Example 1 with SignJwtRequest

use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project workbench by all-of-us.

the class DelegatedUserCredentials method refreshAccessToken.

@Override
public AccessToken refreshAccessToken() throws IOException {
    // The first step is to call the IamCredentials API to generate a signed JWT with the
    // appropriate claims. This call is authorized with application default credentials (ADCs). The
    // ADC service account may be different from `serviceAccountEmail` if the ADC account has the
    // roles/iam.serviceAccountTokenCreator role on the `serviceAccountEmail` account.
    SignJwtRequest jwtRequest =
        SignJwtRequest.newBuilder()
            .setName(String.format(SERVICE_ACCOUNT_NAME_FORMAT, serviceAccountEmail))
            .setPayload(JSON_FACTORY.toString(createJwtPayload()))
            .build();
    String jwt = credentialsClient.signJwt(jwtRequest).getSignedJwt();
    // With the signed JWT in hand, we call Google's OAuth2 token server to exchange the JWT for
    // an access token.
    TokenRequest tokenRequest =
        new TokenRequest(
            httpTransport,
            JSON_FACTORY,
            new GenericUrl(GoogleOAuthConstants.TOKEN_SERVER_URL),
            JWT_BEARER_GRANT_TYPE);
    tokenRequest.put("assertion", jwt);
    TokenResponse tokenResponse = tokenRequest.execute();
    return new AccessToken(
        tokenResponse.getAccessToken(),
        Date.from(Instant.now(clock).plusSeconds(tokenResponse.getExpiresInSeconds())));
}
Also used : TokenResponse(com.google.api.client.auth.oauth2.TokenResponse) AccessToken(com.google.auth.oauth2.AccessToken) TokenRequest(com.google.api.client.auth.oauth2.TokenRequest) SignJwtRequest(com.google.cloud.iam.credentials.v1.SignJwtRequest) GenericUrl(com.google.api.client.http.GenericUrl)
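The flow above is the domain-wide-delegation variant of the JWT-bearer grant: the caller's application default credentials never hold the service account's private key; IAM Credentials signs on its behalf, and the token endpoint hands back a token scoped to the user named in the assertion. The following is an added end-to-end example written for this page, not the all-of-us project's DelegatedUserCredentials class. The constants SERVICE_ACCOUNT_NAME_FORMAT and JWT_BEARER_GRANT_TYPE, the claims set in buildDelegationPayload (the page does not show the project's createJwtPayload), the helper names and the email addresses and scope are assumptions. It bounds the assertion lifetime to the one hour that Google's token endpoint accepts and refuses an empty scope list, since the token would otherwise be minted with whatever scopes the endpoint defaults to.

```java
import com.google.api.client.auth.oauth2.TokenRequest;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.googleapis.auth.oauth2.GoogleOAuthConstants;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.auth.oauth2.AccessToken;
import com.google.cloud.iam.credentials.v1.IamCredentialsClient;
import com.google.cloud.iam.credentials.v1.SignJwtRequest;
import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.List;

/** Added example: mint a delegated-user access token via IAM Credentials signJwt + JWT-bearer. */
public final class DelegatedTokenExample {
  // Assumed constants (the page does not show the project's values). "-" as the project lets the
  // API resolve the project from the service account email.
  private static final String SERVICE_ACCOUNT_NAME_FORMAT = "projects/-/serviceAccounts/%s";
  private static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
  private static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
  // Google's token endpoint rejects assertions whose exp is more than one hour after iat.
  private static final Duration MAX_LIFETIME = Duration.ofHours(1);

  /**
   * Delegation claims: the service account (iss) asserts it acts as userEmail (sub) for exactly the
   * listed scopes. aud is pinned to the token endpoint so the assertion is useless elsewhere.
   */
  static JsonWebToken.Payload buildDelegationPayload(
      String serviceAccountEmail, String userEmail, List<String> scopes, Clock clock, Duration lifetime) {
    if (lifetime.isNegative() || lifetime.isZero() || lifetime.compareTo(MAX_LIFETIME) > 0) {
      throw new IllegalArgumentException("JWT lifetime must be in (0, 1h], got " + lifetime);
    }
    if (scopes.isEmpty()) {
      throw new IllegalArgumentException("at least one OAuth scope is required");
    }
    long iat = Instant.now(clock).getEpochSecond();
    JsonWebToken.Payload payload = new JsonWebToken.Payload();
    payload.setIssuer(serviceAccountEmail);
    payload.setSubject(userEmail);
    payload.setAudience(GoogleOAuthConstants.TOKEN_SERVER_URL);
    payload.setIssuedAtTimeSeconds(iat);
    payload.setExpirationTimeSeconds(iat + lifetime.getSeconds());
    payload.set("scope", String.join(" ", scopes));
    return payload;
  }

  /** Step 1: IAM Credentials signs the payload with the service account's Google-managed key. */
  static String signWithIamCredentials(
      IamCredentialsClient client, String serviceAccountEmail, JsonWebToken.Payload payload)
      throws IOException {
    SignJwtRequest request =
        SignJwtRequest.newBuilder()
            .setName(String.format(SERVICE_ACCOUNT_NAME_FORMAT, serviceAccountEmail))
            // No delegates: the ADC identity must hold roles/iam.serviceAccountTokenCreator
            // directly on serviceAccountEmail.
            .setPayload(JSON_FACTORY.toString(payload))
            .build();
    return client.signJwt(request).getSignedJwt();
  }

  /** Step 2: exchange the assertion; the result is a bearer token acting as the sub user. */
  static AccessToken exchangeForAccessToken(HttpTransport transport, String signedJwt, Clock clock)
      throws IOException {
    TokenRequest tokenRequest =
        new TokenRequest(
            transport,
            JSON_FACTORY,
            new GenericUrl(GoogleOAuthConstants.TOKEN_SERVER_URL),
            JWT_BEARER_GRANT_TYPE);
    tokenRequest.put("assertion", signedJwt);
    TokenResponse response = tokenRequest.execute();
    Long expiresIn = response.getExpiresInSeconds();
    if (response.getAccessToken() == null || expiresIn == null || expiresIn <= 0) {
      throw new IOException("token endpoint returned no usable access token");
    }
    return new AccessToken(
        response.getAccessToken(), Date.from(Instant.now(clock).plusSeconds(expiresIn)));
  }

  public static void main(String[] args) throws Exception {
    // Assumed identifiers; requires ADC with serviceAccountTokenCreator on the service account.
    String serviceAccount = "delegate@example-project.iam.gserviceaccount.com";
    String user = "alice@example.com";
    List<String> scopes = List.of("https://www.googleapis.com/auth/admin.directory.user.readonly");
    Clock clock = Clock.systemUTC();
    try (IamCredentialsClient client = IamCredentialsClient.create()) {
      JsonWebToken.Payload payload =
          buildDelegationPayload(serviceAccount, user, scopes, clock, Duration.ofMinutes(10));
      String jwt = signWithIamCredentials(client, serviceAccount, payload);
      AccessToken token =
          exchangeForAccessToken(GoogleNetHttpTransport.newTrustedTransport(), jwt, clock);
      System.out.println("delegated token expires at " + token.getExpirationTime());
    }
  }
}
```

Two points to keep in mind when adapting this: the sub claim is what turns a service account token into a user-impersonating token, so the set of identities allowed to call signJwt on that service account (the serviceAccountTokenCreator binding, plus anything listed via addDelegates in a chained call) is the real trust boundary for every user in the domain; and the scopes in the assertion must be a subset of what the Workspace admin authorized for the service account's client ID, or the token endpoint returns an error rather than a narrower token.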

Example 2 with SignJwtRequest

use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project workbench by all-of-us.

the class DelegatedUserCredentialsTest method testRefreshFlow.

@Test
public void testRefreshFlow() throws IOException {
    // Mock out the IAM Credentials API client to create a self-signed JsonWebSignature instead of
    // calling Google's API.
    when(mockIamCredentialsClient.signJwt(any(SignJwtRequest.class))).then(invocation -> {
        SignJwtRequest request = invocation.getArgument(0);
        JsonWebToken.Payload payload =
            DelegatedUserCredentials.JSON_FACTORY.fromInputStream(
                new ByteArrayInputStream(request.getPayload().getBytes()),
                JsonWebToken.Payload.class);
        return SignJwtResponse.newBuilder().setSignedJwt(createSelfSignedJwt(payload)).build();
    });
    // Register the expected service account & access token with the mock token server transport.
    mockTokenServerTransport.addServiceAccount(SERVICE_ACCOUNT_EMAIL, MOCK_ACCESS_TOKEN);
    // Kick off the refresh flow.
    delegatedCredentials.refresh();
    // Verify the call to IAM Credentials API.
    ArgumentCaptor<SignJwtRequest> captor = ArgumentCaptor.forClass(SignJwtRequest.class);
    verify(mockIamCredentialsClient).signJwt(captor.capture());
    assertThat(captor.getValue().getName()).isEqualTo("projects/-/serviceAccounts/" + SERVICE_ACCOUNT_EMAIL);
    // The mockTokenServerTransport class runs some lightweight verification of its own (i.e.,
    // ensuring the signed JWT can be parsed and that the service account is known). Beyond that,
    // we mainly care that the access token is returned and has a correct expiration.
    assertThat(delegatedCredentials.getAccessToken().getTokenValue()).isEqualTo(MOCK_ACCESS_TOKEN);
    assertThat(delegatedCredentials.getAccessToken().getExpirationTime().toInstant().getEpochSecond())
        .isEqualTo(Instant.now(fakeClock).getEpochSecond() + 3600);
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) SignJwtRequest(com.google.cloud.iam.credentials.v1.SignJwtRequest) JsonWebToken(com.google.api.client.json.webtoken.JsonWebToken) Test(org.junit.jupiter.api.Test)

Example 3 with SignJwtRequest

use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project gapic-generator-java by googleapis.

the class SyncSignJwt method syncSignJwt.

public static void syncSignJwt() throws Exception {
    // It may require modifications to work in your environment.
    try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
        SignJwtRequest request =
            SignJwtRequest.newBuilder()
                .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
                .addAllDelegates(new ArrayList<String>())
                .setPayload("payload-786701938")
                .build();
        SignJwtResponse response = iamCredentialsClient.signJwt(request);
    }
}
Also used : SignJwtResponse(com.google.cloud.iam.credentials.v1.SignJwtResponse) IamCredentialsClient(com.google.cloud.iam.credentials.v1.IamCredentialsClient) SignJwtRequest(com.google.cloud.iam.credentials.v1.SignJwtRequest)

Example 4 with SignJwtRequest

use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project gapic-generator-java by googleapis.

the class AsyncSignJwt method asyncSignJwt.

public static void asyncSignJwt() throws Exception {
    // It may require modifications to work in your environment.
    try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
        SignJwtRequest request =
            SignJwtRequest.newBuilder()
                .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
                .addAllDelegates(new ArrayList<String>())
                .setPayload("payload-786701938")
                .build();
        ApiFuture<SignJwtResponse> future = iamCredentialsClient.signJwtCallable().futureCall(request);
        // Do something.
        SignJwtResponse response = future.get();
    }
}
Also used : SignJwtResponse(com.google.cloud.iam.credentials.v1.SignJwtResponse) IamCredentialsClient(com.google.cloud.iam.credentials.v1.IamCredentialsClient) SignJwtRequest(com.google.cloud.iam.credentials.v1.SignJwtRequest)

Aggregations

SignJwtRequest (com.google.cloud.iam.credentials.v1.SignJwtRequest)4 IamCredentialsClient (com.google.cloud.iam.credentials.v1.IamCredentialsClient)2 SignJwtResponse (com.google.cloud.iam.credentials.v1.SignJwtResponse)2 TokenRequest (com.google.api.client.auth.oauth2.TokenRequest)1 TokenResponse (com.google.api.client.auth.oauth2.TokenResponse)1 GenericUrl (com.google.api.client.http.GenericUrl)1 JsonWebToken (com.google.api.client.json.webtoken.JsonWebToken)1 AccessToken (com.google.auth.oauth2.AccessToken)1 ByteArrayInputStream (java.io.ByteArrayInputStream)1 Test (org.junit.jupiter.api.Test)1