allow to use uri as audience

Author: arithmetic1728

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -110,7 +110,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
   private final Collection<String> defaultScopes;
   private final String quotaProjectId;
   private final int lifetime;
-  private final boolean useJWTAccessWithScope;
+  private final boolean useJwtAccessWithScope;
 
   private transient HttpTransportFactory transportFactory;
 
@@ -134,7 +134,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
    *     most 43200 (12 hours). If the token is used for calling a Google API, then the value should
    *     be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used
    *     when creating the credentials.
-   * @param useJWTAccessWithScope whether self signed JWT with scopes should be always used.
+   * @param useJwtAccessWithScope whether self signed JWT with scopes should be always used.
    */
   ServiceAccountCredentials(
       String clientId,
@@ -149,7 +149,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
       String projectId,
       String quotaProjectId,
       int lifetime,
-      boolean useJWTAccessWithScope) {
+      boolean useJwtAccessWithScope) {
     this.clientId = clientId;
     this.clientEmail = Preconditions.checkNotNull(clientEmail);
     this.privateKey = Preconditions.checkNotNull(privateKey);
@@ -170,7 +170,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
       throw new IllegalStateException("lifetime must be less than or equal to 43200");
     }
     this.lifetime = lifetime;
-    this.useJWTAccessWithScope = useJWTAccessWithScope;
+    this.useJwtAccessWithScope = useJwtAccessWithScope;
   }
 
   /**
@@ -692,7 +692,7 @@ public GoogleCredentials createScoped(
         projectId,
         quotaProjectId,
         lifetime,
-        useJWTAccessWithScope);
+        useJwtAccessWithScope);
   }
 
   /**
@@ -709,13 +709,13 @@ public ServiceAccountCredentials createWithCustomLifetime(int lifetime) {
   }
 
   /**
-   * Clones the service account with a new useJWTAccessWithScope value.
+   * Clones the service account with a new useJwtAccessWithScope value.
    *
-   * @param useJWTAccessWithScope whether self signed JWT with scopes should be used
-   * @return the cloned service account credentials with the given useJWTAccessWithScope
+   * @param useJwtAccessWithScope whether self signed JWT with scopes should be used
+   * @return the cloned service account credentials with the given useJwtAccessWithScope
    */
-  public ServiceAccountCredentials createWithUseJWTAccessWithScope(boolean useJWTAccessWithScope) {
-    return this.toBuilder().setUseJWTAccessWithScope(useJWTAccessWithScope).build();
+  public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope) {
+    return this.toBuilder().setUseJwtAccessWithScope(useJwtAccessWithScope).build();
   }
 
   @Override
@@ -733,7 +733,7 @@ public GoogleCredentials createDelegated(String user) {
         projectId,
         quotaProjectId,
         lifetime,
-        useJWTAccessWithScope);
+        useJwtAccessWithScope);
   }
 
   public final String getClientId() {
@@ -781,8 +781,8 @@ int getLifetime() {
     return lifetime;
   }
 
-  public boolean getUseJWTAccessWithScope() {
-    return useJWTAccessWithScope;
+  public boolean getUseJwtAccessWithScope() {
+    return useJwtAccessWithScope;
   }
 
   @Override
@@ -843,7 +843,7 @@ public int hashCode() {
         defaultScopes,
         quotaProjectId,
         lifetime,
-        useJWTAccessWithScope);
+        useJwtAccessWithScope);
   }
 
   @Override
@@ -859,7 +859,7 @@ public String toString() {
         .add("serviceAccountUser", serviceAccountUser)
         .add("quotaProjectId", quotaProjectId)
         .add("lifetime", lifetime)
-        .add("useJWTAccessWithScope", useJWTAccessWithScope)
+        .add("useJwtAccessWithScope", useJwtAccessWithScope)
         .toString();
   }
 
@@ -879,7 +879,7 @@ public boolean equals(Object obj) {
         && Objects.equals(this.defaultScopes, other.defaultScopes)
         && Objects.equals(this.quotaProjectId, other.quotaProjectId)
         && Objects.equals(this.lifetime, other.lifetime)
-        && Objects.equals(this.useJWTAccessWithScope, other.useJWTAccessWithScope);
+        && Objects.equals(this.useJwtAccessWithScope, other.useJwtAccessWithScope);
   }
 
