTokenCallback Yes
Returns : Promise | void
request
request(opts: GaxiosOptions, callback?: BodyResponseCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:899
Type parameters :
  • T
Parameters :
Name Type Optional
opts GaxiosOptions No
callback BodyResponseCallback<T> Yes
Returns : GaxiosPromise | void
request
request(opts: GaxiosOptions, callback: BodyResponseCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:898
Type parameters :
  • T
Parameters :
Name Type Optional
opts GaxiosOptions No
callback BodyResponseCallback<T> No
Returns : void
request
request(opts: GaxiosOptions)
Inherited from OAuth2Client
Defined in OAuth2Client:897
Type parameters :
  • T

Provides a request implementation with OAuth 2.0 flow. If credentials have a refresh_token, in cases of HTTP 401 and 403 responses, it automatically asks for a new access token and replays the unsuccessful request.

Parameters :
Name Type Optional Description
opts GaxiosOptions No

Request options.

Returns : GaxiosPromise<T>

Request object

revokeCredentials
revokeCredentials()
Inherited from OAuth2Client
Defined in OAuth2Client:865

Revokes access token and clears the credentials object

Returns : GaxiosPromise<RevokeCredentialsResult>
revokeCredentials
revokeCredentials(callback: BodyResponseCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:866
Parameters :
Name Type Optional
callback BodyResponseCallback<RevokeCredentialsResult> No
Returns : void
revokeCredentials
revokeCredentials(callback?: BodyResponseCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:869
Parameters :
Name Type Optional
callback BodyResponseCallback<RevokeCredentialsResult> Yes
Returns : GaxiosPromise | void
revokeToken
revokeToken(token: string, callback?: BodyResponseCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:844
Parameters :
Name Type Optional
token string No
callback BodyResponseCallback<RevokeCredentialsResult> Yes
Returns : GaxiosPromise | void
revokeToken
revokeToken(token: string, callback: BodyResponseCallback)
Inherited from OAuth2Client
Defined in OAuth2Client:840
Parameters :
Name Type Optional
token string No
callback BodyResponseCallback<RevokeCredentialsResult> No
Returns : void
revokeToken
revokeToken(token: string)
Inherited from OAuth2Client
Defined in OAuth2Client:839

Revokes the access given to token.

Parameters :
Name Type Optional Description
token string No

The existing token to be revoked.

Returns : GaxiosPromise<RevokeCredentialsResult>
verifyIdToken
verifyIdToken(options: VerifyIdTokenOptions, callback?: (err?: Error | null,login?: LoginTicket) => void)
Inherited from OAuth2Client
Defined in OAuth2Client:975
Parameters :
Name Type Optional
options VerifyIdTokenOptions No
callback function Yes
Returns : void | Promise
verifyIdToken
verifyIdToken(options: VerifyIdTokenOptions, callback: (err: Error | null,login: LoginTicket) => void)
Inherited from OAuth2Client
Defined in OAuth2Client:971
Parameters :
Name Type Optional
options VerifyIdTokenOptions No
callback function No
Returns : void
verifyIdToken
verifyIdToken(options: VerifyIdTokenOptions)
Inherited from OAuth2Client
Defined in OAuth2Client:970

Verify that the ID token is valid by checking the certs and audience.

Parameters :
Name Type Optional Description
options VerifyIdTokenOptions No

that contains all options.

verifySignedJwtWithCerts
verifySignedJwtWithCerts()
Inherited from OAuth2Client
Defined in OAuth2Client:1161
Returns : void
Async verifySignedJwtWithCertsAsync
verifySignedJwtWithCertsAsync(jwt: string, certs: Certificates | PublicKeys, requiredAudience?: string | string[], issuers?: string[], maxExpiry?: number)
Inherited from OAuth2Client
Defined in OAuth2Client:1179

Verify the id token is signed with the correct certificate and is from the correct audience.

Parameters :
Name Type Optional Description
jwt string No

The jwt to verify (The ID Token in this case).

certs Certificates | PublicKeys No

The array of certs to test the jwt against.

requiredAudience string | string[] Yes

The audience to test the jwt against.

issuers string[] Yes

The allowed issuers of the jwt (Optional).

maxExpiry number Yes

The max expiry the certificate can be (Optional).

Returns : {}

Returns a promise resolving to LoginTicket on verification.

import {Credentials} from './credentials';
import {Headers, OAuth2Client, RequestMetadataResponse} from './oauth2client';

export interface IdTokenOptions {
  /**
   * The client to make the request to fetch an ID token.
   */
  idTokenProvider: IdTokenProvider;
  /**
   * The audience to use when requesting an ID token.
   */
  targetAudience: string;
}

export interface IdTokenProvider {
  fetchIdToken: (targetAudience: string) => Promise<string>;
}

export class IdTokenClient extends OAuth2Client {
  targetAudience: string;
  idTokenProvider: IdTokenProvider;

  /**
   * Google ID Token client
   *
   * Retrieve access token from the metadata server.
   * See: https://developers.google.com/compute/docs/authentication
   */
  constructor(options: IdTokenOptions) {
    super();
    this.targetAudience = options.targetAudience;
    this.idTokenProvider = options.idTokenProvider;
  }

  protected async getRequestMetadataAsync(
    // eslint-disable-next-line @typescript-eslint/no-unused-vars
    url?: string | null
  ): Promise<RequestMetadataResponse> {
    if (
      !this.credentials.id_token ||
      (this.credentials.expiry_date || 0) < Date.now()
    ) {
      const idToken = await this.idTokenProvider.fetchIdToken(
        this.targetAudience
      );
      this.credentials = {
        id_token: idToken,
        expiry_date: this.getIdTokenExpiryDate(idToken),
      } as Credentials;
    }

    const headers: Headers = {
      Authorization: 'Bearer ' + this.credentials.id_token,
    };
    return {headers};
  }

  private getIdTokenExpiryDate(idToken: string): number | void {
    const payloadB64 = idToken.split('.')[1];
    if (payloadB64) {
      const payload = JSON.parse(
        Buffer.from(payloadB64, 'base64').toString('ascii')
      );
      return payload.exp * 1000;
    }
  }
}
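
The caching rule in getRequestMetadataAsync above, reproduced as a standalone added example (not the library's code) with a stub provider and constructed, unsigned tokens. `makeToken`, `idTokenExpiryMillis`, `CachingIdTokenSource` and the injected clock are assumptions for illustration; unlike the listing, a token without a numeric `exp` is explicitly mapped to 0 so it is refetched on the next call.

```javascript
// Constructed, unsigned sample token: header.payload.signature (base64url).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({alg: 'none'})}.${enc(claims)}.sig`;
}

// Reads `exp` from the payload WITHOUT verifying the signature. That is only
// acceptable for scheduling a refresh of a token this process just fetched
// for itself; a token received from a peer must go through verifyIdToken.
function idTokenExpiryMillis(idToken) {
  const payloadB64 = String(idToken).split('.')[1];
  if (!payloadB64) return 0;
  try {
    const payload = JSON.parse(
      Buffer.from(payloadB64, 'base64url').toString('utf8')
    );
    return Number.isFinite(payload.exp) ? payload.exp * 1000 : 0;
  } catch {
    return 0; // malformed payload: treat as already expired
  }
}

class CachingIdTokenSource {
  // `provider` has the IdTokenProvider shape: fetchIdToken(aud) -> Promise<string>
  constructor(provider, targetAudience, now = Date.now) {
    this.provider = provider;
    this.targetAudience = targetAudience;
    this.now = now; // injectable clock so expiry can be exercised in tests
    this.credentials = {};
  }

  async getRequestHeaders() {
    const {id_token, expiry_date} = this.credentials;
    if (!id_token || (expiry_date || 0) < this.now()) {
      const idToken = await this.provider.fetchIdToken(this.targetAudience);
      this.credentials = {
        id_token: idToken,
        expiry_date: idTokenExpiryMillis(idToken),
      };
    }
    return {Authorization: 'Bearer ' + this.credentials.id_token};
  }
}
```

The receiving service, not this client, is where the audience and signature are enforced, so `targetAudience` should match exactly what that service passes to its verifier.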
