In fetch_id_token(), return token's expiry along with the token #865

Closed
KevinGDialpad opened this issue Sep 10, 2021 · 2 comments · Fixed by #866
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@KevinGDialpad

Hello,

I have opened a ticket with support, and it was suggested that I open a feature request here.

I’ve been trying to implement App Entity using OIDC tokens. It works, but I don't have a good way to handle token expiry.

The sending app calls fetch_id_token(). In order to avoid making that call for every outbound HTTP request, I cache the token. The question is: how long should it be cached?

I see that the library currently issues tokens that are valid for an hour, but that may not be true in future versions. So it would be great to access the expiry date along with the token.

Specifically, at

return credentials.token
a Credentials object is available, but only credentials.token is returned.

Would it be a good idea to return the full object instead, or a dictionary like

{
  'token': '...',
  'expiry': ...
}

?

I have thought of two workarounds, but neither is satisfying.

The first one would be to call verify_oauth2_token() immediately after fetch_id_token(), and get the expiry date from there. This is not great because getting a new token now takes twice as long.

The second solution would be for the recipient of the request to notify the sender that the token has expired. The sender would then bust its cache and get a new token. This is inefficient because it takes an HTTP round-trip to realize that the token has expired, so it shouldn't be the default way of handling things.

Cheers,

Kevin

@busunkim96 busunkim96 added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Sep 13, 2021
@busunkim96
Contributor

@arithmetic1728 @silvolu

@arithmetic1728 arithmetic1728 self-assigned this Sep 13, 2021
@arithmetic1728
Contributor

Will add a new function to return the credential object instead of just the token.
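
The caching question raised in this issue, as an added example that is not part of the original thread or the library's code: a sender-side cache that reads the `exp` claim from the ID token's JWT payload locally and refreshes shortly before expiry. The names `IdTokenCache`, `unverified_expiry`, `make_constructed_token` and the 300-second skew are assumptions for illustration; the token in the demo helper is constructed and unsigned.

```python
import base64
import json
import time


def unverified_expiry(id_token):
    """Read the `exp` claim (Unix seconds) from a JWT without verifying it.

    Used only to schedule the sender's cache refresh; the recipient must
    still verify signature, audience and expiry before trusting the token.
    """
    try:
        payload_b64 = id_token.split(".")[1]
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        return int(json.loads(base64.urlsafe_b64decode(padded))["exp"])
    except (IndexError, KeyError, ValueError, TypeError) as err:
        raise ValueError("not a JWT with an exp claim") from err


class IdTokenCache:
    """Caches one ID token per audience and refreshes `skew` seconds early."""

    def __init__(self, fetch, skew=300, clock=time.time):
        # fetch: callable(audience) -> token string. With google-auth this could be
        # lambda aud: google.oauth2.id_token.fetch_id_token(Request(), aud)
        self._fetch = fetch
        self._skew = skew      # assumed safety margin, in seconds
        self._clock = clock    # injectable so tests can control time
        self._entries = {}     # audience -> (token, exp)

    def get(self, audience):
        entry = self._entries.get(audience)
        if entry and self._clock() < entry[1] - self._skew:
            return entry[0]
        token = self._fetch(audience)
        self._entries[audience] = (token, unverified_expiry(token))
        return token


def make_constructed_token(exp, aud="https://example.test"):
    """Build a constructed, unsigned sample token for offline demos."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc({"aud": aud, "exp": exp}), "sig"])
```

The cache is not thread-safe as written; guard `get()` with a lock if several threads share one instance.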
