google: Add support for CredentialsParams, Client ID json, and JWT Subject
*Add support for Google Developers Console client_credentials.json as a TokenSource.
*Add support for JWT Subject (for domain-wide delegation when using service account as credentials source.)
*Add support for non-default AuthURL and TokenURL for authorized user credentials source.
To support this change, two new exported functions FindDefaultCredentialsWithParams and CredentialsFromJSONWithParams are introduced.
Change-Id: Ib467822e2c14e02f8ae68586665c439960cfbd5c
GitHub-Last-Rev: eb92ab4a212ad9ca72837d6e89e3c5f7e106a51c
GitHub-Pull-Request: golang/oauth2#490
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/311589
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Shin Fan <shinfan@google.com>
Trust: Cody Oss <codyoss@google.com>
diff --git a/google/default.go b/google/default.go
index ae39131..880dd7b 100644
--- a/google/default.go
+++ b/google/default.go
@@ -16,6 +16,7 @@
"cloud.google.com/go/compute/metadata"
"golang.org/x/oauth2"
+ "golang.org/x/oauth2/authhandler"
)
// Credentials holds Google credentials, including "Application Default Credentials".
@@ -41,6 +42,32 @@
// Deprecated: use Credentials instead.
type DefaultCredentials = Credentials
+// CredentialsParams holds user supplied parameters that are used together
+// with a credentials file for building a Credentials object.
+type CredentialsParams struct {
+ // Scopes is the list OAuth scopes. Required.
+ // Example: https://www.googleapis.com/auth/cloud-platform
+ Scopes []string
+
+ // Subject is the user email used for domain wide delegation (see
+ // https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).
+ // Optional.
+ Subject string
+
+ // AuthHandler is the AuthorizationHandler used for 3-legged OAuth flow. Optional.
+ AuthHandler authhandler.AuthorizationHandler
+
+ // State is a unique string used with AuthHandler. Optional.
+ State string
+}
+
+func (params CredentialsParams) deepCopy() CredentialsParams {
+ paramsCopy := params
+ paramsCopy.Scopes = make([]string, len(params.Scopes))
+ copy(paramsCopy.Scopes, params.Scopes)
+ return paramsCopy
+}
+
// DefaultClient returns an HTTP Client that uses the
// DefaultTokenSource to obtain authentication credentials.
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
@@ -62,7 +89,7 @@
return creds.TokenSource, nil
}
-// FindDefaultCredentials searches for "Application Default Credentials".
+// FindDefaultCredentialsWithParams searches for "Application Default Credentials".
//
// It looks for credentials in the following places,
// preferring the first location found:
@@ -81,11 +108,14 @@
// 4. On Google Compute Engine, Google App Engine standard second generation runtimes
// (>= Go 1.11), and Google App Engine flexible environment, it fetches
// credentials from the metadata server.
-func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) {
+func FindDefaultCredentialsWithParams(ctx context.Context, params CredentialsParams) (*Credentials, error) {
+ // Make defensive copy of the slices in params.
+ params = params.deepCopy()
+
// First, try the environment variable.
const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
if filename := os.Getenv(envVar); filename != "" {
- creds, err := readCredentialsFile(ctx, filename, scopes)
+ creds, err := readCredentialsFile(ctx, filename, params)
if err != nil {
return nil, fmt.Errorf("google: error getting credentials using %v environment variable: %v", envVar, err)
}
@@ -94,7 +124,7 @@
// Second, try a well-known file.
filename := wellKnownFile()
- if creds, err := readCredentialsFile(ctx, filename, scopes); err == nil {
+ if creds, err := readCredentialsFile(ctx, filename, params); err == nil {
return creds, nil
} else if !os.IsNotExist(err) {
return nil, fmt.Errorf("google: error getting credentials using well-known file (%v): %v", filename, err)
@@ -106,7 +136,7 @@
if appengineTokenFunc != nil {
return &DefaultCredentials{
ProjectID: appengineAppIDFunc(ctx),
- TokenSource: AppEngineTokenSource(ctx, scopes...),
+ TokenSource: AppEngineTokenSource(ctx, params.Scopes...),
}, nil
}
@@ -116,7 +146,7 @@
id, _ := metadata.ProjectID()
return &DefaultCredentials{
ProjectID: id,
- TokenSource: ComputeTokenSource("", scopes...),
+ TokenSource: ComputeTokenSource("", params.Scopes...),
}, nil
}
@@ -125,18 +155,38 @@
return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url)
}
-// CredentialsFromJSON obtains Google credentials from a JSON value. The JSON can
-// represent either a Google Developers Console client_credentials.json file (as in
-// ConfigFromJSON), a Google Developers service account key file (as in
-// JWTConfigFromJSON) or the JSON configuration file for workload identity federation
-// in non-Google cloud platforms (see
-// https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).
-func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
+// FindDefaultCredentials invokes FindDefaultCredentialsWithParams with the specified scopes.
+func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) {
+ var params CredentialsParams
+ params.Scopes = scopes
+ return FindDefaultCredentialsWithParams(ctx, params)
+}
+
+// CredentialsFromJSONWithParams obtains Google credentials from a JSON value. The JSON can
+// represent either a Google Developers Console client_credentials.json file (as in ConfigFromJSON),
+// a Google Developers service account key file, a gcloud user credentials file (a.k.a. refresh
+// token JSON), or the JSON configuration file for workload identity federation in non-Google cloud
+// platforms (see https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).
