Skip to content

Commit

Permalink
fix(internal): set scopes for new auth flow (#2525)
Browse files Browse the repository at this point in the history
Also updated a test that relied on impl specific types before.
Testing the TokenSource methods instead of NewClient as NewClient
defers impl to NewTokenSource anyways.

Fixes: #2523
Fixes: #2522
  • Loading branch information
codyoss authored Apr 17, 2024
1 parent f49960d commit 0f0a2f0
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 26 deletions.
33 changes: 8 additions & 25 deletions idtoken/integration_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ import (
"strings"
"testing"

"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"google.golang.org/api/idtoken"
"google.golang.org/api/option"
Expand Down Expand Up @@ -49,28 +48,7 @@ func TestNewTokenSource(t *testing.T) {
}
}

func TestNewClient_WithCredentialFile(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test")
}
client, err := idtoken.NewClient(context.Background(), aud, option.WithCredentialsFile(os.Getenv(envCredentialFile)))
if err != nil {
t.Fatalf("unable to create Client: %v", err)
}
tok, err := client.Transport.(*oauth2.Transport).Source.Token()
if err != nil {
t.Fatalf("unable to retrieve Token: %v", err)
}
validTok, err := idtoken.Validate(context.Background(), tok.AccessToken, aud)
if err != nil {
t.Fatalf("token validation failed: %v", err)
}
if validTok.Audience != aud {
t.Fatalf("got %q, want %q", validTok.Audience, aud)
}
}

func TestNewClient_WithCredentialJSON(t *testing.T) {
func TestNewTokenSource_WithCredentialJSON(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test")
}
Expand All @@ -79,14 +57,19 @@ func TestNewClient_WithCredentialJSON(t *testing.T) {
if err != nil {
t.Fatalf("unable to find default creds: %v", err)
}
client, err := idtoken.NewClient(ctx, aud, option.WithCredentialsJSON(creds.JSON))
ts, err := idtoken.NewTokenSource(ctx, aud, option.WithCredentialsJSON(creds.JSON))
if err != nil {
t.Fatalf("unable to create Client: %v", err)
}
tok, err := client.Transport.(*oauth2.Transport).Source.Token()
tok, err := ts.Token()
if err != nil {
t.Fatalf("unable to retrieve Token: %v", err)
}
req := &http.Request{Header: make(http.Header)}
tok.SetAuthHeader(req)
if !strings.HasPrefix(req.Header.Get("Authorization"), "Bearer ") {
t.Fatalf("token should sign requests with Bearer Authorization header")
}
validTok, err := idtoken.Validate(context.Background(), tok.AccessToken, aud)
if err != nil {
t.Fatalf("token validation failed: %v", err)
Expand Down
6 changes: 5 additions & 1 deletion internal/creds.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,12 +64,16 @@ func credsNewAuth(ctx context.Context, settings *DialSettings) (*google.Credenti
useSelfSignedJWT = true
}

if len(settings.Scopes) > 0 {
scopes = make([]string, len(settings.Scopes))
copy(scopes, settings.Scopes)
}
if len(settings.Audiences) > 0 {
aud = settings.Audiences[0]
}
// Only default scopes if user did not also set an audience.
if len(settings.Scopes) == 0 && aud == "" && len(settings.DefaultScopes) > 0 {
scopes = make([]string, len(scopes))
scopes = make([]string, len(settings.DefaultScopes))
copy(scopes, settings.DefaultScopes)
}
if len(scopes) == 0 && aud == "" {
Expand Down

0 comments on commit 0f0a2f0

Please sign in to comment.