Improve documentation around ID Tokens (#224)

commit: 4255b104764ff336a846eccfb2ab17d13f7bb7f0 [log] [tgz]
author: Arlan Jaska <ajaska@berkeley.edu> Thu Feb 08 15:51:26 2018 -0800
committer: Jon Wayne Parrott <jonwayne@google.com> Thu Feb 08 15:51:26 2018 -0800
tree: c6c26854b4960c6e93a3c47ac50ed186b8096760
parent: 1cd83905ea7a3447747dc8d581672d8543e26303 [diff]
diff --git a/docs/index.rst b/docs/index.rst
index 1b5f5d6..af2c804 100644
--- a/docs/index.rst
+++ b/docs/index.rst

@@ -14,6 +14,7 @@
 
 - Support for Google :func:`Application Default Credentials <google.auth.default>`.
 - Support for signing and verifying :mod:`JWTs <google.auth.jwt>`.
+- Support for verifying and decoding :mod:`ID Tokens <google.oauth2.id_token>`.
 - Support for Google :mod:`Service Account credentials <google.oauth2.service_account>`.
 - Support for :mod:`Google Compute Engine credentials <google.auth.compute_engine>`.
 - Support for :mod:`Google App Engine standard credentials <google.auth.app_engine>`.

diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
index fa96fc0..208ab62 100644
--- a/google/oauth2/id_token.py
+++ b/google/oauth2/id_token.py

@@ -12,7 +12,51 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""Google ID Token helpers."""
+"""Google ID Token helpers.
+
+Provides support for verifying `OpenID Connect ID Tokens`_, especially ones
+generated by Google infrastructure.
+
+To parse and verify an ID Token issued by Google's OAuth 2.0 authorization
+server use :func:`verify_oauth2_token`. To verify an ID Token issued by
+Firebase, use :func:`verify_firebase_token`.
+
+A general purpose ID Token verifier is available as :func:`verify_token`.
+
+Example::
+
+    from google.oauth2 import id_token
+    from google.auth.transport import requests
+
+    request = requests.Request()
+
+    id_info = id_token.verify_oauth2_token(
+        token, request, 'my-client-id.example.com')
+
+    if id_info['iss'] != 'https://accounts.google.com':
+        raise ValueError('Wrong issuer.')
+
+    userid = id_info['sub']
+
+By default, this will re-fetch certificates for each verification. Because
+Google's public keys are only changed infrequently (on the order of once per
+day), you may wish to take advantage of caching to reduce latency and the
+potential for network errors. This can be accomplished using an external
+library like `CacheControl`_ to create a cache-aware
+:class:`google.auth.transport.Request`::
+
+    import cachecontrol
+    import google.auth.transport.requests
+    import requests
+
+    session = requests.session()
+    cached_session = cachecontrol.CacheControl(session)
+    request = google.auth.transport.requests.Request(session=cached_session)
+
+.. _OpenID Connect ID Token:
+    http://openid.net/specs/openid-connect-core-1_0.html#IDToken
+.. _CacheControl: https://cachecontrol.readthedocs.io
+"""
 
 import json
commit	4255b104764ff336a846eccfb2ab17d13f7bb7f0	[log] [tgz]
author	Arlan Jaska <ajaska@berkeley.edu>	Thu Feb 08 15:51:26 2018 -0800
committer	Jon Wayne Parrott <jonwayne@google.com>	Thu Feb 08 15:51:26 2018 -0800
tree	c6c26854b4960c6e93a3c47ac50ed186b8096760
parent	1cd83905ea7a3447747dc8d581672d8543e26303 [diff]