use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project workbench by all-of-us.
Class DelegatedUserCredentials, method refreshAccessToken.
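/**
 * Mints a fresh access token for {@code serviceAccountEmail}: the IAM Credentials API signs a
 * JWT carrying the claims from {@code createJwtPayload()}, and that JWT is then exchanged at
 * Google's OAuth2 token server for an access token.
 *
 * @return the new token and its expiration, computed from {@code clock} plus the server's
 *     {@code expires_in}
 * @throws IOException if signing or the token exchange fails, or if the token server response
 *     carries no {@code expires_in}
 */
@Override
public AccessToken refreshAccessToken() throws IOException {
  // Step 1: ask the IAM Credentials API to sign a JWT with the appropriate claims. This call is
  // authorized with application default credentials (ADCs). The ADC service account may differ
  // from `serviceAccountEmail` as long as it holds the roles/iam.serviceAccountTokenCreator
  // role on the `serviceAccountEmail` account.
  SignJwtRequest jwtRequest =
      SignJwtRequest.newBuilder()
          .setName(String.format(SERVICE_ACCOUNT_NAME_FORMAT, serviceAccountEmail))
          .setPayload(JSON_FACTORY.toString(createJwtPayload()))
          .build();
  String jwt = credentialsClient.signJwt(jwtRequest).getSignedJwt();

  // Step 2: exchange the signed JWT for an access token at Google's OAuth2 token server using
  // the JWT bearer grant (JWT_BEARER_GRANT_TYPE); the JWT travels as the "assertion" parameter.
  TokenRequest tokenRequest =
      new TokenRequest(
          httpTransport,
          JSON_FACTORY,
          new GenericUrl(GoogleOAuthConstants.TOKEN_SERVER_URL),
          JWT_BEARER_GRANT_TYPE);
  tokenRequest.put("assertion", jwt);
  TokenResponse tokenResponse = tokenRequest.execute();

  // getExpiresInSeconds() returns a boxed Long that is null when the server omits expires_in;
  // unboxing it blindly would surface as an NPE rather than a meaningful refresh failure.
  Long expiresInSeconds = tokenResponse.getExpiresInSeconds();
  if (expiresInSeconds == null) {
    throw new IOException(
        "Token server response did not include expires_in for " + serviceAccountEmail);
  }
  Date expiration = Date.from(Instant.now(clock).plusSeconds(expiresInSeconds));
  return new AccessToken(tokenResponse.getAccessToken(), expiration);
}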
use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project workbench by all-of-us.
Class DelegatedUserCredentialsTest, method testRefreshFlow.
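/**
 * Exercises the full refresh flow: the mocked IAM Credentials client self-signs whatever JWT
 * payload the code under test produces, and the mock token server transport exchanges that JWT
 * for {@code MOCK_ACCESS_TOKEN}. Asserts the signing request named the expected service account
 * and that the resulting token value and expiration are as expected.
 */
@Test
public void testRefreshFlow() throws IOException {
  // Stand in for the IAM Credentials API: parse the payload produced by the code under test and
  // wrap it in a self-signed JsonWebSignature instead of calling Google's API.
  when(mockIamCredentialsClient.signJwt(any(SignJwtRequest.class)))
      .then(
          invocation -> {
            SignJwtRequest request = invocation.getArgument(0);
            // Use an explicit charset: getBytes() with no argument uses the platform default,
            // which is not guaranteed to be UTF-8 on JDKs before 18.
            byte[] payloadBytes =
                request.getPayload().getBytes(java.nio.charset.StandardCharsets.UTF_8);
            JsonWebToken.Payload payload =
                DelegatedUserCredentials.JSON_FACTORY.fromInputStream(
                    new ByteArrayInputStream(payloadBytes), JsonWebToken.Payload.class);
            return SignJwtResponse.newBuilder()
                .setSignedJwt(createSelfSignedJwt(payload))
                .build();
          });

  // Register the expected service account & access token with the mock token server transport.
  mockTokenServerTransport.addServiceAccount(SERVICE_ACCOUNT_EMAIL, MOCK_ACCESS_TOKEN);

  // Kick off the refresh flow.
  delegatedCredentials.refresh();

  // Verify the signing request sent to the IAM Credentials API named the right service account.
  ArgumentCaptor<SignJwtRequest> signRequestCaptor = ArgumentCaptor.forClass(SignJwtRequest.class);
  verify(mockIamCredentialsClient).signJwt(signRequestCaptor.capture());
  assertThat(signRequestCaptor.getValue().getName())
      .isEqualTo("projects/-/serviceAccounts/" + SERVICE_ACCOUNT_EMAIL);

  // The mockTokenServerTransport class runs some lightweight verification of its own (i.e.,
  // ensuring the signed JWT can be parsed and that the service account is known). Beyond that,
  // we mainly care that the access token is returned and has a correct expiration.
  assertThat(delegatedCredentials.getAccessToken().getTokenValue()).isEqualTo(MOCK_ACCESS_TOKEN);
  assertThat(
          delegatedCredentials.getAccessToken().getExpirationTime().toInstant().getEpochSecond())
      .isEqualTo(Instant.now(fakeClock).getEpochSecond() + 3600);
}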
use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project gapic-generator-java by googleapis.
Class SyncSignJwt, method syncSignJwt.
/**
 * Sample: synchronously asks the IAM Credentials API to sign a placeholder JWT payload as the
 * service account named by the bracketed placeholders.
 *
 * @throws Exception if the client cannot be created or the signJwt call fails
 */
public static void syncSignJwt() throws Exception {
  // It may require modifications to work in your environment.
  // try-with-resources guarantees the client is closed when the block exits.
  try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
    String serviceAccount = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
    SignJwtRequest.Builder requestBuilder = SignJwtRequest.newBuilder();
    requestBuilder.setName(serviceAccount);
    requestBuilder.addAllDelegates(new ArrayList<String>());
    requestBuilder.setPayload("payload-786701938");
    SignJwtRequest request = requestBuilder.build();
    SignJwtResponse response = iamCredentialsClient.signJwt(request);
  }
}
use of com.google.cloud.iam.credentials.v1.SignJwtRequest in project gapic-generator-java by googleapis.
Class AsyncSignJwt, method asyncSignJwt.
/**
 * Sample: issues the signJwt RPC through the client's callable as a future and then blocks on
 * the result, signing a placeholder JWT payload as the named service account.
 *
 * @throws Exception if the client cannot be created or waiting on the future fails
 */
public static void asyncSignJwt() throws Exception {
  // It may require modifications to work in your environment.
  // try-with-resources guarantees the client is closed when the block exits.
  try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
    String serviceAccount = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
    SignJwtRequest.Builder requestBuilder = SignJwtRequest.newBuilder();
    requestBuilder.setName(serviceAccount);
    requestBuilder.addAllDelegates(new ArrayList<String>());
    requestBuilder.setPayload("payload-786701938");
    SignJwtRequest request = requestBuilder.build();
    ApiFuture<SignJwtResponse> future =
        iamCredentialsClient.signJwtCallable().futureCall(request);
    // Do something.
    SignJwtResponse response = future.get();
  }
}