Use an OAuth 2.0 access token for Domain-Wide Delegation (#388)

Fixes https://github.com/google-github-actions/auth/issues/387
2024-02-05 11:27:46 -05:00 · 2024-02-05 11:27:46 -05:00 · b4f4057a10
commit b4f4057a10
parent 39c96a3f1d
4 changed files with 13 additions and 10 deletions
--- a/dist/main/index.js
+++ b/dist/main/index.js
--- a/src/client/iamcredentials.ts
+++ b/src/client/iamcredentials.ts
@ -139,7 +139,7 @@ export class IAMCredentialsClient extends Client {
      method: `POST`,
      path: pth,
      headers: headers,
-      body: body,
+      body: body.toString(),
    });

    try {
@ -149,8 +149,8 @@ export class IAMCredentialsClient extends Client {
      if (statusCode < 200 || statusCode > 299) {
        throw new Error(`Failed to call ${pth}: HTTP ${statusCode}: ${respBody || '[no body]'}`);
      }
-      const parsed = JSON.parse(respBody) as { accessToken: string };
-      return parsed.accessToken;
+      const parsed = JSON.parse(respBody) as { access_token: string };
+      return parsed.access_token;
    } catch (err) {
      const msg = errorMessage(err);
      throw new Error(
--- a/src/client/workload_identity_federation.ts
+++ b/src/client/workload_identity_federation.ts
@ -80,7 +80,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
    const logger = this._logger.withNamespace(`getToken`);

    const now = new Date().getTime();
-    if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt > 60_000) {
+    if (this.#cachedToken && this.#cachedAt && now - this.#cachedAt < 30_000) {
      logger.debug(`Using cached token`, {
        now: now,
        cachedAt: this.#cachedAt,
@ -141,7 +141,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
    const pth = `${this._endpoints.iamcredentials}/projects/-/serviceAccounts/${this.#serviceAccount}:signJwt`;

    const headers = {
-      Authorization: `Bearer ${this.getToken()}`,
+      Authorization: `Bearer ${await this.getToken()}`,
    };

    const body = {
--- a/src/main.ts
+++ b/src/main.ts
@ -253,11 +253,14 @@ export async function run(logger: Logger) {
          );
        }

+        let accessToken: string;
+
        // If a subject was provided, use the traditional OAuth 2.0 flow to
        // perform Domain-Wide Delegation. Otherwise, use the modern IAM
        // Credentials endpoints.
-        let accessToken;
        if (accessTokenSubject) {
+          logger.debug(`Using Domain-Wide Delegation flow`);
+
          if (accessTokenLifetime > 3600) {
            logger.info(
              `An access token subject was specified, triggering Domain-Wide ` +
@ -273,10 +276,10 @@ export async function run(logger: Logger) {
            accessTokenLifetime,
          );
          const signedJWT = await client.signJWT(unsignedJWT);
-
          accessToken =
            await iamCredentialsClient.generateDomainWideDelegationAccessToken(signedJWT);
        } else {
+          logger.debug(`Using normal access token flow`);
          accessToken = await iamCredentialsClient.generateAccessToken({
            serviceAccount,
            delegates,