feat: implements the OAuth token exchange spec based on rfc8693 #1026
Conversation
Codecov Report
@@ Coverage Diff @@
## byoid #1026 +/- ##
========================================
Coverage ? 92.32%
========================================
Files ? 23
Lines ? 4550
Branches ? 524
========================================
Hits ? 4201
Misses ? 349
Partials ? 0
LGTM with a few nits
* https://tools.ietf.org/html/rfc8693#section-2.1 | ||
*/ | ||
export interface StsCredentialsOptions { | ||
grantType: string; |
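Review bot: `grantType: string` accepts any value, but the only grant type permitted for a token exchange request is the URN `urn:ietf:params:oauth:grant-type:token-exchange` (RFC 8693 section 2.1). Narrowing the property to that string literal type, or at least documenting the required value in a comment above the property, lets the compiler catch callers that pass something else instead of letting the request fail at the server.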
I don't know if the spec lays these out clearly, but I like to pull whatever text they have (if of appropriate value and length) to include in comments above the interface properties. Like:
/**
* REQUIRED. The value "urn:ietf:params:oauth:grant-type:token-exchange" indicates that a token exchange is being performed.
*/
grantType: string;
Done
src/auth/stscredentials.ts
actor_token_type?: string; | ||
client_id?: string; | ||
client_secret?: string; | ||
[key: string]: string | undefined; |
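Review bot: the trailing index signature `[key: string]: string | undefined;` turns this options type into an open property bag: any misspelled or unknown key type-checks, and every declared property is forced to be a string or undefined. If only one non-standard field is needed beyond the spec-defined ones, declare it explicitly and drop the index signature so that typos in option names are caught at compile time rather than sent to the token endpoint.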
That is less than ideal :/ It effectively means any string key is valid here with a string value. Is this really an open property bag?
Ok. Currently there is only one non-standard field here. I manually added it.
opts | ||
); | ||
// Successful response. | ||
const stsSuccessfulResponse = response.data; |
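Review bot: `const stsSuccessfulResponse = response.data;` treats whatever body the server returned as a successful token exchange response without checking its shape. A 2xx with an unexpected body (for example one missing `access_token`, `issued_token_type` or `token_type`) would propagate an undefined token into callers; validate the required members of the RFC 8693 section 2.2.1 response here and throw a descriptive error if they are absent.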
I'm curious - why return the response object along with the data?
Mostly following the existing pattern established here and elsewhere in that file.
} catch (error) { | ||
// Translate error to OAuthError. | ||
if (error.response) { | ||
throw getErrorFromOAuthErrorResponse( |
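Review bot: `throw getErrorFromOAuthErrorResponse(` replaces the caught `error` with whatever that helper constructs, so unless the helper copies the original error's properties and stack onto its result, the stack trace of the failing request is lost; have the translation keep the original error object (or at least its `stack`) and only rewrite the message. Also confirm that the path taken when `error.response` is absent (network failures, timeouts) still rethrows, so no failure is silently swallowed inside this catch.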
Just to double check - does this method create a new Error, or modify the message on the existing one? I want to be careful about not creating a new error, because we want to preserve the original stack trace.
It was creating a new error and not preserving the original error data. I have extended this to preserve the original error data (including stack) but to modify the error message.
Extends `getErrorFromOAuthErrorResponse` to preserve the original error properties.
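The behaviour settled on in the exchange above (keep the original error object, its properties and its stack, and only rewrite the message) can be demonstrated in a few lines. The following is an added example written for this page, not code from google-auth-library-nodejs; the names `OAuthErrorResponse`, `OAuthError`, `isOAuthErrorResponse`, `formatOAuthErrorMessage`, `getErrorFromOAuthErrorResponse` and `translateHttpError` are hypothetical, the response body shape follows RFC 6749 section 5.2, and the type guard is an extra check so that a non-JSON or empty error body is never misreported as an OAuth error.

```typescript
// Added example, not code from google-auth-library-nodejs. Shows how to
// translate an OAuth 2.0 error response into a typed error while keeping the
// original error object, its properties and its stack trace. All names here
// are hypothetical.

/** Body of an OAuth 2.0 error response (RFC 6749 section 5.2). */
interface OAuthErrorResponse {
  error: string;
  error_description?: string;
  error_uri?: string;
}

/** The original Error, augmented with the parsed OAuth error fields. */
interface OAuthError extends Error {
  code: string;
  description?: string;
  uri?: string;
}

/**
 * Type guard: a body is only treated as an OAuth error response if it has the
 * required string `error` member. An HTML error page, an empty body or a
 * proxy's JSON in some other shape therefore falls through untouched.
 */
function isOAuthErrorResponse(data: unknown): data is OAuthErrorResponse {
  if (typeof data !== 'object' || data === null) {
    return false;
  }
  const body = data as Record<string, unknown>;
  return typeof body.error === 'string';
}

/** Builds the human-readable message from the error response fields. */
function formatOAuthErrorMessage(resp: OAuthErrorResponse): string {
  let message = `Error code ${resp.error}`;
  if (resp.error_description) {
    message += `: ${resp.error_description}`;
  }
  if (resp.error_uri) {
    message += ` - ${resp.error_uri}`;
  }
  return message;
}

/**
 * Translates an OAuth error response into an OAuthError. When an original
 * error is supplied it is mutated and returned rather than replaced, so every
 * property it carried (including `stack`) survives. Only the message changes,
 * and the first line of the stack is rewritten to match the new message; the
 * frames below it are left exactly as they were.
 */
function getErrorFromOAuthErrorResponse(
  resp: OAuthErrorResponse,
  originalError?: Error
): OAuthError {
  const message = formatOAuthErrorMessage(resp);
  const err = (originalError ?? new Error(message)) as OAuthError;
  if (originalError) {
    // V8 stacks start with "<name>: <message>"; swap that header only.
    const oldHeader = `${err.name}: ${err.message}`;
    const newHeader = `${err.name}: ${message}`;
    if (typeof err.stack === 'string' && err.stack.startsWith(oldHeader)) {
      err.stack = newHeader + err.stack.slice(oldHeader.length);
    }
    err.message = message;
  }
  err.code = resp.error;
  if (resp.error_description !== undefined) {
    err.description = resp.error_description;
  }
  if (resp.error_uri !== undefined) {
    err.uri = resp.error_uri;
  }
  return err;
}

/**
 * Caller side: an HTTP client error that carries a parsed response body is
 * translated; anything else (network failure, timeout, non-OAuth body) is
 * returned unchanged so the caller can rethrow it and nothing is swallowed.
 */
function translateHttpError(
  httpError: Error & {response?: {data?: unknown}}
): Error {
  const body = httpError.response?.data;
  if (isOAuthErrorResponse(body)) {
    return getErrorFromOAuthErrorResponse(body, httpError);
  }
  return httpError;
}
```

The key design choice is that `getErrorFromOAuthErrorResponse` returns the very object it was given: `translated === original` holds, so any property the HTTP client attached (status, config, response) is still there for logging, and the stack frames still point at the request that failed rather than at the translation helper.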
@bojeil-google if you rebase with
feat: implements the OAuth token exchange spec based on rfc8693 (#1026)
feat: defines ExternalAccountClient abstract class for external_account credentials (#1030)
feat: adds service account impersonation to `ExternalAccountClient` (#1041)
feat: defines `IdentityPoolClient` used for K8s and Azure workloads (#1042)
feat: implements AWS signature version 4 for signing requests (#1047)
feat: defines `ExternalAccountClient` used to instantiate external account clients (#1050)
feat!: integrates external_accounts with `GoogleAuth` and ADC (#1052)
feat: adds text/json credential_source support to IdentityPoolClients (#1059)
feat: get AWS region from environment variable (#1067)
Co-authored-by: Wilfred van der Deijl <wilfred@vanderdeijl.com>
Co-authored-by: Benjamin E. Coe <bencoe@google.com>
Implements an internal utility for exchanging OAuth tokens using the rfc/8693 spec.