| author | robot-piglet <[email protected]> | 2025-01-09 12:03:20 +0300 |
|---|---|---|
| committer | robot-piglet <[email protected]> | 2025-01-09 12:15:35 +0300 |
| commit | 22152213a5c128f39919ace8973c35dcd27006c9 (patch) | |
| tree | ca53d34968e2506220bce9e4f7236530981a6e98 /contrib/python | |
| parent | 5c8600386e6385fe569ed75001f660bdbce0d5ef (diff) | |
Intermediate changes
commit_hash:053fd97561e2c88a136be1814e3340831ebd8c49
Diffstat (limited to 'contrib/python')
6 files changed, 58 insertions, 13 deletions
diff --git a/contrib/python/google-auth/py3/.dist-info/METADATA b/contrib/python/google-auth/py3/.dist-info/METADATA
index 500fd7bdbca..f1724bbf73f 100644
--- a/contrib/python/google-auth/py3/.dist-info/METADATA
+++ b/contrib/python/google-auth/py3/.dist-info/METADATA
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: google-auth
-Version: 2.36.0
+Version: 2.37.0
 Summary: Google Authentication Library
 Home-page: https://github.com/googleapis/google-auth-library-python
 Author: Google Cloud Platform
@@ -33,6 +33,9 @@ Requires-Dist: requests<3.0.0.dev0,>=2.20.0; extra == "aiohttp"
 Provides-Extra: enterprise_cert
 Requires-Dist: cryptography; extra == "enterprise-cert"
 Requires-Dist: pyopenssl; extra == "enterprise-cert"
+Provides-Extra: pyjwt
+Requires-Dist: pyjwt>=2.0; extra == "pyjwt"
+Requires-Dist: cryptography>=38.0.3; extra == "pyjwt"
 Provides-Extra: pyopenssl
 Requires-Dist: pyopenssl>=20.0.0; extra == "pyopenssl"
 Requires-Dist: cryptography>=38.0.3; extra == "pyopenssl"
diff --git a/contrib/python/google-auth/py3/google/auth/version.py b/contrib/python/google-auth/py3/google/auth/version.py
index 15dc3747074..06ec7e7fb79 100644
--- a/contrib/python/google-auth/py3/google/auth/version.py
+++ b/contrib/python/google-auth/py3/google/auth/version.py
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-__version__ = "2.36.0"
+__version__ = "2.37.0"
diff --git a/contrib/python/google-auth/py3/google/oauth2/id_token.py b/contrib/python/google-auth/py3/google/oauth2/id_token.py
index e5dda508da2..b68ab6b303a 100644
--- a/contrib/python/google-auth/py3/google/oauth2/id_token.py
+++ b/contrib/python/google-auth/py3/google/oauth2/id_token.py
@@ -82,7 +82,8 @@ def _fetch_certs(request, certs_url): """Fetches certificates. Google-style cerificate endpoints return JSON in the format of - ``{'key id': 'x509 certificate'}``. + ``{'key id': 'x509 certificate'}`` or a certificate array according + to the JWK spec (see https://tools.ietf.org/html/rfc7517). Args: request (google.auth.transport.Request): The object used to make @@ -90,8 +91,8 @@ def _fetch_certs(request, certs_url): certs_url (str): The certificate endpoint URL. Returns: - Mapping[str, str]: A mapping of public key ID to x.509 certificate - data. + Mapping[str, str] | Mapping[str, list]: A mapping of public keys + in x.509 or JWK spec. """ response = request(certs_url, method="GET") @@ -120,7 +121,8 @@ def verify_token( intended for. If None then the audience is not verified. certs_url (str): The URL that specifies the certificates to use to verify the token. This URL should return JSON in the format of - ``{'key id': 'x509 certificate'}``. + ``{'key id': 'x509 certificate'}`` or a certificate array according to + the JWK spec (see https://tools.ietf.org/html/rfc7517). clock_skew_in_seconds (int): The clock skew used for `iat` and `exp` validation. 
@@ -129,12 +131,28 @@ def verify_token(
 """
 certs = _fetch_certs(request, certs_url)
- return jwt.decode(
- id_token,
- certs=certs,
- audience=audience,
- clock_skew_in_seconds=clock_skew_in_seconds,
- )
+ if "keys" in certs:
+ try:
+ import jwt as jwt_lib # type: ignore
+ except ImportError as caught_exc: # pragma: NO COVER
+ raise ImportError(
+ "The pyjwt library is not installed, please install the pyjwt package to use the jwk certs format."
+ ) from caught_exc
+ jwks_client = jwt_lib.PyJWKClient(certs_url)
+ signing_key = jwks_client.get_signing_key_from_jwt(id_token)
+ return jwt_lib.decode(
+ id_token,
+ signing_key.key,
+ algorithms=[signing_key.algorithm_name],
+ audience=audience,
+ )
+ else:
+ return jwt.decode(
+ id_token,
+ certs=certs,
+ audience=audience,
+ clock_skew_in_seconds=clock_skew_in_seconds,
+ )
 def verify_oauth2_token(id_token, request, audience=None, clock_skew_in_seconds=0):
diff --git a/contrib/python/google-auth/py3/tests/oauth2/test_id_token.py b/contrib/python/google-auth/py3/tests/oauth2/test_id_token.py
index 8657bdfb7eb..65189df128c 100644
--- a/contrib/python/google-auth/py3/tests/oauth2/test_id_token.py
+++ b/contrib/python/google-auth/py3/tests/oauth2/test_id_token.py
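Review bot: `clock_skew_in_seconds` is silently dropped on the new JWK path of `verify_token`: the `jwt_lib.decode(...)` call passes only the key, `algorithms` and `audience`, so a caller's skew tolerance stops applying as soon as the endpoint returns a `keys` array; PyJWT accepts this value as `leeway`, so add `leeway=clock_skew_in_seconds,` to that call. `jwt_lib.PyJWKClient(certs_url)` also fetches the URL a second time outside the caller-supplied `request` transport, so the verification key is not taken from the `certs` that were just fetched, and any proxy, TLS or timeout configuration on `request` does not cover that fetch; at minimum a comment such as `# NOTE: PyJWKClient re-fetches certs_url with its own HTTP client, not the request argument` belongs above that line. As far as I know PyJWT rejects a token that carries `aud` when `audience` is None, which would differ from the docstring's "If None then the audience is not verified"; this is worth confirming and, if so, passing `options={"verify_aud": audience is not None}`. `test_verify_token_jwk` in the test file's hunk asserts the decode call without any skew argument, so it pins the omission instead of catching it. The body of `verify_token` starts outside this hunk.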
@@ -79,6 +79,29 @@ def test_verify_token(_fetch_certs, decode): ) [email protected]("google.oauth2.id_token._fetch_certs", autospec=True) [email protected]("jwt.PyJWKClient", autospec=True) [email protected]("jwt.decode", autospec=True) +def test_verify_token_jwk(decode, py_jwk, _fetch_certs): + certs_url = "abc123" + data = {"keys": [{"alg": "RS256"}]} + _fetch_certs.return_value = data + result = id_token.verify_token( + mock.sentinel.token, mock.sentinel.request, certs_url=certs_url + ) + assert result == decode.return_value + py_jwk.assert_called_once_with(certs_url) + signing_key = py_jwk.return_value.get_signing_key_from_jwt + _fetch_certs.assert_called_once_with(mock.sentinel.request, certs_url) + signing_key.assert_called_once_with(mock.sentinel.token) + decode.assert_called_once_with( + mock.sentinel.token, + signing_key.return_value.key, + algorithms=[signing_key.return_value.algorithm_name], + audience=None, + ) + + @mock.patch("google.auth.jwt.decode", autospec=True) @mock.patch("google.oauth2.id_token._fetch_certs", autospec=True) def test_verify_token_args(_fetch_certs, decode): diff --git a/contrib/python/google-auth/py3/tests/ya.make b/contrib/python/google-auth/py3/tests/ya.make index 23e821bb9ae..75985e24d78 100644 --- a/contrib/python/google-auth/py3/tests/ya.make +++ b/contrib/python/google-auth/py3/tests/ya.make @@ -11,6 +11,7 @@ PEERDIR( contrib/python/freezegun contrib/python/aioresponses contrib/python/pytest-asyncio + contrib/python/PyJWT ) DATA( diff --git a/contrib/python/google-auth/py3/ya.make b/contrib/python/google-auth/py3/ya.make index a518b373651..0b08f76a8e0 100644 --- a/contrib/python/google-auth/py3/ya.make +++ b/contrib/python/google-auth/py3/ya.make @@ -2,7 +2,7 @@ PY3_LIBRARY() -VERSION(2.36.0) +VERSION(2.37.0) LICENSE(Apache-2.0) |
