iaptoolkit 0.3.0a2__tar.gz → 0.3.2__tar.gz

{iaptoolkit-0.3.0a2 → iaptoolkit-0.3.2}/PKG-INFO

@@ -1,22 +1,18 @@
 Metadata-Version: 2.1
 Name: iaptoolkit
-Version: 0.3.0a2
+Version: 0.3.2
 Summary: Library of common utils for interacting with Identity-Aware Proxies
-Home-page: https://github.com/RAVoigt/iaptoolkit
-License: MIT
 Author: Rob Voigt
 Author-email: code@ravoigt.com
 Requires-Python: >=3.11,<4.0
-Classifier: License :: OSI Approved :: MIT License
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: google-auth (>=2.29.0,<3.0.0)
-Requires-Dist: kvcommon (>=0.1.4,<0.2.0)
-Requires-Dist: pytest (>=7.4.4,<8.0.0)
+Requires-Dist: kvcommon[k8s] (>=0.2.3,<0.3.0)
 Requires-Dist: requests (>=2.31.0,<3.0.0)
 Requires-Dist: toml (>=0.10.2,<0.11.0)
-Project-URL: Repository, https://github.com/RAVoigt/iaptoolkit
 Description-Content-Type: text/markdown
 
 # IAP Toolkit
@@ -38,9 +34,9 @@ https://pypi.org/project/iaptoolkit/
 ```python
 import requests
 
-from iaptoolkit import IAPToolkit_OIDC
+from iaptoolkit import IAPToolkit
 
-iaptk_oidc = IAPToolkit_OIDC(google_iap_client_id="EXAMPLE_ID_123456789ABCDEF")
+iaptk = IAPToolkit(google_iap_client_id="EXAMPLE_ID_123456789ABCDEF")
 allowed_domains = ["example.com", ]
 
 

{iaptoolkit-0.3.0a2 → iaptoolkit-0.3.2}/README.md

@@ -17,9 +17,9 @@ https://pypi.org/project/iaptoolkit/
 ```python
 import requests
 
-from iaptoolkit import IAPToolkit_OIDC
+from iaptoolkit import IAPToolkit
 
-iaptk_oidc = IAPToolkit_OIDC(google_iap_client_id="EXAMPLE_ID_123456789ABCDEF")
+iaptk = IAPToolkit(google_iap_client_id="EXAMPLE_ID_123456789ABCDEF")
 allowed_domains = ["example.com", ]
 
 

{iaptoolkit-0.3.0a2 → iaptoolkit-0.3.2}/pyproject.toml

@@ -1,12 +1,9 @@
 [tool.poetry]
 name = "iaptoolkit"
-version = "0.3.0a2"
+version = "0.3.2"
 description = "Library of common utils for interacting with Identity-Aware Proxies"
 authors = ["Rob Voigt <code@ravoigt.com>"]
 readme = "README.md"
-license = "MIT"
-repository = "https://github.com/RAVoigt/iaptoolkit"
-homepage = "https://github.com/RAVoigt/iaptoolkit"
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]
@@ -19,7 +16,7 @@ Repository = "https://github.com/RAVoigt/iaptoolkit"
 # ================================
 # Tools etc.
 [tool.black]
-line-length = 100
+line-length = 120
 target-version = ['py311']
 include = '\.pyi?$'
 
@@ -29,9 +26,8 @@ include = '\.pyi?$'
 python = "^3.11"
 google-auth = "^2.29.0"
 requests = "^2.31.0"
-pytest = "^7.4.4"
 toml = "^0.10.2"
-kvcommon = "^0.1.4"
+kvcommon = {extras = ["k8s"], version = "^0.2.3"}
 
 [tool.poetry.dev-dependencies]
 black = "*"
@@ -43,7 +39,3 @@ pytest = "*"
 pytest-cov = "*"
 pytest-socket = "*"
 pyfakefs = "^5.3.2"
-
-# [tool.poetry.extras]
-# flask = ["flask"]
-# k8s = ["kubernetes"]

