From 33bfe7a788a524324cd9b0a54acc8917f6b75556 Mon Sep 17 00:00:00 2001
From: Timur Sadykov
Date: Tue, 18 Jan 2022 13:36:29 -0800
Subject: [PATCH] feat: setting the audience to always point to google token endpoint (#833)

* feat: setting the audience to always point to google token endpoint
---
 .gitignore | 6 +++-
 .../oauth2/ServiceAccountCredentials.java | 13 +++----
 .../oauth2/ServiceAccountCredentialsTest.java | 36 ++-----------------
 3 files changed, 12 insertions(+), 43 deletions(-)

diff --git a/.gitignore b/.gitignore
index fe226042f..75c0e0cc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,10 +5,14 @@ target/
 .classpath
 .project
 .settings
+.factorypath

 # Intellij
 *.iml
 .idea/

 # VS Code
-.vscode/
\ No newline at end of file
+.vscode/
+
+# MacOS
+.DS_Store
\ No newline at end of file
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index 201fdf593..1588c1613 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -567,7 +567,7 @@ public boolean createScopedRequired() {
 public AccessToken refreshAccessToken() throws IOException {
 JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
 long currentTime = clock.currentTimeMillis();
- String assertion = createAssertion(jsonFactory, currentTime, tokenServerUri.toString());
+ String assertion = createAssertion(jsonFactory, currentTime);

 GenericData tokenRequest = new GenericData();
 tokenRequest.set("grant_type", GRANT_TYPE);
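Review bot: The assertion signed here no longer has its `aud` claim tied to `tokenServerUri`, because the removed argument was the only thing passing that URI into createAssertion; with the rest of this commit the claim is always Google's token endpoint, while the token request is presumably still posted to `tokenServerUri` (the POST itself is outside this hunk). RFC 7523 expects `aud` to identify the authorization server that receives the assertion, and that binding is what made an assertion built for a non-default `token_uri` (for example one substituted into a tampered key file) worthless at the real Google endpoint; after this change such an assertion is redeemable there for its whole lifetime. If the fixed audience is intended, at least document the coupling at the call, e.g. `// aud is pinned to OAuth2Utils.TOKEN_SERVER_URI regardless of tokenServerUri; a custom token URI must be a Google token endpoint`, and consider failing fast when `tokenServerUri` has a different host. refreshAccessToken continues past the end of the hunk.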
@@ -882,8 +882,7 @@ public boolean equals(Object obj) {
 && Objects.equals(this.useJwtAccessWithScope, other.useJwtAccessWithScope);
 }

- String createAssertion(JsonFactory jsonFactory, long currentTime, String audience)
- throws IOException {
+ String createAssertion(JsonFactory jsonFactory, long currentTime) throws IOException {
 JsonWebSignature.Header header = new JsonWebSignature.Header();
 header.setAlgorithm("RS256");
 header.setType("JWT");
@@ -900,13 +899,9 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
 payload.put("scope", Joiner.on(' ').join(scopes));
 }

- if (audience == null) {
- payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString());
- } else {
- payload.setAudience(audience);
- }
-
+ payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString());
 String assertion;
+
 try {
 assertion = JsonWebSignature.signUsingRsaSha256(privateKey, jsonFactory, header, payload);
 } catch (GeneralSecurityException e) {
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 476bfbd5a..b25157a23 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -242,7 +242,7 @@ void createAssertion_correct() throws IOException {

 JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
 long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
- String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis, null);
+ String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis);

 JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
 JsonWebToken.Payload payload = signature.getPayload();
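Review bot: The unconditional `payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString())` in the -900 hunk replaces a caller-chosen audience with a hard-coded one and carries no comment saying why, and `aud` is the one claim of a JWT bearer assertion a security reviewer will want justified at the point it is set. Add a why-comment above it that states the actual motivation rather than just the intent the commit message gives, e.g. `// aud is always the Google token endpoint, independent of tokenServerUri (#833)`. The deleted `createAssertion_withTokenUri_correct` was the only test that checked `aud` against a non-default value, so a replacement that builds credentials with a non-default token server URI and asserts `payload.getAudience()` equals `OAuth2Utils.TOKEN_SERVER_URI.toString()` would pin the new contract instead of leaving it untested. createAssertion starts in the -882 hunk and its body continues past the end of the -900 hunk.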
@@ -272,7 +272,7 @@ void createAssertion_defaultScopes_correct() throws IOException {

 JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
 long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
- String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis, null);
+ String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis);

 JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
 JsonWebToken.Payload payload = signature.getPayload();
@@ -290,7 +290,7 @@ void createAssertion_custom_lifetime() throws IOException {

 JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
 long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
- String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis, null);
+ String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis);

 JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
 JsonWebToken.Payload payload = signature.getPayload();
@@ -372,36 +372,6 @@ void createAssertionForIdToken_incorrect() throws IOException {
 assertEquals(USER, payload.getSubject());
 }

- @Test
- void createAssertion_withTokenUri_correct() throws IOException {
- PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
- List scopes = Arrays.asList("scope1", "scope2");
- ServiceAccountCredentials credentials =
- ServiceAccountCredentials.newBuilder()
- .setClientId(CLIENT_ID)
- .setClientEmail(CLIENT_EMAIL)
- .setPrivateKey(privateKey)
- .setPrivateKeyId(PRIVATE_KEY_ID)
- .setScopes(scopes)
- .setServiceAccountUser(USER)
- .setProjectId(PROJECT_ID)
- .build();
-
- JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
- long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
- String assertion =
- credentials.createAssertion(jsonFactory, currentTimeMillis, "https://foo.com/bar");
-
- JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
- JsonWebToken.Payload payload = signature.getPayload();
- assertEquals(CLIENT_EMAIL, payload.getIssuer());
- assertEquals("https://foo.com/bar", payload.getAudience());
- assertEquals(currentTimeMillis / 1000, (long) payload.getIssuedAtTimeSeconds());
- assertEquals(currentTimeMillis / 1000 + 3600, (long) payload.getExpirationTimeSeconds());
- assertEquals(USER, payload.getSubject());
- assertEquals(String.join(" ", scopes), payload.get("scope"));
- }
-
 @Test
 void createdScoped_enablesAccessTokens() throws IOException {
 MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();