HDFGroup / h5pyd

h5py distributed - Python client library for HDF Rest API

[WIP] Add Google OpenID Tokens #81

Closed jjaraalm closed 4 years ago

jjaraalm commented 4 years ago

Adds support for Google OpenID tokens in addition to Azure. Requires HSDS support (not implemented yet).

Usage

OpenID configuration is set either via environment variables or via the api_key argument. To use Google OpenID you would use the following:

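import h5pyd

# client_secret: path to Google's client_secret.json, or a dict with its contents
# scopes: list of access scopes; must include 'openid'
api_key = {
    'openid_provider': 'google',
    'client_secret': client_secret,
    'scopes': scopes
}

h5pyd.File('domain', api_key=api_key)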

where client_secret is either the path to a client_secret.json file provided by Google or a dict with the equivalent contents. scopes should be set to an array of access scopes that must (at a minimum) contain openid.

If openid_provider is not set on api_key, or it is set to azure, then Azure Active Directory is used to maintain backwards compatibility.

Changes
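
Added example (not part of the pull request or of h5pyd's code): one way to check an api_key dict shaped as described above before it is handed to the client, so a missing openid scope or a malformed client secret fails early. The helper name normalize_openid_config and the sample values are hypothetical; the installed/web sections are the ones found in Google's client_secret.json files.

```python
import json
from pathlib import Path

# Top-level sections used by Google client_secret.json files.
GOOGLE_CLIENT_TYPES = ("installed", "web")


def normalize_openid_config(api_key):
    """Validate an api_key dict shaped as described in the PR text.

    Hypothetical helper: returns (provider, client_section, scopes) or raises
    ValueError. It does not call h5pyd or contact any identity provider, and
    its error messages never echo the secret material.
    """
    if not isinstance(api_key, dict):
        raise ValueError("api_key must be a dict for OpenID configuration")

    # Per the description: a missing provider falls back to Azure AD.
    provider = api_key.get("openid_provider", "azure")
    if provider not in ("azure", "google"):
        raise ValueError(f"unsupported openid_provider: {provider!r}")
    if provider == "azure":
        return provider, None, None  # Azure settings are outside this sketch

    secret = api_key.get("client_secret")
    if isinstance(secret, (str, Path)):
        # A path to client_secret.json: load and inspect the contents.
        with open(secret, encoding="utf-8") as fh:
            secret = json.load(fh)
    if not isinstance(secret, dict):
        raise ValueError("client_secret must be a path or a dict")

    # Assumption: the file carries one 'installed' or 'web' section.
    section = next((secret[k] for k in GOOGLE_CLIENT_TYPES if k in secret), None)
    if not isinstance(section, dict) or not section.get("client_id"):
        raise ValueError("client_secret has no usable client section")

    scopes = api_key.get("scopes")
    if isinstance(scopes, str):
        # list("openid") would silently become single characters.
        raise ValueError("scopes must be a sequence of strings, not one string")
    scopes = list(scopes or [])
    if "openid" not in scopes:
        raise ValueError("scopes must contain 'openid'")
    return provider, section, scopes
```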

jjaraalm commented 4 years ago

@jreadey can you test on Azure to make sure there are no issues? I do not have access.

jreadey commented 4 years ago

@jjaraalm - I ran into some bugs testing with AD. I put one fix here: https://github.com/HDFGroup/h5pyd/tree/jjaraalm-google_oauth.

Another problem is that the token that gets returned by AD is not JSON serializable (it includes a timestamp object). I'll look into this.

jjaraalm commented 4 years ago

@jreadey, sure. It looks like AAD also has a 30-day trial, so I'll take a look at it tonight.

On Tue, Apr 7, 2020 at 3:13 AM John Readey notifications@github.com wrote:

@jjaraalm https://github.com/jjaraalm - I ran into some bugs testing with AD. Could you look into these? I can send you my AD config settings via email.


jreadey commented 4 years ago

@jjaraalm - ok thanks.

jjaraalm commented 4 years ago

This works for me getting/renewing Azure tokens. If you still have errors, let me know. If I get some time I might add tests, although they couldn't be automatic.

jreadey commented 4 years ago

This is working for me with AD (and the supporting HSDS update).

jreadey commented 4 years ago

@jjaraalm - can you look at the Travis failures? I'm able to do a "pip install google-auth-oauthlib" from a clean Python install, so not sure what the problem could be.

jjaraalm commented 4 years ago

Sure, I can take a look. It looks like Travis logs are down right now, at least for me. I'll check back later tonight.