iaptoolkit-0.3.2/src/iaptoolkit/__init__.py

@@ -0,0 +1,247 @@
+from __future__ import annotations
+
+import logging
+
+logging.getLogger(__name__).addHandler(logging.NullHandler())
+
+import typing as t
+from urllib.parse import ParseResult
+from urllib.parse import urlparse
+
+from kvcommon import logger
+
+from iaptoolkit import headers
+from iaptoolkit.exceptions import ServiceAccountTokenException
+from iaptoolkit.tokens.service_account import ServiceAccount
+from iaptoolkit.tokens.structs import ResultAddTokenHeader
+
+from iaptoolkit.tokens.structs import TokenRefreshStruct
+from iaptoolkit.tokens.structs import TokenStruct
+from iaptoolkit.utils.urls import is_url_safe_for_token
+
+LOG = logger.get_logger("iaptk")
+
+
+class IAPToolkit:
+    """
+    Class to encapsulate client-specific vars and forward them to static functions
+    """
+
+    _GOOGLE_IAP_CLIENT_ID: str
+
+    def __init__(
+        self,
+        google_iap_client_id: str,
+    ) -> None:
+        self._GOOGLE_IAP_CLIENT_ID = google_iap_client_id
+
+    @staticmethod
+    def sanitize_request_headers(request_headers: dict) -> dict:
+        return headers.sanitize_request_headers(request_headers)
+
+    def get_token_oidc(self, bypass_cached: bool = False) -> TokenStruct:
+        try:
+            return ServiceAccount.get_token(iap_client_id=self._GOOGLE_IAP_CLIENT_ID, bypass_cached=bypass_cached)
+        except ServiceAccountTokenException as ex:
+            LOG.debug(ex)
+            raise
+
+    def get_token_oidc_str(self, bypass_cached: bool = False) -> str:
+        struct = self.get_token_oidc(bypass_cached=bypass_cached)
+        return struct.id_token
+
+    def get_token_oauth2(self, bypass_cached: bool = False) -> TokenRefreshStruct:
+        # TODO
+        raise NotImplementedError()
+
+    def get_token_oauth2_str(self, bypass_cached: bool = False) -> str:
+        struct = self.get_token_oauth2(bypass_cached=bypass_cached)
+        return struct.id_token
+
+    def get_token_and_add_to_headers(
+        self,
+        request_headers: dict,
+        use_oauth2: bool = False,
+        use_auth_header: bool = False,
+        bypass_cached: bool = False,
+    ) -> bool:
+        """
+        Retrieves an auth token and inserts it into the supplied request_headers dict.
+        request_headers is modified in-place
+
+        Params:
+            request_headers: dict of headers to insert into
+            use_oauth2: Use OAuth2.0 credentials and respective token, else use OIDC (default)
+                As a general guideline, OIDC is the assumed default approach for ServiceAccounts.
+            use_auth_header: If true, use the 'Authorization' header instead of 'Proxy-Authorization'
+
+        Returns:
+            True if token retrieved from cache, False if fresh from API
+
+
+        """
+        id_token = None
+        from_cache = False
+        if use_oauth2:
+            token_refresh_struct: TokenRefreshStruct = self.get_token_oauth2(bypass_cached=bypass_cached)
+            id_token = token_refresh_struct.id_token
+            from_cache = token_refresh_struct.from_cache
+        else:
+            token_struct: TokenStruct = self.get_token_oidc(bypass_cached=bypass_cached)
+            id_token = token_struct.id_token
+            from_cache = token_struct.from_cache
+
+        headers.add_token_to_request_headers(
+            request_headers=request_headers,
+            id_token=id_token,
+            use_auth_header=use_auth_header,
+        )
+
+        return from_cache
+
+    @staticmethod
+    def is_url_safe_for_token(
+        url: str | ParseResult,
+        valid_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
+    ):
+        if not isinstance(url, ParseResult):
+            url = urlparse(url)
+
+        return is_url_safe_for_token(url_parts=url, allowed_domains=valid_domains)
+
+    def check_url_and_add_token_header(
+        self,
+        url: str | ParseResult,
+        request_headers: dict,
+        valid_domains: t.List[str] | None = None,
+        use_oauth2: bool = False,
+        use_auth_header: bool = False,
+        bypass_cached: bool = False,
+    ) -> ResultAddTokenHeader:
+        """
+        Checks that the supplied URL is valid (i.e.; in valid_domains) and if so, retrieves a
+        token and adds it to request_headers.
+
+        i.e.; A convenience wrapper with logging for is_url_safe_for_token() and get_token_and_add_to_headers()
