Skip to content

Commit

Permalink
Use an OAuth 2.0 access token for Domain-Wide Delegation (#388)
Browse files Browse the repository at this point in the history
Fixes #387
  • Loading branch information
sethvargo authored Feb 5, 2024
1 parent 39c96a3 commit b4f4057
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 10 deletions.
6 changes: 3 additions & 3 deletions dist/main/index.js

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions src/client/iamcredentials.ts
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ export class IAMCredentialsClient extends Client {
method: `POST`,
path: pth,
headers: headers,
body: body,
body: body.toString(),
});

try {
Expand All @@ -149,8 +149,8 @@ export class IAMCredentialsClient extends Client {
if (statusCode < 200 || statusCode > 299) {
throw new Error(`Failed to call ${pth}: HTTP ${statusCode}: ${respBody || '[no body]'}`);
}
const parsed = JSON.parse(respBody) as { accessToken: string };
return parsed.accessToken;
const parsed = JSON.parse(respBody) as { access_token: string };
return parsed.access_token;
} catch (err) {
const msg = errorMessage(err);
throw new Error(
Expand Down
4 changes: 2 additions & 2 deletions src/client/workload_identity_federation.ts
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
const logger = this._logger.withNamespace(`getToken`);

const now = new Date().getTime();
if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt > 60_000) {
if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt < 30_000) {
logger.debug(`Using cached token`, {
now: now,
cachedAt: this.#cachedAt,
Expand Down Expand Up @@ -141,7 +141,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
const pth = `${this._endpoints.iamcredentials}/projects/-/serviceAccounts/${this.#serviceAccount}:signJwt`;

const headers = {
Authorization: `Bearer ${this.getToken()}`,
Authorization: `Bearer ${await this.getToken()}`,
};

const body = {
Expand Down
7 changes: 5 additions & 2 deletions src/main.ts
Original file line number Diff line number Diff line change
Expand Up @@ -253,11 +253,14 @@ export async function run(logger: Logger) {
);
}

let accessToken: string;

// If a subject was provided, use the traditional OAuth 2.0 flow to
// perform Domain-Wide Delegation. Otherwise, use the modern IAM
// Credentials endpoints.
let accessToken;
if (accessTokenSubject) {
logger.debug(`Using Domain-Wide Delegation flow`);

if (accessTokenLifetime > 3600) {
logger.info(
`An access token subject was specified, triggering Domain-Wide ` +
Expand All @@ -273,10 +276,10 @@ export async function run(logger: Logger) {
accessTokenLifetime,
);
const signedJWT = await client.signJWT(unsignedJWT);

accessToken =
await iamCredentialsClient.generateDomainWideDelegationAccessToken(signedJWT);
} else {
logger.debug(`Using normal access token flow`);
accessToken = await iamCredentialsClient.generateAccessToken({
serviceAccount,
delegates,
Expand Down

0 comments on commit b4f4057

Please sign in to comment.