   String createAssertion(JsonFactory jsonFactory, long currentTime, String audience)
@@ -949,19 +949,41 @@ String createAssertionForIdToken(
     }
   }
 
+  /**
+   * Self signed JWT uses uri as audience, which should have the "https://{host}/" format. For
+   * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
+   * function returns "https://compute.googleapis.com/".
+   */
+  @VisibleForTesting
+  static URI getUriForSelfSignedJWT(URI uri) {
+    if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
+      return uri;
+    }
+    try {
+      return new URI(uri.getScheme(), uri.getHost(), "/", null);
+    } catch (URISyntaxException unused) {
+      return uri;
+    }
+  }
+
   @VisibleForTesting
   JwtCredentials createSelfSignedJwtCredentials(final URI uri) {
     // Create a JwtCredentials for self signed JWT. See https://google.aip.dev/auth/4111.
     JwtClaims.Builder claimsBuilder =
         JwtClaims.newBuilder().setIssuer(clientEmail).setSubject(clientEmail);
-    if (!scopes.isEmpty()) {
-      claimsBuilder.setAdditionalClaims(
-          Collections.singletonMap("scope", Joiner.on(' ').join(scopes)));
-    } else if (uri != null) {
-      claimsBuilder.setAudience(uri.toString());
+
+    if (uri == null) {
+      // If uri is null, use scopes.
+      String scopeClaim = "";
+      if (!scopes.isEmpty()) {
+        scopeClaim = Joiner.on(' ').join(scopes);
+      } else {
+        scopeClaim = Joiner.on(' ').join(defaultScopes);
+      }
+      claimsBuilder.setAdditionalClaims(Collections.singletonMap("scope", scopeClaim));
     } else {
-      claimsBuilder.setAdditionalClaims(
-          Collections.singletonMap("scope", Joiner.on(' ').join(defaultScopes)));
+      // otherwise, use audience with the uri.
+      claimsBuilder.setAudience(getUriForSelfSignedJWT(uri).toString());
     }
     return JwtCredentials.newBuilder()
         .setPrivateKey(privateKey)
@@ -974,8 +996,10 @@ JwtCredentials createSelfSignedJwtCredentials(final URI uri) {
   @Override
   public void getRequestMetadata(
       final URI uri, Executor executor, final RequestMetadataCallback callback) {
-    if (useJWTAccessWithScope) {
+    if (useJwtAccessWithScope) {
       // This will call getRequestMetadata(URI uri), which handles self signed JWT logic.
+      // Self signed JWT doesn't use network, so here we do a blocking call to improve
+      // efficiency. executor will be ignored since it is intended for async operation.
       blockingGetToCallback(uri, callback);
     } else {
       super.getRequestMetadata(uri, executor, callback);
@@ -985,22 +1009,31 @@ public void getRequestMetadata(
   /** Provide the request metadata by putting an access JWT directly in the metadata. */
   @Override
   public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
-    if (createScopedRequired()) {
-      if (!useJWTAccessWithScope) {
-        throw new IOException(
-            "Scopes are not configured for service account. Specify the scopes"
-                + " by calling createScoped or passing scopes to constructor.");
-      } else if (uri == null) {
-        throw new IOException("Scopes and uri are not configured for service account.");
-      }
+    if (createScopedRequired() && uri == null) {
+      throw new IOException(
+          "Scopes and uri are not configured for service account. Specify the scopes"
+              + " by calling createScoped or passing scopes to constructor or"
+              + " providing uri to getRequestMetadata.");
     }
-    if (useJWTAccessWithScope) {
-      JwtCredentials jwtCredentials = createSelfSignedJwtCredentials(uri);
-      Map<String, List<String>> requestMetadata = jwtCredentials.getRequestMetadata(uri);
-      return addQuotaProjectIdToRequestMetadata(quotaProjectId, requestMetadata);
-    } else {
+
+    // If scopes are provided but we cannot use self signed JWT, then use scopes in the normal oauth
+    // way.
+    if (!createScopedRequired() && !useJwtAccessWithScope) {
       return super.getRequestMetadata(uri);
     }
+
+    // If scopes are provided and self signed JWT can be used, use self signed JWT with scopes.
+    // Otherwise, use self signed JWT with uri as the audience.
+    JwtCredentials jwtCredentials;
+    if (!createScopedRequired() && useJwtAccessWithScope) {
+      // Create JWT credentials with the scopes.
+      jwtCredentials = createSelfSignedJwtCredentials(null);
+    } else {
+      // Create JWT credentials with the uri as audience.
+      jwtCredentials = createSelfSignedJwtCredentials(uri);
+    }
+    Map<String, List<String>> requestMetadata = jwtCredentials.getRequestMetadata(null);
+    return addQuotaProjectIdToRequestMetadata(quotaProjectId, requestMetadata);
   }
 
