line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Mojo::JWT::Google; |
2
|
1
|
|
|
1
|
|
236216
|
use utf8; |
|
1
|
|
|
|
|
7
|
|
|
1
|
|
|
|
|
6
|
|
3
|
1
|
|
|
1
|
|
560
|
use Mojo::Base qw(Mojo::JWT); |
|
1
|
|
|
|
|
164395
|
|
|
1
|
|
|
|
|
8
|
|
4
|
1
|
|
|
1
|
|
28681
|
use Mojo::File qw(path); |
|
1
|
|
|
|
|
33971
|
|
|
1
|
|
|
|
|
71
|
|
5
|
1
|
|
|
1
|
|
8
|
use Mojo::JSON qw(decode_json); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
42
|
|
6
|
1
|
|
|
1
|
|
6
|
use Carp; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
801
|
|
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
our $VERSION = '0.14'; |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
has client_email => undef; |
11
|
|
|
|
|
|
|
has expires_in => 3600; |
12
|
|
|
|
|
|
|
has issue_at => undef; |
13
|
|
|
|
|
|
|
has scopes => sub { [] }; |
14
|
|
|
|
|
|
|
has target => q(https://www.googleapis.com/oauth2/v4/token); |
15
|
|
|
|
|
|
|
has user_as => undef; |
16
|
|
|
|
|
|
|
has audience => undef; |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
sub new { |
19
|
8
|
|
|
8
|
1
|
12389
|
my ($class, %options) = @_; |
20
|
8
|
|
|
|
|
48
|
my $self = $class->SUPER::new(%options); |
21
|
8
|
100
|
|
|
|
130
|
return $self if not defined $self->{from_json}; |
22
|
|
|
|
|
|
|
|
23
|
2
|
|
|
|
|
7
|
my $result = $self->from_json($self->{from_json}); |
24
|
|
|
|
|
|
|
|
25
|
1
|
|
|
|
|
5
|
return $self; |
26
|
|
|
|
|
|
|
} |
27
|
|
|
|
|
|
|
|
28
|
|
|
|
|
|
|
sub claims { |
29
|
7
|
|
|
7
|
1
|
6213
|
my ($self, $value) = @_; |
30
|
7
|
100
|
|
|
|
22
|
if (defined $value) { |
31
|
1
|
|
|
|
|
4
|
$self->{claims} = $value; |
32
|
1
|
|
|
|
|
3
|
return $self; |
33
|
|
|
|
|
|
|
} |
34
|
6
|
|
|
|
|
14
|
my $claims = $self->_construct_claims; |
35
|
6
|
100
|
|
|
|
16
|
unless (exists $claims->{exp}) { |
36
|
3
|
|
|
|
|
25
|
$claims->{exp} = $self->now + $self->expires_in ; |
37
|
|
|
|
|
|
|
} |
38
|
6
|
|
|
|
|
57
|
return $claims; |
39
|
|
|
|
|
|
|
} |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
sub _construct_claims { |
42
|
6
|
|
|
6
|
|
12
|
my $self = shift; |
43
|
6
|
|
|
|
|
11
|
my $result = {}; |
44
|
6
|
|
|
|
|
26
|
$result->{iss} = $self->client_email; |
45
|
6
|
|
|
|
|
47
|
$result->{aud} = $self->target; |
46
|
6
|
100
|
|
|
|
34
|
$result->{sub} = $self->user_as if defined $self->user_as; |
47
|
6
|
|
|
|
|
33
|
my @scopes = @{ $self->scopes }; |
|
6
|
|
|
|
|
15
|
|
48
|
|
|
|
|
|
|
|
49
|
6
|
50
|
66
|
|
|
47
|
croak "Can't use both scopes and audience in the same token" if @scopes && $self->audience; |
50
|
6
|
100
|
|
|
|
39
|
$result->{scope} = join ' ', @scopes if @scopes; |
51
|
6
|
50
|
|
|
|
14
|
$result->{target_audience} = $self->audience if defined $self->audience; |
52
|
|
|
|
|
|
|
|
53
|
6
|
100
|
|
|
|
47
|
if ( not defined $self->issue_at ) { |
54
|
3
|
|
|
|
|
16
|
$self->set_iat(1); |
55
|
|
|
|
|
|
|
} |
56
|
|
|
|
|
|
|
else { |
57
|
3
|
|
|
|
|
25
|
$self->set_iat(0); |
58
|
3
|
|
|
|
|
24
|
$result->{iat} = $self->issue_at; |
59
|
3
|
|
|
|
|
15
|
$result->{exp} = $self->issue_at + $self->expires_in; |
60
|
|
|
|
|
|
|
} |
61
|
6
|
|
|
|
|
48
|
return $result; |
62
|
|
|
|
|
|
|
} |
63
|
|
|
|
|
|
|
|
64
|
|
|
|
|
|
|
sub from_json { |
65
|
6
|
|
|
6
|
1
|
2729
|
my ($self, $value) = @_; |
66
|
6
|
100
|
|
|
|
149
|
croak 'You did not pass a filename to from_json' if not defined $value; |
67
|
5
|
100
|
|
|
|
619
|
croak 'Cannot find file passed to from_json' if not -f $value; |
68
|
3
|
|
|
|
|
23
|
my $json = decode_json( path($value)->slurp ); |
69
|
3
|
100
|
|
|
|
2017
|
croak 'private key was not found in file passed to from_json' unless $json->{private_key}; |
70
|
2
|
100
|
|
|
|
106
|
croak 'from_json only works with service accounts' if $json->{type} ne 'service_account'; |
71
|
1
|
|
|
|
|
15
|
$self->algorithm('RS256'); |
72
|
1
|
|
|
|
|
26
|