+
+        Params:
+            url: URL string or urllib.ParseResult to check for validity
+            request_headers: Dict of headers to insert into
+            valid_domains: List of domains to validate URL against
+            use_oauth2: Passed to get_token_and_add_to_headers() to determine if OAuth2.0 is used or OIDC (default)
+        """
+
+        if self.is_url_safe_for_token(url=url, valid_domains=valid_domains):
+            token_is_fresh = self.get_token_and_add_to_headers(
+                request_headers=request_headers,
+                use_oauth2=use_oauth2,
+                use_auth_header=use_auth_header,
+                bypass_cached=bypass_cached,
+            )
+            return ResultAddTokenHeader(token_added=True, token_is_fresh=token_is_fresh)
+        else:
+            LOG.warning(
+                "URL is not approved: %s - Token will not be added to headers. Valid domains are: %s",
+                url,
+                valid_domains,
+            )
+            return ResultAddTokenHeader(token_added=False, token_is_fresh=False)
+
+
+class IAPToolkit_OIDC(IAPToolkit):
+    """
+    Convenience subclass of IAPToolkit for scenarios where OIDC will always be used, never OAuth2
+    """
+
+    def get_token_oauth2(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OAuth2 methods on OIDC-only instance of IAPToolkit.")
+
+    def get_token_oauth2_str(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OAuth2 methods on OIDC-only instance of IAPToolkit.")
+
+    def get_token_and_add_to_headers(
+        self,
+        request_headers: dict,
+        use_auth_header: bool = False,
+        use_oauth2: bool = False,
+        bypass_cached: bool = False,
+    ) -> bool:
+        return super().get_token_and_add_to_headers(
+            request_headers=request_headers,
+            use_oauth2=use_oauth2,
+            use_auth_header=use_auth_header,
+            bypass_cached=bypass_cached,
+        )
+
+    def check_url_and_add_token_header(
+        self,
+        url: str | ParseResult,
+        request_headers: dict,
+        valid_domains: t.List[str] | None = None,
+        use_auth_header: bool = False,
+        bypass_cached: bool = False,
+    ) -> ResultAddTokenHeader:
+        return super().check_url_and_add_token_header(
+            url,
+            request_headers=request_headers,
+            valid_domains=valid_domains,
+            use_oauth2=False,
+            use_auth_header=use_auth_header,
+            bypass_cached=bypass_cached,
+        )
+
+
+class IAPToolkit_OAuth2(IAPToolkit):
+    """
+    Convenience subclass of IAPToolkit for scenarios where OAuth2 will always be used, never OIDC
+    """
+
+    _GOOGLE_CLIENT_ID: str
+    _GOOGLE_CLIENT_SECRET: str
+
+    def __init__(
+        self,
+        google_iap_client_id: str,
+        google_client_id: str,
+        google_client_secret: str,
+    ) -> None:
+        super().__init__(google_iap_client_id=google_iap_client_id)
+        self._GOOGLE_CLIENT_ID = google_client_id
+        self._GOOGLE_CLIENT_SECRET = google_client_secret
+
+    def get_token_oidc(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OIDC methods on OAuth2-only instance of IAPToolkit.")
+
+    def get_token_oidc_str(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OIDC methods on OAuth2-only instance of IAPToolkit.")
+
+    def get_token_and_add_to_headers(
+        self,
+        request_headers: dict,
+        use_auth_header: bool = False,
+        use_oauth2: bool = True,
+        bypass_cached: bool = False,
+    ) -> bool:
+        return super().get_token_and_add_to_headers(
+            request_headers=request_headers,
+            use_oauth2=use_oauth2,
+            use_auth_header=use_auth_header,
+            bypass_cached=bypass_cached,
+        )
+
+    def check_url_and_add_token_header(
+        self,
+        url: str | ParseResult,
+        request_headers: dict,
+        valid_domains: t.List[str] | None = None,
+        use_auth_header: bool = False,
+        bypass_cached: bool = False,
+    ) -> ResultAddTokenHeader:
+        return super().check_url_and_add_token_header(
+            url=url,
+            request_headers=request_headers,
+            valid_domains=valid_domains,
+            use_oauth2=True,
+            use_auth_header=use_auth_header,
+            bypass_cached=bypass_cached,
+        )

