def from_idtoken()

in ad-joining/register-computer/gcp/auth.py [0:0]


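    def from_idtoken(idtoken, audience, require_google_claim=True):
        """Verify a Google-issued OpenID Connect ID token and wrap its claims.

        The cryptographic work is delegated to google-auth, which checks that
        the token is signed by Google's currently published certificates, is
        inside its validity window (``iat``/``exp``) and names ``audience`` in
        its ``aud`` claim. This wrapper adds two checks of its own: the issuer
        must be Google, and (by default) the token must be a "full" format
        instance identity token, recognised by the presence of the ``google``
        claim.

        Args:
            idtoken: The raw, compact-serialized JWT presented by the caller.
            audience: The ``aud`` value this service expects. Must be non-empty:
                google-auth skips the audience check altogether when handed
                ``None``, which would accept a token minted for any other
                relying party.
            require_google_claim: When True (default), reject tokens that lack
                the ``google`` claim, i.e. anything that is not a full-format
                Compute Engine instance identity token.

        Returns:
            AuthenticationInfo built from the verified claims.

        Raises:
            ValueError: If ``audience`` is empty or None. This is a caller bug,
                not a property of the token, so it is raised before any
                verification happens and is not wrapped.
            InvalidTokenException: If the token fails signature, lifetime or
                audience validation.
            InvalidIssuerException: If the token was not issued by Google (or
                carries no ``iss`` claim at all).
            IncompleteTokenException: If ``require_google_claim`` is set and
                the token lacks the ``google`` claim.
        """
        # Refuse to run without an audience: google.auth.jwt.decode() treats
        # audience=None as "do not check aud", which would silently disable
        # the one check that ties the token to *this* service.
        if not audience:
            raise ValueError("audience is required to verify an ID token")

        try:
            # google-auth validates that the token...
            # - is authentic (signature against Google's current certs)
            # - is valid (iat, exp)
            # - is intended for us (aud)
            # The certs are fetched over HTTPS through Request(). A transport
            # failure surfaces as google.auth.exceptions.TransportError, which
            # is deliberately NOT mapped to InvalidTokenException: it is an
            # infrastructure error, not evidence of a bad token.
            token_info = google.oauth2.id_token.verify_oauth2_token(
                idtoken,
                google.auth.transport.requests.Request(),
                audience)
        except ValueError as e:
            raise InvalidTokenException(e) from e

        # Issuer check kept here as defense in depth (newer google-auth
        # releases appear to enforce it as well, but do not rely on that).
        # .get() so a token with no `iss` claim is reported as a bad issuer
        # instead of escaping as a KeyError.
        issuer = token_info.get("iss")
        if issuer not in ("accounts.google.com", "https://accounts.google.com"):
            raise InvalidIssuerException("Wrong issuer: '%s'" % issuer)

        if require_google_claim:
            # Expect a "full" token issued for a VM instance as documented here:
            # https://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_format
            # Only the presence of the claim is checked here; its nested
            # contents are presumably interpreted by AuthenticationInfo.
            # NOTE(review): with require_google_claim=False, any Google-issued
            # token for this audience (user or service account) passes.
            if "google" not in token_info:
                raise IncompleteTokenException("Missing extended claims in token")

        return AuthenticationInfo(token_info)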