Skip to content
Permalink
Browse files
feat: Returning an issuer claim on request errors (#656)
* logging issuer claim for service account on errors

Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
  • Loading branch information
TimurSadykov and arithmetic1728 committed May 17, 2021
1 parent 9633e45 commit 95d70ae0f5f4c985455f913ddef14ebe75500656
@@ -609,7 +609,10 @@ public boolean isRequired(HttpResponse response) {
response = request.execute();
} catch (IOException e) {
throw new IOException(
String.format("Error getting access token for service account: %s", e.getMessage()), e);
String.format(
"Error getting access token for service account: %s, iss: %s",
e.getMessage(), getIssuer()),
e);
}

GenericData responseData = response.parseAs(GenericData.class);
@@ -648,7 +651,16 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
request.setParser(new JsonObjectParser(jsonFactory));
HttpResponse response = request.execute();
HttpResponse response;
try {
response = request.execute();
} catch (IOException e) {
throw new IOException(
String.format(
"Error getting id token for service account: %s, iss: %s",
e.getMessage(), getIssuer()),
e);
}

GenericData responseData = response.parseAs(GenericData.class);
String rawToken = OAuth2Utils.validateString(responseData, "id_token", PARSE_ERROR_PREFIX);
@@ -755,6 +767,10 @@ public final URI getTokenServerUri() {
return tokenServerUri;
}

private String getIssuer() {
return this.clientEmail;
}

@VisibleForTesting
int getLifetime() {
return lifetime;
@@ -787,7 +803,7 @@ public byte[] sign(byte[] toSign) {
@Override
public JwtCredentials jwtWithClaims(JwtClaims newClaims) {
JwtClaims.Builder claimsBuilder =
JwtClaims.newBuilder().setIssuer(clientEmail).setSubject(clientEmail);
JwtClaims.newBuilder().setIssuer(getIssuer()).setSubject(clientEmail);
return JwtCredentials.newBuilder()
.setPrivateKey(privateKey)
.setPrivateKeyId(privateKeyId)
@@ -862,7 +878,7 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
header.setKeyId(privateKeyId);

JsonWebToken.Payload payload = new JsonWebToken.Payload();
payload.setIssuer(clientEmail);
payload.setIssuer(getIssuer());
payload.setIssuedAtTimeSeconds(currentTime / 1000);
payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
payload.setSubject(serviceAccountUser);
@@ -898,7 +914,7 @@ String createAssertionForIdToken(
header.setKeyId(privateKeyId);

JsonWebToken.Payload payload = new JsonWebToken.Payload();
payload.setIssuer(clientEmail);
payload.setIssuer(getIssuer());
payload.setIssuedAtTimeSeconds(currentTime / 1000);
payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
payload.setSubject(serviceAccountUser);
@@ -1189,6 +1189,37 @@ public void fromStream_noClientEmail_throws() throws IOException {
testFromStreamException(serviceAccountStream, "client_email");
}

@Test
public void getIdTokenWithAudience_badEmailError_issClaimTraced() throws IOException {
MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
MockTokenServerTransport transport = transportFactory.transport;
transport.setError(new IOException("Invalid grant: Account not found"));
ServiceAccountCredentials credentials =
ServiceAccountCredentials.fromPkcs8(
CLIENT_ID,
CLIENT_EMAIL,
PRIVATE_KEY_PKCS8,
PRIVATE_KEY_ID,
SCOPES,
transportFactory,
null);

String targetAudience = "https://bar";
IdTokenCredentials tokenCredential =
IdTokenCredentials.newBuilder()
.setIdTokenProvider(credentials)
.setTargetAudience(targetAudience)
.build();

String expectedErrorMessage = String.format("iss: %s", CLIENT_EMAIL);

try {
tokenCredential.refresh();
} catch (IOException expected) {
assertTrue(expected.getMessage().contains(expectedErrorMessage));
}
}

@Test
public void fromStream_noPrivateKey_throws() throws IOException {
InputStream serviceAccountStream =

0 comments on commit 95d70ae

Please sign in to comment.