feat: Implement token revocation in STS client and add revoke() metho…#1849
Merged
nbayati merged 11 commits intogoogleapis:mainfrom Nov 11, 2025
Merged
Conversation
…d to ExternalAccountAuthorizedUser credentials * Add support for OAuth 2.0 token revocation to the STS client, aligning with the specification in RFC7009. * A new revoke_token method is introduced, which makes a POST request to a revocation endpoint. The underlying request handler has also been updated to correctly process successful but empty HTTP responses, as specified by the standard for revocation. * Building on the STS client's new capabilities, this change exposes a public revoke() method on the ExternalAccountAuthorizedUser credentials class. * This method encapsulates the logic for revoking the refresh token by calling the underlying STS client's revoke_token function. It simplifies the process for client applications, like gcloud, to revoke these specific credentials without needing to interact directly with the STS client. * Unit tests are included to verify successful revocation and to ensure appropriate errors are raised if required fields (like revoke_url) are missing.
nbayati
reviewed
Oct 31, 2025
…:kdeniz-git/google-auth-library-python into implement-token-revocation-in-sts-client
nbayati
added
the
kokoro:force-run
nbayati
previously approved these changes
Nov 5, 2025
yoshi-kokoro
removed
the
kokoro:force-run
nbayati
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
…:kdeniz-git/google-auth-library-python into implement-token-revocation-in-sts-client
kdeniz-git
dismissed stale reviews from daniel-sanche and nbayati
via
18cb99b
nbayati
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
nbayati
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
nbayati
added
the
kokoro:force-run
nbayati
approved these changes
Nov 11, 2025
yoshi-kokoro
removed
the
kokoro:force-run
daniel-sanche
approved these changes
Nov 11, 2025
| {"grant_type": "refresh_token", "refresh_token": refresh_token}, | ||
| ) | ||
|
|
||
| def revoke_token(self, request, token, token_type_hint, revoke_url): |
Contributor
There was a problem hiding this comment.
nit: It seems like token_type_hint could be optional. It might be good to mention that in the docstrings, and in the signature
vchudnov-g
added a commit
that referenced
this pull request
Dec 15, 2025
PR created by the Librarian CLI to initialize a release. Merging this PR will auto trigger a release. Librarian Version: v0.7.0 Language Image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator:latest <details><summary>google-auth: 2.44.0</summary> ## [2.44.0](v2.43.0...v2.44.0) (2025-12-12) ### Features * MDS connections use mTLS (#1856) ([0387bb9](0387bb95)) * support Python 3.14 (#1822) ([0f7097e](0f7097e7)) * add ecdsa p-384 support (#1872) ([39c381a](39c381a5)) * Add shlex to correctly parse executable commands with spaces (#1855) ([cf6fc3c](cf6fc3cc)) * Implement token revocation in STS client and add revoke() metho… (#1849) ([d563898](d5638986)) ### Bug Fixes * Add temporary patch to workload cert logic to accomodate Cloud Run mis-configuration (#1880) ([78de790](78de7907)) * Delegate workload cert and key default lookup to helper function (#1877) ([b0993c7](b0993c7e)) * Use public refresh method for source credentials in ImpersonatedCredentials (#1884) ([e0c3296](e0c3296f)) </details>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…d to ExternalAccountAuthorizedUser credentials
Add support for OAuth 2.0 token revocation to the STS client, aligning with the specification in RFC7009.
A new revoke_token method is introduced, which makes a POST request to a revocation endpoint. The underlying request handler has also been updated to correctly process successful but empty HTTP responses, as specified by the standard for revocation.
Building on the STS client's new capabilities, this change exposes a public revoke() method on the ExternalAccountAuthorizedUser credentials class.
This method encapsulates the logic for revoking the refresh token by calling the underlying STS client's revoke_token function. It simplifies the process for client applications, like gcloud, to revoke these specific credentials without needing to interact directly with the STS client.
Unit tests are included to verify successful revocation and to ensure appropriate errors are raised if required fields (like revoke_url) are missing.