Skip to content

Commit

Permalink
fix: Always sign with scopes on Non-Default Universes (#1752)
Browse files Browse the repository at this point in the history
  • Loading branch information
d-goog authored Feb 6, 2024
1 parent 3ba07f5 commit f3d3a03
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 10 deletions.
9 changes: 7 additions & 2 deletions src/auth/jwtclient.ts
Original file line number Diff line number Diff line change
Expand Up @@ -163,12 +163,17 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
scopes = this.defaultScopes;
}

const useScopes =
this.useJWTAccessWithScope ||
this.universeDomain !== DEFAULT_UNIVERSE;

const headers = await this.access.getRequestHeaders(
url ?? undefined,
this.additionalClaims,
// Scopes take precedent over audience for signing,
// so we only provide them if useJWTAccessWithScope is on
this.useJWTAccessWithScope ? scopes : undefined
// so we only provide them if `useJWTAccessWithScope` is on or
// if we are in a non-default universe
useScopes ? scopes : undefined
);

return {headers: this.addSharedMetadataHeaders(headers)};
Expand Down
16 changes: 8 additions & 8 deletions test/test.jwt.ts
Original file line number Diff line number Diff line change
Expand Up @@ -896,7 +896,7 @@ describe('jwt', () => {
);
});

it('signs JWT with audience if: user scope = true, default scope = false, audience = falsy, useJWTAccessWithScope = true', async () => {
it('signs JWT with scopes if: user scope = true, default scope = false, audience = falsy, useJWTAccessWithScope = true', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
Expand All @@ -918,7 +918,7 @@ describe('jwt', () => {
);
});

it('signs JWT with audience if: user scope = false, default scope = true, audience = falsy, useJWTAccessWithScope = true', async () => {
it('signs JWT with scopes if: user scope = false, default scope = true, audience = falsy, useJWTAccessWithScope = true', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
Expand All @@ -939,7 +939,7 @@ describe('jwt', () => {
]);
});

it('signs JWT with audience if: user scope = true, default scope = true, audience = falsy, useJWTAccessWithScope = true', async () => {
it('signs JWT with scopes if: user scope = true, default scope = true, audience = falsy, useJWTAccessWithScope = true', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
Expand All @@ -962,7 +962,7 @@ describe('jwt', () => {
);
});

it('signs JWT with audience if: user scope = true, default scope = false, audience = truthy, useJWTAccessWithScope = true', async () => {
it('signs JWT with scopes if: user scope = true, default scope = false, audience = truthy, useJWTAccessWithScope = true', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
Expand All @@ -984,7 +984,7 @@ describe('jwt', () => {
);
});

it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, useJWTAccessWithScope = true', async () => {
it('signs JWT with scopes if: user scope = true, default scope = true, audience = truthy, useJWTAccessWithScope = true', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
Expand All @@ -1007,7 +1007,7 @@ describe('jwt', () => {
);
});

it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, universeDomain = not default universe', async () => {
it('signs JWT with scopes if: user scope = true, default scope = true, audience = truthy, universeDomain = not default universe', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
Expand All @@ -1025,11 +1025,11 @@ describe('jwt', () => {
stubGetRequestHeaders,
'https//beepboop.googleapis.com',
undefined,
undefined
['scope1', 'scope2']
);
});

it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, useJWTAccessWithScope = true, universeDomain = not default universe', async () => {
it('signs JWT with scopes if: user scope = true, default scope = true, audience = truthy, useJWTAccessWithScope = true, universeDomain = not default universe', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
Expand Down

0 comments on commit f3d3a03

Please sign in to comment.