$self->secret($json->{private_key}); |
73
|
1
|
|
|
|
|
9
|
$self->client_email($json->{client_email}); |
74
|
1
|
|
|
|
|
8
|
return 1 |
75
|
|
|
|
|
|
|
} |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
sub as_form_data { |
78
|
0
|
|
|
0
|
0
|
|
my ($self) = @_; |
79
|
|
|
|
|
|
|
return { |
80
|
0
|
|
|
|
|
|
grant_type => 'urn:ietf:params:oauth:grant-type:jwt-bearer', |
81
|
|
|
|
|
|
|
assertion => $self->encode |
82
|
|
|
|
|
|
|
} |
83
|
|
|
|
|
|
|
} |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
1; |
86
|
|
|
|
|
|
|
|
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
=head1 NAME |
89
|
|
|
|
|
|
|
|
90
|
|
|
|
|
|
|
Mojo::JWT::Google - Service Account tokens |
91
|
|
|
|
|
|
|
|
92
|
|
|
|
|
|
|
=head1 VERSION |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
version 0.14 |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
=head1 SYNOPSIS |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
my $gjwt = Mojo::JWT::Google->new(secret => 's3cr3t', |
99
|
|
|
|
|
|
|
scopes => [ '/my/scope/a', '/my/scope/b' ], |
100
|
|
|
|
|
|
|
client_email => 'riche@cpan.org')->encode; |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
# authenticating for apis as a service account |
103
|
|
|
|
|
|
|
my $gjwt = Mojo::JWT::Google->new( |
104
|
|
|
|
|
|
|
from_json => '/my/secret/project-b98ale897.json', |
105
|
|
|
|
|
|
|
scopes => 'https://www.googleapis.com/auth/gmail.send', |
106
|
|
|
|
|
|
|
user_as => 'some-email@your-org.com'); # if you have domain-wide delegation |
107
|
|
|
|
|
|
|
my $ua = Mojo::UserAgent->new; |
108
|
|
|
|
|
|
|
my $tx = $ua->post('https://www.googleapis.com/oauth2/v4/token', form => $gjwt->as_form_data); |
109
|
|
|
|
|
|
|
$tx->res->json('/access_token') # will contain your access token |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
# authenticating to use the Identity Aware Proxy |
112
|
|
|
|
|
|
|
my $gjwt = Mojo::JWT::Google->new( |
113
|
|
|
|
|
|
|
from_json => '/my/secret/project-b98ale897.json', |
114
|
|
|
|
|
|
|
audience => 'the-client-id-from-your-IAP'); |
115
|
|
|
|
|
|
|
my $ua = Mojo::UserAgent->new; |
116
|
|
|
|
|
|
|
my $tx = $ua->post('https://www.googleapis.com/oauth2/v4/token', form => $gjwt->as_form_data); |
117
|
|
|
|
|
|
|
$tx->res->json('/id_token') # will contain your id token |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
=head1 DESCRIPTION |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
Like L, you can instantiate this class by using the same syntax, |
122
|
|
|
|
|
|
|
except that this class constructs the claims for you. |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
my $jwt = Mojo::JWT::Google->new(secret => 's3cr3t')->encode; |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
And add any attribute defined in this class. The JWT is fairly useless unless |
127
|
|
|
|
|
|
|
you define your scopes. |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
my $gjwt = Mojo::JWT::Google->new(secret => 's3cr3t', |
130
|
|
|
|
|
|
|
scopes => [ '/my/scope/a', '/my/scope/b' ], |
131
|
|
|
|
|
|
|
client_email => 'riche@cpan.org')->encode; |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
You can also get your information automatically from the .json you received |
134
|
|
|
|
|
|
|
from Google. Your secret key is in that file, so it's best to keep it safe |
135
|
|
|
|
|
|
|
somewhere. This will ease some busy work in configuring the object -- with |
136
|
|
|
|
|
|
|
virtually the only things to do is determine the scopes and the user_as if you |
137
|
|
|
|
|
|
|
need to impersonate. |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
my $gjwt = Mojo::JWT::Google |
140
|
|
|
|
|
|
|
->new( from_json => '/my/secret.json', |
141
|
|
|
|
|
|
|
scopes => [ '/my/scope/a', '/my/scope/b' ])->encode; |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
|
144
|
|
|
|
|
|
|
To authenticate, send a post request to https://www.googleapis.com/oauth2/v4/token, |
