Remove oauth2client usage in endpoints samples (#1002)

GoogleCloudPlatform · Jun 26, 2017 · f21866f · f21866f
1 parent 10bf2af
commit f21866f
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 36 deletions.
diff --git a/endpoints/getting-started/clients/google-id-token-client.py b/endpoints/getting-started/clients/google-id-token-client.py
@@ -19,25 +19,24 @@
 
 import argparse
 
-import oauth2client.client
-import oauth2client.file
-import oauth2client.tools
+import google_auth_oauthlib.flow
 import requests
 from six.moves import urllib
 
 
 def get_id_token(client_secrets_file, extra_args):
-    storage = oauth2client.file.Storage('credentials.dat')
-    credentials = storage.get()
+    """Obtains credentials from the user using OAuth 2.0 and then returns the
+    ID token from those credentials."""
 
-    if not credentials or credentials.invalid:
-        flow = oauth2client.client.flow_from_clientsecrets(
-            client_secrets_file, scope='email')
-        credentials = oauth2client.tools.run_flow(
-            flow, storage, flags=extra_args)
+    flow = google_auth_oauthlib.flow.InstalledAppFlow.from_client_secrets_file(
+        client_secrets_file, scopes=['openid', 'email', 'profile'])
 
-    # The ID token is used by Cloud Endpoints, not the access token.
-    id_token = credentials.token_response['id_token']
+    # Run the OAuth 2.0 flow to obtain credentials from the user.
+    flow.run_local_server()
+
+    # The credentials have both an access token and an ID token. Cloud
+    # Endpoints uses the ID Token.
+    id_token = flow.oauth2session.token['id_token']
 
     return id_token
 
@@ -67,8 +66,7 @@ def main(host, api_key, client_secrets_file, extra_args):
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(
         description=__doc__,
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-        parents=[oauth2client.tools.argparser])
+        formatter_class=argparse.RawDescriptionHelpFormatter)
     parser.add_argument(
         'host', help='Your API host, e.g. https://your-project.appspot.com.')
     parser.add_argument(

diff --git a/endpoints/getting-started/clients/google-jwt-client.py b/endpoints/getting-started/clients/google-jwt-client.py
@@ -20,22 +20,30 @@
 import argparse
 import time
 
-import oauth2client.crypt
-from oauth2client.service_account import ServiceAccountCredentials
+import google.auth.crypt
+import google.auth.jwt
 import requests
 from six.moves import urllib
 
 
 def generate_jwt(service_account_file):
     """Generates a signed JSON Web Token using a Google API Service Account."""
-    credentials = ServiceAccountCredentials.from_json_keyfile_name(
+
+    # Note: this sample shows how to manually create the JWT for the purposes
+    # of showing how the authentication works, but you can use
+    # google.auth.jwt.Credentials to automatically create the JWT.
+    #   http://google-auth.readthedocs.io/en/latest/reference
+    #   /google.auth.jwt.html#google.auth.jwt.Credentials
+
+    signer = google.auth.crypt.RSASigner.from_service_account_file(
         service_account_file)
 
     now = int(time.time())
+    expires = now + 3600  # One hour in seconds
 
     payload = {
         'iat': now,
-        'exp': now + credentials.MAX_TOKEN_LIFETIME_SECS,
+        'exp': expires,
         # aud must match 'audience' in the security configuration in your
         # swagger spec. It can be any string.
         'aud': 'echo.endpoints.sample.google.com',
@@ -47,10 +55,9 @@ def generate_jwt(service_account_file):
         'email': 'user@example.com'
     }
 
-    signed_jwt = oauth2client.crypt.make_signed_jwt(
-        credentials._signer, payload, key_id=credentials._private_key_id)
+    jwt = google.auth.jwt.encode(signer, payload)
 
-    return signed_jwt
+    return jwt
 
 
 def make_request(host, api_key, signed_jwt):

diff --git a/endpoints/getting-started/clients/service_to_service_gae_default/main.py b/endpoints/getting-started/clients/service_to_service_gae_default/main.py
@@ -49,12 +49,12 @@ def generate_jwt():
         "email": DEFAULT_SERVICE_ACCOUNT
     })
 
