Skip to content

Commit

Permalink
Use an OAuth 2.0 access token for Domain-Wide Delegation
Browse files Browse the repository at this point in the history
  • Loading branch information
sethvargo committed Feb 2, 2024
1 parent 39c96a3 commit 081560d
Show file tree
Hide file tree
Showing 3 changed files with 8 additions and 5 deletions.
2 changes: 1 addition & 1 deletion dist/main/index.js

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions src/client/workload_identity_federation.ts
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
const logger = this._logger.withNamespace(`getToken`);

const now = new Date().getTime();
if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt > 60_000) {
if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt < 30_000) {
logger.debug(`Using cached token`, {
now: now,
cachedAt: this.#cachedAt,
Expand Down Expand Up @@ -141,7 +141,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
const pth = `${this._endpoints.iamcredentials}/projects/-/serviceAccounts/${this.#serviceAccount}:signJwt`;

const headers = {
Authorization: `Bearer ${this.getToken()}`,
Authorization: `Bearer ${await this.getToken()}`,
};

const body = {
Expand Down
7 changes: 5 additions & 2 deletions src/main.ts
Original file line number Diff line number Diff line change
Expand Up @@ -253,11 +253,14 @@ export async function run(logger: Logger) {
);
}

let accessToken: string;

// If a subject was provided, use the traditional OAuth 2.0 flow to
// perform Domain-Wide Delegation. Otherwise, use the modern IAM
// Credentials endpoints.
let accessToken;
if (accessTokenSubject) {
logger.debug(`Using Domain-Wide Delegation flow`);

if (accessTokenLifetime > 3600) {
logger.info(
`An access token subject was specified, triggering Domain-Wide ` +
Expand All @@ -273,10 +276,10 @@ export async function run(logger: Logger) {
accessTokenLifetime,
);
const signedJWT = await client.signJWT(unsignedJWT);

accessToken =
await iamCredentialsClient.generateDomainWideDelegationAccessToken(signedJWT);
} else {
logger.debug(`Using normal access token flow`);
accessToken = await iamCredentialsClient.generateAccessToken({
serviceAccount,
delegates,
Expand Down

0 comments on commit 081560d

Please sign in to comment.