145
|
|
|
|
|
|
|
your Mojo::JWT::Google's as_form_data method. |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
$ua->post('https://www.googleapis.com/oauth2/v4/token', form => $gjwt->as_form_data); |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
=cut |
150
|
|
|
|
|
|
|
|
151
|
|
|
|
|
|
|
=head1 ATTRIBUTES |
152
|
|
|
|
|
|
|
|
153
|
|
|
|
|
|
|
L inherits all attributes from L and defines the |
154
|
|
|
|
|
|
|
following new ones. |
155
|
|
|
|
|
|
|
|
156
|
|
|
|
|
|
|
=head2 claims |
157
|
|
|
|
|
|
|
|
158
|
|
|
|
|
|
|
Overrides the parent class and constructs a hashref representing Google's |
159
|
|
|
|
|
|
|
required attribution. |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
=head2 client_email |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
Get or set the Client ID email address. |
165
|
|
|
|
|
|
|
|
166
|
|
|
|
|
|
|
=head2 expires_in |
167
|
|
|
|
|
|
|
|
168
|
|
|
|
|
|
|
Defines the threshold for when the token expires. Defaults to 3600. |
169
|
|
|
|
|
|
|
|
170
|
|
|
|
|
|
|
=head2 issue_at |
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
Defines the time of issuance in epoch seconds. If not defined, the claims issue |
173
|
|
|
|
|
|
|
at date defaults to the time when it is being encoded. |
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
=head2 scopes |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
Get or set the Google scopes. If impersonating, these scopes must be set up by |
178
|
|
|
|
|
|
|
your Google Business Administrator. |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
=head2 target |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
Get or set the target. At the time of writing, there is only one valid target: |
183
|
|
|
|
|
|
|
https://www.googleapis.com/oauth2/v4/token. This is the default value; if you |
184
|
|
|
|
|
|
|
have no need to customize this, then just fetch the default. |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
|
187
|
|
|
|
|
|
|
=head2 user_as |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
Set the Google user to impersonate. Your Google Business Administrator must |
190
|
|
|
|
|
|
|
have already set up your Client ID as a trusted app in order to use this |
191
|
|
|
|
|
|
|
successfully. |
192
|
|
|
|
|
|
|
|
193
|
|
|
|
|
|
|
=cut |
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
=head1 METHODS |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
Inherits all methods from L and defines the following new ones. |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
=head2 from_json |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
Loads the JSON file from Google with the client ID information in it and sets |
202
|
|
|
|
|
|
|
the respective attributes. |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
Dies on failure: file not found or value not defined |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
$gjwt->from_json('/my/google/app/project/sa/json/file'); |
207
|
|
|
|
|
|
|
|
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
=head1 SEE ALSO |
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
L |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
=head1 SOURCE REPOSITORY |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
L |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
=head1 AUTHOR |
218
|
|
|
|
|
|
|
|
219
|
|
|
|
|
|
|
Richard Elberger, |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
=head1 CONTRIBUTORS |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
Scott Wiersdorf, |
224
|
|
|
|
|
|
|
Avishai Goldman, |
225
|
|
|
|
|
|
|
|
226
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
227
|
|
|
|
|
|
|
|
228
|
|
|
|
|
|
|
Copyright (C) 2015 by Richard Elberger |
229
|
|
|
|
|
|
|
|
230
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify it |
231
|
|
|
|
|
|
|
under the same terms as Perl itself. |