-    headerAndPayload = '{}.{}'.format(
+    header_and_payload = '{}.{}'.format(
         base64.urlsafe_b64encode(header_json),
         base64.urlsafe_b64encode(payload_json))
-    (key_name, signature) = app_identity.sign_blob(headerAndPayload)
+    (key_name, signature) = app_identity.sign_blob(header_and_payload)
     signed_jwt = '{}.{}'.format(
-        headerAndPayload,
+        header_and_payload,
         base64.urlsafe_b64encode(signature))
 
     return signed_jwt

diff --git a/endpoints/getting-started/clients/service_to_service_google_id_token/main.py b/endpoints/getting-started/clients/service_to_service_google_id_token/main.py
@@ -50,12 +50,12 @@ def generate_jwt():
         "aud": "https://www.googleapis.com/oauth2/v4/token"
     })
 
-    headerAndPayload = '{}.{}'.format(
+    header_and_payload = '{}.{}'.format(
         base64.urlsafe_b64encode(header_json),
         base64.urlsafe_b64encode(payload_json))
-    (key_name, signature) = app_identity.sign_blob(headerAndPayload)
+    (key_name, signature) = app_identity.sign_blob(header_and_payload)
     signed_jwt = '{}.{}'.format(
-        headerAndPayload,
+        header_and_payload,
         base64.urlsafe_b64encode(signature))
 
     return signed_jwt

diff --git a/endpoints/getting-started/clients/service_to_service_non_default/main.py b/endpoints/getting-started/clients/service_to_service_non_default/main.py
@@ -20,9 +20,8 @@
 import json
 import time
 
+import google.auth.app_engine
 import googleapiclient.discovery
-import httplib2
-from oauth2client.contrib.appengine import AppAssertionCredentials
 import webapp2
 
 SERVICE_ACCOUNT_EMAIL = "YOUR-SERVICE-ACCOUNT-EMAIL"
@@ -33,11 +32,10 @@
 
 def generate_jwt():
     """Generates a signed JSON Web Token using a service account."""
-    credentials = AppAssertionCredentials(
-        'https://www.googleapis.com/auth/iam')
-    http_auth = credentials.authorize(httplib2.Http())
+    credentials = google.auth.app_engine.Credentials(
+        scopes=['https://www.googleapis.com/auth/iam'])
     service = googleapiclient.discovery.build(
-        serviceName='iam', version='v1', http=http_auth)
+        serviceName='iam', version='v1', credentials=credentials)
 
     now = int(time.time())
 
@@ -58,16 +56,16 @@ def generate_jwt():
         "email": SERVICE_ACCOUNT_EMAIL
     })
 
-    headerAndPayload = '{}.{}'.format(
+    header_and_payload = '{}.{}'.format(
         base64.urlsafe_b64encode(header_json),
         base64.urlsafe_b64encode(payload_json))
     slist = service.projects().serviceAccounts().signBlob(
         name=SERVICE_ACCOUNT,
-        body={'bytesToSign': base64.b64encode(headerAndPayload)})
+        body={'bytesToSign': base64.b64encode(header_and_payload)})
     res = slist.execute()
     signature = base64.urlsafe_b64encode(
         base64.decodestring(res['signature']))
-    signed_jwt = '{}.{}'.format(headerAndPayload, signature)
+    signed_jwt = '{}.{}'.format(header_and_payload, signature)
 
     return signed_jwt
 

diff --git a/endpoints/getting-started/clients/service_to_service_non_default/requirements.txt b/endpoints/getting-started/clients/service_to_service_non_default/requirements.txt
@@ -0,0 +1,3 @@
+google-api-python-client==1.6.2
+google-auth==1.0.1
+google-auth-httplib2==0.0.2
diff --git a/endpoints/getting-started/requirements.txt b/endpoints/getting-started/requirements.txt
@@ -4,3 +4,5 @@ gunicorn==19.7.1
 six==1.10.0
 pyyaml==3.12
 requests==2.18.1
+google-auth==1.0.0
+google-auth-oauthlib==0.1.0