   @SuppressWarnings("unused")
@@ -1037,7 +1070,7 @@ public static class Builder extends GoogleCredentials.Builder {
     private HttpTransportFactory transportFactory;
     private String quotaProjectId;
     private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;
-    private boolean useJWTAccessWithScope = false;
+    private boolean useJwtAccessWithScope = false;
 
     protected Builder() {}
 
@@ -1054,7 +1087,7 @@ protected Builder(ServiceAccountCredentials credentials) {
       this.projectId = credentials.projectId;
       this.quotaProjectId = credentials.quotaProjectId;
       this.lifetime = credentials.lifetime;
-      this.useJWTAccessWithScope = credentials.useJWTAccessWithScope;
+      this.useJwtAccessWithScope = credentials.useJwtAccessWithScope;
     }
 
     public Builder setClientId(String clientId) {
@@ -1119,8 +1152,8 @@ public Builder setLifetime(int lifetime) {
       return this;
     }
 
-    public Builder setUseJWTAccessWithScope(boolean useJWTAccessWithScope) {
-      this.useJWTAccessWithScope = useJWTAccessWithScope;
+    public Builder setUseJwtAccessWithScope(boolean useJwtAccessWithScope) {
+      this.useJwtAccessWithScope = useJwtAccessWithScope;
       return this;
     }
 
@@ -1172,8 +1205,8 @@ public int getLifetime() {
       return lifetime;
     }
 
-    public boolean getUseJWTAccessWithScope() {
-      return useJWTAccessWithScope;
+    public boolean getUseJwtAccessWithScope() {
+      return useJwtAccessWithScope;
     }
 
     public ServiceAccountCredentials build() {
@@ -1190,7 +1223,7 @@ public ServiceAccountCredentials build() {
           projectId,
           quotaProjectId,
           lifetime,
-          useJWTAccessWithScope);
+          useJwtAccessWithScope);
     }
   }
 }

oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java

@@ -106,7 +106,7 @@ public class ServiceAccountCredentialsTest extends BaseSerializationTest {
   private static final String PROJECT_ID = "project-id";
   private static final Collection<String> EMPTY_SCOPES = Collections.emptyList();
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
-  private static final String JWT_AUDIENCE = "http://googleapis.com/testapi/v1/foo";
+  private static final String JWT_AUDIENCE = "http://googleapis.com/";
   private static final HttpTransportFactory DUMMY_TRANSPORT_FACTORY =
       new MockTokenServerTransportFactory();
   public static final String DEFAULT_ID_TOKEN =
@@ -419,12 +419,12 @@ public void createdScoped_enablesAccessTokens() throws IOException {
             null);
 
     try {
-      credentials.getRequestMetadata(CALL_URI);
+      credentials.getRequestMetadata(null);
       fail("Should not be able to get token without scopes");
     } catch (IOException e) {
       assertTrue(
           "expected to fail with exception",
-          e.getMessage().contains("Scopes are not configured for service account"));
+          e.getMessage().contains("Scopes and uri are not configured for service account"));
     }
 
     GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);
@@ -1069,7 +1069,7 @@ public void toString_containsFields() throws IOException {
         String.format(
             "ServiceAccountCredentials{clientId=%s, clientEmail=%s, privateKeyId=%s, "
                 + "transportFactoryClassName=%s, tokenServerUri=%s, scopes=%s, defaultScopes=%s, serviceAccountUser=%s, "
-                + "quotaProjectId=%s, lifetime=3600, useJWTAccessWithScope=false}",
+                + "quotaProjectId=%s, lifetime=3600, useJwtAccessWithScope=false}",
             CLIENT_ID,
             CLIENT_EMAIL,
             PRIVATE_KEY_ID,
@@ -1231,6 +1231,29 @@ public void fromStream_noPrivateKeyId_throws() throws IOException {
     testFromStreamException(serviceAccountStream, "private_key_id");
   }
 
