Update id_token on refresh

googleapis · Nov 18, 2015 · c53636e · c53636e
1 parent ab3e535
commit c53636e
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/oauth2client/client.py b/oauth2client/client.py
@@ -883,6 +883,10 @@ def _do_refresh_request(self, http_request):
                     seconds=int(d['expires_in'])) + datetime.datetime.utcnow()
             else:
                 self.token_expiry = None
+            if 'id_token' in d:
+                self.id_token = _extract_id_token(d['id_token'])
+            else:
+                self.id_token = None
             # On temporary refresh errors, the user does not actually have to
             # re-authorize, so we unflag here.
             self.invalid = False

diff --git a/tests/test_client.py b/tests/test_client.py
@@ -886,6 +886,27 @@ def test_retrieve_scopes(self):
             self.credentials.retrieve_scopes,
             http)
 
+    def test_refresh_updates_id_token(self):
+        for status_code in REFRESH_STATUS_CODES:
+            body = {'foo': 'bar'}
+            body_json = json.dumps(body).encode('ascii')
+            payload = base64.urlsafe_b64encode(body_json).strip(b'=')
+            jwt = b'stuff.' + payload + b'.signature'
+
+            token_response = (b'{'
+                              b'  "access_token":"1/3w",'
+                              b'  "expires_in":3600,'
+                              b'  "id_token": "' + jwt + b'"'
+                              b'}')
+            http = HttpMockSequence([
+                ({'status': status_code}, b''),
+                ({'status': '200'}, token_response),
+                ({'status': '200'}, 'echo_request_headers'),
+            ])
+            http = self.credentials.authorize(http)
+            resp, content = http.request('http://example.com')
+            self.assertEqual(self.credentials.id_token, body)
+
 
 class AccessTokenCredentialsTests(unittest.TestCase):