{iaptoolkit-0.3.0a2 → iaptoolkit-0.3.2}/src/iaptoolkit/exceptions.py

@@ -14,10 +14,6 @@ class IAPBadResponse(IAPToolkitBaseException):
     pass
 
 
-class InvalidDomain(IAPToolkitBaseException):
-    pass
-
-
 class TokenException(IAPToolkitBaseException):
     pass
 
@@ -26,13 +22,8 @@ class TokenStorageException(TokenException):
     pass
 
 
-class GoogleTokenException(TokenException):
-    """
-    Wrapper for exceptions from Google's auth lib
-    """
-    def __init__(
-        self, message: str, google_exception: t.Union[DefaultCredentialsError, RefreshError] | None
-    ):
+class ServiceAccountTokenException(TokenException):
+    def __init__(self, message: str, google_exception: t.Union[DefaultCredentialsError, RefreshError] | None):
         self.google_exception = google_exception
         credentials_env_var_value = os.environ.get(GOOGLE_CREDENTIALS_FILE_PATH)
         metadata_server_attempted = not credentials_env_var_value
@@ -49,24 +40,14 @@ class GoogleTokenException(TokenException):
     def retryable(self):
         return self.google_exception and self.google_exception._retryable
 
-# SA / OIDC
-
-class ServiceAccountTokenException(GoogleTokenException):
-    pass
-
-
-class ServiceAccountTokenFailedRefresh(ServiceAccountTokenException):
-    pass
-
 
 class ServiceAccountNoDefaultCredentials(ServiceAccountTokenException):
     pass
 
-# OAuth2 / User
 
-class OAuth2RefreshFromAuthCodeFailed(TokenException):
+class ServiceAccountTokenFailedRefresh(ServiceAccountTokenException):
     pass
 
 
-class OAuth2IDTokenFromRefreshFailed(TokenException):
+class InvalidDomain(IAPToolkitBaseException):
     pass

{iaptoolkit-0.3.0a2 → iaptoolkit-0.3.2}/src/iaptoolkit/headers.py

@@ -23,9 +23,7 @@ def _sanitize_request_header(headers_dict: dict, header_key: str):
 def sanitize_request_headers(headers: dict) -> dict:
     """
     Sanitizes a headers dict to remove sensitive strings for logging purposes.
-
-    Returns:
-        A COPY of the dict with sensitive k/v pairs replaced. Does NOT modify in-place/by-reference.
+    Returns A COPY of the dict with sensitive k/v pairs replaced. Does NOT modify in-place/by-reference.
     """
     log_safe_headers = headers.copy()
 
@@ -36,9 +34,7 @@ def sanitize_request_headers(headers: dict) -> dict:
     return log_safe_headers
 
 
-def add_token_to_request_headers(
-    request_headers: dict, id_token: str, use_auth_header: bool = False
-) -> dict:
+def add_token_to_request_headers(request_headers: dict, id_token: str, use_auth_header: bool = False) -> dict:
     """
     Adds Bearer token to headers dict. Modifies dict in-place.
     Returns True if added token is a fresh one, or False if token is from cache

iaptoolkit-0.3.2/src/iaptoolkit/tokens/__init__.py

@@ -0,0 +1,24 @@
+from kvcommon import logger
+
+from iaptoolkit.exceptions import ServiceAccountTokenException
+from iaptoolkit.exceptions import TokenStorageException
+from iaptoolkit.exceptions import TokenException
+
+from .structs import TokenStruct
+from .structs import TokenRefreshStruct
+
+# from .structs import TokenStructOAuth2  # TODO: OAuth2
+# from .oauth2 import get_token_for_oauth2  # TODO: OAuth2
+# from .service_account import ServiceAccount
+from .service_account import GoogleServiceAccount
+
+LOG = logger.get_logger("iaptk")
+
+
+__all__ = [
+    "TokenStruct",
+    "TokenRefreshStruct",
+    # "TokenStructOAuth2",  # TODO: OAuth2
+    "TokenException",
+    "TokenStorageException",
+]