+  @Test
+  public void getUriForSelfSignedJWT() {
+    assertNull(ServiceAccountCredentials.getUriForSelfSignedJWT(null));
+
+    URI uri = URI.create("https://compute.googleapis.com/compute/v1/projects/");
+    URI expected = URI.create("https://compute.googleapis.com/");
+    assertEquals(expected, ServiceAccountCredentials.getUriForSelfSignedJWT(uri));
+  }
+
+  @Test
+  public void getUriForSelfSignedJWT_noHost() {
+    URI uri = URI.create("file:foo");
+    URI expected = URI.create("file:foo");
+    assertEquals(expected, ServiceAccountCredentials.getUriForSelfSignedJWT(uri));
+  }
+
+  @Test
+  public void getUriForSelfSignedJWT_forStaticAudience_returnsURI() {
+    URI uri = URI.create("compute.googleapis.com");
+    URI expected = URI.create("compute.googleapis.com");
+    assertEquals(expected, ServiceAccountCredentials.getUriForSelfSignedJWT(uri));
+  }
+
   @Test
   public void getRequestMetadataSetsQuotaProjectId() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
@@ -1335,7 +1358,7 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
             .setServiceAccountUser(USER)
             .setProjectId(PROJECT_ID)
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
-            .setUseJWTAccessWithScope(true)
+            .setUseJwtAccessWithScope(true)
             .build();
 
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
@@ -1351,11 +1374,9 @@ public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
             .setClientEmail(CLIENT_EMAIL)
             .setPrivateKey(privateKey)
             .setPrivateKeyId(PRIVATE_KEY_ID)
-            .setScopes(null, SCOPES)
             .setServiceAccountUser(USER)
             .setProjectId(PROJECT_ID)
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
-            .setUseJWTAccessWithScope(true)
             .build();
 
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
@@ -1375,7 +1396,7 @@ public void getRequestMetadata_selfSignedJWT_withDefaultScopes() throws IOExcept
             .setServiceAccountUser(USER)
             .setProjectId(PROJECT_ID)
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
-            .setUseJWTAccessWithScope(true)
+            .setUseJwtAccessWithScope(true)
             .build();
 
     Map<String, List<String>> metadata = credentials.getRequestMetadata(null);
@@ -1395,7 +1416,8 @@ public void getRequestMetadataWithCallback_selfSignedJWT() throws IOException {
             .setProjectId(PROJECT_ID)
             .setQuotaProjectId("my-quota-project-id")
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
-            .setUseJWTAccessWithScope(true)
+            .setUseJwtAccessWithScope(true)
+            .setScopes(SCOPES)
             .build();
 
     final AtomicBoolean success = new AtomicBoolean(false);
@@ -1406,7 +1428,7 @@ public void getRequestMetadataWithCallback_selfSignedJWT() throws IOException {
           @Override
           public void onSuccess(Map<String, List<String>> metadata) {
             try {
-              verifyJwtAccess(metadata, null);
+              verifyJwtAccess(metadata, "dummy.scope");
             } catch (IOException e) {
               fail("Should not throw a failure");
             }

oauth2_http/javatests/com/google/auth/oauth2/functional/FTServiceAccountCredentialsTest.java

@@ -57,13 +57,13 @@ public final class FTServiceAccountCredentialsTest {
   private final String cloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform";
 
   private final String cloudTasksUrl =
-      "https://cloudtasks.googleapis.com/v2/projects/gcloud-devel/locations";
+      "https://cloudtasks.googleapis.com/v2/projects/sijunliu-nondca-test/locations";
   private final String storageUrl =
-      "https://storage.googleapis.com/storage/v1/b?project=gcloud-devel";
+      "https://storage.googleapis.com/storage/v1/b?project=sijunliu-nondca-test";
   private final String bigQueryUrl =
-      "https://bigquery.googleapis.com/bigquery/v2/projects/gcloud-devel/datasets";
+      "https://bigquery.googleapis.com/bigquery/v2/projects/sijunliu-nondca-test/datasets";
   private final String computeUrl =
-      "https://compute.googleapis.com/compute/v1/projects/gcloud-devel/zones/us-central1-a/instances";
+      "https://compute.googleapis.com/compute/v1/projects/sijunliu-nondca-test/zones/us-central1-a/instances";
 
   @Test
   public void NoScopeNoAudienceComputeTest() throws Exception {