google-cloud-node/core/packages/google-auth-library-nodejs/src/auth/idtokenclient.ts at 3cb25a0dd4de0680cd0910e6e59bea2ce0c39e49 · googleapis/google-cloud-node · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

import {Credentials} from './credentials';
import {
  OAuth2Client,
  OAuth2ClientOptions,
  RequestMetadataResponse,
} from './oauth2client';

export interface IdTokenOptions extends OAuth2ClientOptions {
  /**
   * The client to make the request to fetch an ID token.
   */
  idTokenProvider: IdTokenProvider;
  /**
   * The audience to use when requesting an ID token.
   */
  targetAudience: string;
}

export interface IdTokenProvider {
  fetchIdToken: (targetAudience: string) => Promise<string>;
}

export class IdTokenClient extends OAuth2Client {
  targetAudience: string;
  idTokenProvider: IdTokenProvider;

  /**
   * Google ID Token client
   *
   * Retrieve ID token from the metadata server.
   * See: https://cloud.google.com/docs/authentication/get-id-token#metadata-server
   */
  constructor(options: IdTokenOptions) {
    super(options);
    this.targetAudience = options.targetAudience;
    this.idTokenProvider = options.idTokenProvider;
  }

  protected async getRequestMetadataAsync(): Promise<RequestMetadataResponse> {
    if (
      !this.credentials.id_token ||
      !this.credentials.expiry_date ||
      this.isExpired()
    ) {
      const idToken = await this.idTokenProvider.fetchIdToken(
        this.targetAudience,
      );
      this.credentials = {
        id_token: idToken,
        expiry_date: this.getIdTokenExpiryDate(idToken),
      } as Credentials;
    }

    const headers = new Headers({
      authorization: 'Bearer ' + this.credentials.id_token,
    });
    return {
      headers,
      // Since ID-tokens are outside RAB scope, isIDToken is used as a flag
      // to avoid RAB lookup.
      isIDToken: true,
    };
  }

  private getIdTokenExpiryDate(idToken: string): number | void {
    const payloadB64 = idToken.split('.')[1];
    if (payloadB64) {
      const payload = JSON.parse(
        Buffer.from(payloadB64, 'base64').toString('ascii'),
      );
      return payload.exp * 1000;
    }
  }
}