Use an OAuth 2.0 access token for Domain-Wide Delegation (#388)

Fixes #387
google-github-actions · Feb 5, 2024 · b4f4057 · b4f4057
1 parent 39c96a3
commit b4f4057
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 10 deletions.
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/src/client/iamcredentials.ts b/src/client/iamcredentials.ts
@@ -139,7 +139,7 @@ export class IAMCredentialsClient extends Client {
       method: `POST`,
       path: pth,
       headers: headers,
-      body: body,
+      body: body.toString(),
     });
 
     try {
@@ -149,8 +149,8 @@ export class IAMCredentialsClient extends Client {
       if (statusCode < 200 || statusCode > 299) {
         throw new Error(`Failed to call ${pth}: HTTP ${statusCode}: ${respBody || '[no body]'}`);
       }
-      const parsed = JSON.parse(respBody) as { accessToken: string };
-      return parsed.accessToken;
+      const parsed = JSON.parse(respBody) as { access_token: string };
+      return parsed.access_token;
     } catch (err) {
       const msg = errorMessage(err);
       throw new Error(

diff --git a/src/client/workload_identity_federation.ts b/src/client/workload_identity_federation.ts
@@ -80,7 +80,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
     const logger = this._logger.withNamespace(`getToken`);
 
     const now = new Date().getTime();
-    if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt > 60_000) {
+    if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt < 30_000) {
       logger.debug(`Using cached token`, {
         now: now,
         cachedAt: this.#cachedAt,
@@ -141,7 +141,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
     const pth = `${this._endpoints.iamcredentials}/projects/-/serviceAccounts/${this.#serviceAccount}:signJwt`;
 
     const headers = {
-      Authorization: `Bearer ${this.getToken()}`,
+      Authorization: `Bearer ${await this.getToken()}`,
     };
 
     const body = {

diff --git a/src/main.ts b/src/main.ts
@@ -253,11 +253,14 @@ export async function run(logger: Logger) {
           );
         }
 
+        let accessToken: string;
+
         // If a subject was provided, use the traditional OAuth 2.0 flow to
         // perform Domain-Wide Delegation. Otherwise, use the modern IAM
         // Credentials endpoints.
-        let accessToken;
         if (accessTokenSubject) {
+          logger.debug(`Using Domain-Wide Delegation flow`);
+
           if (accessTokenLifetime > 3600) {
             logger.info(
               `An access token subject was specified, triggering Domain-Wide ` +
@@ -273,10 +276,10 @@ export async function run(logger: Logger) {
             accessTokenLifetime,
           );
           const signedJWT = await client.signJWT(unsignedJWT);
-
           accessToken =
             await iamCredentialsClient.generateDomainWideDelegationAccessToken(signedJWT);
         } else {
+          logger.debug(`Using normal access token flow`);
           accessToken = await iamCredentialsClient.generateAccessToken({
             serviceAccount,
             delegates,