iaptoolkit-0.3.2/src/iaptoolkit/tokens/service_account.py

@@ -0,0 +1,179 @@
+import datetime
+import typing as t
+
+from google.auth.compute_engine import IDTokenCredentials as GoogleIDTokenCredentials
+from google.auth.exceptions import DefaultCredentialsError as GoogleDefaultCredentialsError
+from google.auth.exceptions import RefreshError as GoogleRefreshError
+from google.auth.transport.requests import Request as GoogleRequest
+from google.oauth2 import id_token as google_id_token_lib
+
+from kvcommon import logger
+
+# TODO: Don't hardcode the association between OIDC/SA and dict-datastore
+from iaptoolkit.tokens.token_datastore import datastore
+from iaptoolkit.exceptions import ServiceAccountTokenException
+from iaptoolkit.exceptions import ServiceAccountTokenFailedRefresh
+from iaptoolkit.exceptions import ServiceAccountNoDefaultCredentials
+from iaptoolkit.exceptions import TokenException
+from iaptoolkit.exceptions import TokenStorageException
+
+from .structs import TokenStruct
+from .structs import TokenRefreshStruct
+
+
+LOG = logger.get_logger("iaptk")
+MAX_RECURSE = 3
+
+
+class ServiceAccount(object):
+    """Base class for interacting with service accounts and OIDC tokens for IAP"""
+
+    # TODO: This is a static namespace for SA functions. Turn it into a per-iap-client-id client
+    # TODO: Move Google-specific logic to GoogleServiceAccount
+
+    @staticmethod
+    def _store_token(iap_client_id: str, id_token: str, token_expiry: datetime.datetime):
+        try:
+            datastore.store_service_account_token(iap_client_id, id_token, token_expiry)
+        except Exception as ex:  # Err on the side of not letting token-caching break requests.
+            raise TokenStorageException(f"Exception when trying to store token. exception={ex}")
+
+    @staticmethod
+    def get_stored_token(iap_client_id: str) -> t.Optional[TokenStruct]:
+        try:
+            token_dict = datastore.get_stored_service_account_token(iap_client_id)
+            if not token_dict or not token_dict.get("id_token", None) or not token_dict.get("token_expiry", None):
+                LOG.debug("No stored service account token for current iap_client_id")
+                return
+
+            id_token_from_dict: str = token_dict.get("id_token", "")
+            token_expiry_from_dict: str = token_dict.get("token_expiry", "")
+
+            token_expiry = ""
+            try:
+                token_expiry = datetime.datetime.fromisoformat(token_expiry_from_dict)
+            except (ValueError, TypeError) as ex:
+                LOG.debug("Invalid token expiry for stored token - Could not parse from ISO format to datetime.")
+                return
+
+            token_struct = TokenStruct(id_token=id_token_from_dict, expiry=token_expiry, from_cache=True)
+            if not token_struct.valid:
+                LOG.debug("Stored service account token for current iap_client_id is INVALID")
+                return
+            if token_struct.expired:
+                LOG.debug("Stored service account token for current iap_client_id has EXPIRED")
+                return
+
+            return token_struct
+
+        except Exception as ex:
+            # Err on the side of not letting token-caching break requests, hence blanket except
+            raise TokenStorageException(f"Exception when trying to retrieve stored token. exception={ex}")
+
+    @staticmethod
+    def _get_fresh_credentials(iap_client_id: str) -> GoogleIDTokenCredentials:
+
+        try:
+            request = GoogleRequest()
+            credentials: GoogleIDTokenCredentials = google_id_token_lib.fetch_id_token_credentials(
+                iap_client_id, request
+            )  # type: ignore
+            credentials.refresh(request)
+
+        except GoogleDefaultCredentialsError as ex:
+            # The exceptions that google's libs raise in this case are somewhat vague; wrap them.
+            raise ServiceAccountNoDefaultCredentials(
+                message="Failed to get ServiceAccount token: Lacking default credentials.",
+                google_exception=ex,
+            )
+        except GoogleRefreshError as ex:
+            # Likely attempting to get a token for a service account in an environment that
+            # doesn't have one attached.
+            raise ServiceAccountTokenFailedRefresh(
+                message="Failed to get ServiceAccount token: Refreshing token failed.",
+                google_exception=ex,
+            )
+        return credentials
+
+    @staticmethod
+    def _get_fresh_token(iap_client_id: str) -> TokenStruct:
+        google_credentials = ServiceAccount._get_fresh_credentials(iap_client_id)
+        id_token: str = str(google_credentials.token)
+        if not id_token:
+            raise TokenException("Invalid [empty] token retrieved for Service Account.")
+
+        # Google lib uses deprecated 'utcfromtimestamp' func as of v2.29.x
+        # e.g.: datetime.datetime.utcfromtimestamp(payload["exp"])
+        # This creates a TZ-naive datetime in UTC from a POSIX timestamp.
+        # Python datetimes assume local TZ, and we want to explicitly only work in UTC here.
+        token_expiry = google_credentials.expiry.replace(tzinfo=datetime.timezone.utc)
+
+        return TokenStruct(id_token=id_token, expiry=token_expiry, from_cache=False)
+
+    @staticmethod
+    def get_token(iap_client_id: str, bypass_cached: bool = False, attempts: int = 0) -> TokenStruct:
+        """Retrieves an OIDC token for the current environment either from environment variable or from
+        metadata service.
+
+        1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
+        to the path of a valid service account JSON file, then ID token is
+        acquired using this service account credentials.
+        2. If the application is running in Compute Engine, App Engine or Cloud Run,
+        then the ID token is obtained from the metadata server.
+
+        Args:
+            iap_client_id: The client ID used by IAP. Can be thought of as JWT audience.
+
+        Returns:
+            An OIDC token for use in connecting through IAP.
+
+        Raises:
+            :class:`ServiceAccountTokenException` if a token could not be retrieved due to either
+            missing credentials from env-var/JSON or inability to talk to metadata server.
+        """
+
+        use_cache = not bypass_cached
+
+        try:
+            token_struct: TokenStruct | None = None
+
+            if use_cache:
+                token_struct = ServiceAccount.get_stored_token(iap_client_id)
+
+            if not token_struct:
+                token_struct = ServiceAccount._get_fresh_token(iap_client_id)
+                if use_cache:
+                    ServiceAccount._store_token(iap_client_id, token_struct.id_token, token_struct.expiry)
+
+            return token_struct
+
+        except ServiceAccountTokenException as ex:
+            attempts += 1
+            if attempts > MAX_RECURSE or not ex.retryable:
+                raise
+            return ServiceAccount.get_token(iap_client_id, bypass_cached=False, attempts=attempts)
+
+        except TokenStorageException as ex:
+            if attempts > 1:
+                raise
+            attempts += 1
+            # Try again without involving the cache
+            return ServiceAccount.get_token(iap_client_id, bypass_cached=True, attempts=attempts)
+
+
+class GoogleServiceAccount(ServiceAccount):
+    """For interacting with Google service accounts and OIDC tokens for Google IAP"""
+
+    def __init__(self, iap_client_id: str) -> None:
+        if not iap_client_id or not isinstance(iap_client_id, str):
+            raise ServiceAccountTokenException("Invalid iap_client_id for GoogleServiceAccount", google_exception=None)
+        self._iap_client_id = iap_client_id
+        super().__init__()
+
+    def get_stored_token(self) -> t.Optional[TokenStruct]:
+        return ServiceAccount.get_stored_token(self._iap_client_id)
+
+    def get_token(self, bypass_cached: bool = False, attempts: int = 0) -> TokenStruct:
+        return ServiceAccount.get_token(
+            iap_client_id=self._iap_client_id, bypass_cached=bypass_cached, attempts=attempts
+        )