+func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params CredentialsParams) (*Credentials, error) {
+ // Make defensive copy of the slices in params.
+ params = params.deepCopy()
+
+ // First, attempt to parse jsonData as a Google Developers Console client_credentials.json.
+ config, _ := ConfigFromJSON(jsonData, params.Scopes...)
+ if config != nil {
+ return &Credentials{
+ ProjectID: "",
+ TokenSource: authhandler.TokenSource(ctx, config, params.State, params.AuthHandler),
+ JSON: jsonData,
+ }, nil
+ }
+
+ // Otherwise, parse jsonData as one of the other supported credentials files.
var f credentialsFile
if err := json.Unmarshal(jsonData, &f); err != nil {
return nil, err
}
- ts, err := f.tokenSource(ctx, append([]string(nil), scopes...))
+ ts, err := f.tokenSource(ctx, params)
if err != nil {
return nil, err
}
@@ -147,6 +197,13 @@
}, nil
}
+// CredentialsFromJSON invokes CredentialsFromJSONWithParams with the specified scopes.
+func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
+ var params CredentialsParams
+ params.Scopes = scopes
+ return CredentialsFromJSONWithParams(ctx, jsonData, params)
+}
+
func wellKnownFile() string {
const f = "application_default_credentials.json"
if runtime.GOOS == "windows" {
@@ -155,10 +212,10 @@
return filepath.Join(guessUnixHomeDir(), ".config", "gcloud", f)
}
-func readCredentialsFile(ctx context.Context, filename string, scopes []string) (*DefaultCredentials, error) {
+func readCredentialsFile(ctx context.Context, filename string, params CredentialsParams) (*DefaultCredentials, error) {
b, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
- return CredentialsFromJSON(ctx, b, scopes...)
+ return CredentialsFromJSONWithParams(ctx, b, params)
}
diff --git a/google/google.go b/google/google.go
index 2c8f1bd..2b631f5 100644
--- a/google/google.go
+++ b/google/google.go
@@ -19,7 +19,7 @@
"golang.org/x/oauth2/jwt"
)
-// Endpoint is Google's OAuth 2.0 endpoint.
+// Endpoint is Google's OAuth 2.0 default endpoint.
var Endpoint = oauth2.Endpoint{
AuthURL: "https://accounts.google.com/o/oauth2/auth",
TokenURL: "https://oauth2.googleapis.com/token",
@@ -87,7 +87,7 @@
return nil, fmt.Errorf("google: read JWT from JSON credentials: 'type' field is %q (expected %q)", f.Type, serviceAccountKey)
}
scope = append([]string(nil), scope...) // copy
- return f.jwtConfig(scope), nil
+ return f.jwtConfig(scope, ""), nil
}
// JSON key file types.
@@ -99,12 +99,13 @@
// credentialsFile is the unmarshalled representation of a credentials file.
type credentialsFile struct {
- Type string `json:"type"` // serviceAccountKey or userCredentialsKey
+ Type string `json:"type"`
// Service Account fields
ClientEmail string `json:"client_email"`
PrivateKeyID string `json:"private_key_id"`
PrivateKey string `json:"private_key"`
+ AuthURL string `json:"auth_uri"`
TokenURL string `json:"token_uri"`
ProjectID string `json:"project_id"`
@@ -124,13 +125,14 @@
QuotaProjectID string `json:"quota_project_id"`
}
-func (f *credentialsFile) jwtConfig(scopes []string) *jwt.Config {
+func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config {
cfg := &jwt.Config{
Email: f.ClientEmail,
PrivateKey: []byte(f.PrivateKey),
PrivateKeyID: f.PrivateKeyID,
Scopes: scopes,
TokenURL: f.TokenURL,
+ Subject: subject, // This is the user email to impersonate
}
if cfg.TokenURL == "" {
cfg.TokenURL = JWTTokenURL
@@ -138,17 +140,27 @@
return cfg
}
-func (f *credentialsFile) tokenSource(ctx context.Context, scopes []string) (oauth2.TokenSource, error) {
+func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsParams) (oauth2.TokenSource, error) {
switch f.Type {
case serviceAccountKey:
- cfg := f.jwtConfig(scopes)
+ cfg := f.jwtConfig(params.Scopes, params.Subject)
return cfg.TokenSource(ctx), nil
case userCredentialsKey:
cfg := &oauth2.Config{
ClientID: f.ClientID,
ClientSecret: f.ClientSecret,
- Scopes: scopes,
- Endpoint: Endpoint,
+ Scopes: params.Scopes,
+ Endpoint: oauth2.Endpoint{
+ AuthURL: f.AuthURL,
+ TokenURL: f.TokenURL,
+ AuthStyle: oauth2.AuthStyleInParams,
+ },
+ }
+ if cfg.Endpoint.AuthURL == "" {
+ cfg.Endpoint.AuthURL = Endpoint.AuthURL
+ }
+ if cfg.Endpoint.TokenURL == "" {
+ cfg.Endpoint.TokenURL = Endpoint.TokenURL
}
tok := &oauth2.Token{RefreshToken: f.RefreshToken}
return cfg.TokenSource(ctx, tok), nil
@@ -163,7 +175,7 @@
ClientID: f.ClientID,
CredentialSource: f.CredentialSource,
QuotaProjectID: f.QuotaProjectID,
- Scopes: scopes,
+ Scopes: params.Scopes,
}
return cfg.TokenSource(ctx), nil
case "":