Merge pull request #337 from danring/update_id_token_on_refresh

Avoid OAuth2Credentials id_token going out of sync after a token refresh.

oauth2client/client.py

@@ -883,6 +883,10 @@ class OAuth2Credentials(Credentials):
                     seconds=int(d['expires_in'])) + datetime.datetime.utcnow()
             else:
                 self.token_expiry = None
+            if 'id_token' in d:
+                self.id_token = _extract_id_token(d['id_token'])
+            else:
+                self.id_token = None
             # On temporary refresh errors, the user does not actually have to
             # re-authorize, so we unflag here.
             self.invalid = False

tests/test_client.py

@@ -886,6 +886,27 @@ class BasicCredentialsTests(unittest.TestCase):
             self.credentials.retrieve_scopes,
             http)
 
+    def test_refresh_updates_id_token(self):
+        for status_code in REFRESH_STATUS_CODES:
+            body = {'foo': 'bar'}
+            body_json = json.dumps(body).encode('ascii')
+            payload = base64.urlsafe_b64encode(body_json).strip(b'=')
+            jwt = b'stuff.' + payload + b'.signature'
+
+            token_response = (b'{'
+                              b'  "access_token":"1/3w",'
+                              b'  "expires_in":3600,'
+                              b'  "id_token": "' + jwt + b'"'
+                              b'}')
+            http = HttpMockSequence([
+                ({'status': status_code}, b''),
+                ({'status': '200'}, token_response),
+                ({'status': '200'}, 'echo_request_headers'),
+            ])
+            http = self.credentials.authorize(http)
+            resp, content = http.request('http://example.com')
+            self.assertEqual(self.credentials.id_token, body)
+
 
 class AccessTokenCredentialsTests(unittest.TestCase):