{iaptoolkit-0.3.0a2 → iaptoolkit-0.3.2}/src/iaptoolkit/tokens/structs.py

@@ -8,11 +8,18 @@ from kvcommon import logger
 LOG = logger.get_logger("iaptk")
 
 
+def validate_token(token: str | None) -> bool:
+    if not isinstance(token, str) or token.strip() == "":
+        return False
+
+    return True
+
+
 @dataclass(kw_only=True)
 class TokenStruct:
     id_token: str
     expiry: datetime.datetime
-    token_is_new: bool = True
+    from_cache: bool = False
 
     @property
     def expired(self):
@@ -31,22 +38,31 @@ class TokenStruct:
             LOG.error("Exception when checking token expiry. exception=%s", ex)
             return True
 
+    @property
+    def valid(self):
+        return validate_token(self.id_token)
+
 
 @dataclass(kw_only=True)
 class TokenRefreshStruct:
-    """
-    """
     id_token: str
-    token_is_new: bool = True
+    from_cache: bool = False
 
+    @property
+    def valid(self):
+        return validate_token(self.id_token)
 
 @dataclass(kw_only=True)
-class TokenStructOAuth2:
+class TokenStructOAuth2(TokenStruct):
     refresh_token: str
-    token_is_new: bool = False
+    from_cache: bool = False
+
+    @property
+    def valid(self):
+        return validate_token(self.refresh_token)
 
 
 @dataclass(kw_only=True)
 class ResultAddTokenHeader:
     token_added: bool
-    token_is_new: bool
+    token_is_fresh: bool