diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index 27d67f809..201fdf593 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -1018,7 +1018,8 @@ public Map> getRequestMetadata(URI uri) throws IOException
 // If scopes are provided but we cannot use self signed JWT, then use scopes to get access
 // token.
- if (!createScopedRequired() && !useJwtAccessWithScope) {
+ if ((!createScopedRequired() && !useJwtAccessWithScope)
+ || (serviceAccountUser != null && serviceAccountUser.length() > 0)) {
 return super.getRequestMetadata(uri);
 }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 803d4fc8f..1e0be6b3f 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -1355,7 +1355,6 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
 .setPrivateKey(privateKey)
 .setPrivateKeyId(PRIVATE_KEY_ID)
 .setScopes(SCOPES)
- .setServiceAccountUser(USER)
 .setProjectId(PROJECT_ID)
 .setHttpTransportFactory(new MockTokenServerTransportFactory())
 .setUseJwtAccessWithScope(true)
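Review bot: The new disjunct `serviceAccountUser != null && serviceAccountUser.length() > 0` is not gated on scopes being configured, so a credential built with a service account user but no scopes now reaches `super.getRequestMetadata(uri)` even though `createScopedRequired()` is true, whereas before this change that combination produced a self-signed JWT for `uri`; it is worth confirming that the token-endpoint refresh does something sensible without scopes (or fails early with an explicit IOException) and adding a test for that case, since the new test in ServiceAccountCredentialsTest only covers the scoped variant. The comment above the condition still describes only the scopes case and no longer matches the code; presumably the intent is that a delegated user can only be honored by the token endpoint, and if so I would extend it with `// A configured serviceAccountUser (domain-wide delegation) always goes through the token endpoint.`. `!serviceAccountUser.isEmpty()` reads more directly than `length() > 0`. getRequestMetadata begins and ends outside this hunk.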
@@ -1366,7 +1365,11 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
 }
 @Test
- public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
+ public void refreshAccessToken_withDomainDelegation_selfSignedJWT_disabled() throws IOException {
+ final String accessToken1 = "1/MkSJoj1xsli0AccessToken_NKPY2";
+ final String accessToken2 = "2/MkSJoj1xsli0AccessToken_NKPY2";
+ MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+ MockTokenServerTransport transport = transportFactory.transport;
 PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
 GoogleCredentials credentials =
 ServiceAccountCredentials.newBuilder()
@@ -1374,8 +1377,39 @@ public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
 .setClientEmail(CLIENT_EMAIL)
 .setPrivateKey(privateKey)
 .setPrivateKeyId(PRIVATE_KEY_ID)
+ .setScopes(SCOPES)
 .setServiceAccountUser(USER)
 .setProjectId(PROJECT_ID)
+ .setHttpTransportFactory(transportFactory)
+ .setUseJwtAccessWithScope(true)
+ .build();
+
+ transport.addServiceAccount(CLIENT_EMAIL, accessToken1);
+ Map> metadata = credentials.getRequestMetadata(CALL_URI);
+ TestUtils.assertContainsBearerToken(metadata, accessToken1);
+
+ try {
+ verifyJwtAccess(metadata, "dummy.scope");
+ fail("jwt access should fail with ServiceAccountUser");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ transport.addServiceAccount(CLIENT_EMAIL, accessToken2);
+ credentials.refresh();
+ TestUtils.assertContainsBearerToken(credentials.getRequestMetadata(CALL_URI), accessToken2);
+ }
+
+ @Test
+ public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
+ PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
+ GoogleCredentials credentials =
+ ServiceAccountCredentials.newBuilder()
+ .setClientId(CLIENT_ID)
+ .setClientEmail(CLIENT_EMAIL)
+ .setPrivateKey(privateKey)
+ .setPrivateKeyId(PRIVATE_KEY_ID)
+ .setProjectId(PROJECT_ID)
 .setHttpTransportFactory(new MockTokenServerTransportFactory())
 .build();
@@ -1393,7 +1427,6 @@ public void getRequestMetadata_selfSignedJWT_withDefaultScopes() throws IOExcept
 .setPrivateKey(privateKey)
 .setPrivateKeyId(PRIVATE_KEY_ID)
 .setScopes(null, SCOPES)
- .setServiceAccountUser(USER)
 .setProjectId(PROJECT_ID)
 .setHttpTransportFactory(new MockTokenServerTransportFactory())
 .setUseJwtAccessWithScope(true)
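Review bot: `catch (Exception ex)` in the new `refreshAccessToken_withDomainDelegation_selfSignedJWT_disabled` treats any exception out of `verifyJwtAccess` — a NullPointerException from the helper as much as a deliberate "not a JWT" failure — as proof that the self-signed JWT path was skipped, so the negative check can pass for the wrong reason. Catch the specific type `verifyJwtAccess` throws for a non-JWT bearer value (its declaration is outside this hunk) or assert on `ex` inside the block instead of leaving `// expected`; `fail(...)` throws an AssertionError, which the catch correctly does not intercept, so narrowing the type keeps that behavior. The positive assertions via `TestUtils.assertContainsBearerToken` with `accessToken1` and, after `refresh()`, `accessToken2` are what actually pin the access-token flow and are fine as written. The test method's opening lines are in the preceding hunk.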
@@ -1412,7 +1445,6 @@ public void getRequestMetadataWithCallback_selfSignedJWT() throws IOException {
 .setClientEmail(CLIENT_EMAIL)
 .setPrivateKey(privateKey)
 .setPrivateKeyId(PRIVATE_KEY_ID)
- .setServiceAccountUser(USER)
 .setProjectId(PROJECT_ID)
 .setQuotaProjectId("my-quota-project-id")
 .setHttpTransportFactory(new MockTokenServerTransportFactory())
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/TokenVerifierTest.java b/oauth2_http/javatests/com/google/auth/oauth2/TokenVerifierTest.java
index 7255be4c3..e779828ff 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/TokenVerifierTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/TokenVerifierTest.java
@@ -242,8 +242,6 @@ public void verifyRs256TokenWithLegacyCertificateUrlFormat()
 @Test
 public void verifyServiceAccountRs256Token()
 throws TokenVerifier.VerificationException, IOException {
- HttpTransportFactory httpTransportFactory =
- mockTransport(SERVICE_ACCOUNT_CERT_URL, readResourceAsString("service_account_keys.json"));
 TokenVerifier tokenVerifier =
 TokenVerifier.newBuilder()
 .setClock(FIXED_CLOCK)