feat: allow scopes for self signed jwt (#689)

* feat: self signed jwt support

* update

* address comments

* allow to use uri as audience

* address comments

oauth2_http/java/com/google/auth/oauth2/JwtClaims.java

@@ -106,7 +106,9 @@ public JwtClaims merge(JwtClaims other) {
    * @return true if all required fields have been set; false otherwise
    */
   public boolean isComplete() {
-    return getAudience() != null && getIssuer() != null && getSubject() != null;
+    boolean hasScopes =
+        getAdditionalClaims().containsKey("scope") && !getAdditionalClaims().get("scope").isEmpty();
+    return (getAudience() != null || hasScopes) && getIssuer() != null && getSubject() != null;
   }
 
   @AutoValue.Builder

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -77,6 +77,7 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
@@ -109,9 +110,9 @@ public class ServiceAccountCredentials extends GoogleCredentials
   private final Collection<String> defaultScopes;
   private final String quotaProjectId;
   private final int lifetime;
+  private final boolean useJwtAccessWithScope;
 
   private transient HttpTransportFactory transportFactory;
-  private transient ServiceAccountJwtAccessCredentials jwtCredentials = null;
 
   /**
    * Constructor with minimum identifying information and custom HTTP transport.
@@ -133,6 +134,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
    *     most 43200 (12 hours). If the token is used for calling a Google API, then the value should
    *     be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used
    *     when creating the credentials.
+   * @param useJwtAccessWithScope whether self signed JWT with scopes should be always used.
    */
   ServiceAccountCredentials(
       String clientId,
@@ -146,7 +148,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
       String serviceAccountUser,
       String projectId,
       String quotaProjectId,
-      int lifetime) {
+      int lifetime,
+      boolean useJwtAccessWithScope) {
     this.clientId = clientId;
     this.clientEmail = Preconditions.checkNotNull(clientEmail);
     this.privateKey = Preconditions.checkNotNull(privateKey);
@@ -167,18 +170,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
       throw new IllegalStateException("lifetime must be less than or equal to 43200");
     }
     this.lifetime = lifetime;
-
-    // Use self signed JWT if scopes is not set, see https://google.aip.dev/auth/4111.
-    if (this.scopes.isEmpty()) {
-      jwtCredentials =
-          new ServiceAccountJwtAccessCredentials.Builder()
-              .setClientEmail(clientEmail)
-              .setClientId(clientId)
-              .setPrivateKey(privateKey)
-              .setPrivateKeyId(privateKeyId)
-              .setQuotaProjectId(quotaProjectId)
-              .build();
-    }
+    this.useJwtAccessWithScope = useJwtAccessWithScope;
   }
 
   /**
@@ -492,7 +484,8 @@ static ServiceAccountCredentials fromPkcs8(
         serviceAccountUser,
         projectId,
         quotaProject,
-        DEFAULT_LIFETIME_IN_SECONDS);
+        DEFAULT_LIFETIME_IN_SECONDS,
+        false);
   }
 
   /** Helper to convert from a PKCS#8 String to an RSA private key */
@@ -698,7 +691,8 @@ public GoogleCredentials createScoped(
         serviceAccountUser,
         projectId,
         quotaProjectId,
-        lifetime);
+        lifetime,
+        useJwtAccessWithScope);
   }
 
   /**
@@ -714,6 +708,16 @@ public ServiceAccountCredentials createWithCustomLifetime(int lifetime) {
     return this.toBuilder().setLifetime(lifetime).build();
   }
 
+  /**
+   * Clones the service account with a new useJwtAccessWithScope value.
+   *
+   * @param useJwtAccessWithScope whether self signed JWT with scopes should be used
+   * @return the cloned service account credentials with the given useJwtAccessWithScope
+   */
+  public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean useJwtAccessWithScope) {
+    return this.toBuilder().setUseJwtAccessWithScope(useJwtAccessWithScope).build();
+  }
+
   @Override
   public GoogleCredentials createDelegated(String user) {
     return new ServiceAccountCredentials(
@@ -728,7 +732,8 @@ public GoogleCredentials createDelegated(String user) {
         user,
         projectId,
         quotaProjectId,
-        lifetime);
+        lifetime,
+        useJwtAccessWithScope);
   }
 
   public final String getClientId() {
@@ -776,6 +781,10 @@ int getLifetime() {
     return lifetime;
   }
 
+  public boolean getUseJwtAccessWithScope() {
+    return useJwtAccessWithScope;
+  }
+
   @Override
   public String getAccount() {
     return getClientEmail();
@@ -833,7 +842,8 @@ public int hashCode() {
         scopes,
         defaultScopes,
         quotaProjectId,
-        lifetime);
+        lifetime,
+        useJwtAccessWithScope);
   }
 
   @Override
@@ -849,6 +859,7 @@ public String toString() {
         .add("serviceAccountUser", serviceAccountUser)
         .add("quotaProjectId", quotaProjectId)
         .add("lifetime", lifetime)
+        .add("useJwtAccessWithScope", useJwtAccessWithScope)
         .toString();
   }
 
@@ -867,7 +878,8 @@ public boolean equals(Object obj) {
         && Objects.equals(this.scopes, other.scopes)
         && Objects.equals(this.defaultScopes, other.defaultScopes)
         && Objects.equals(this.quotaProjectId, other.quotaProjectId)
-        && Objects.equals(this.lifetime, other.lifetime);
+        && Objects.equals(this.lifetime, other.lifetime)
+        && Objects.equals(this.useJwtAccessWithScope, other.useJwtAccessWithScope);
   }
 
   String createAssertion(JsonFactory jsonFactory, long currentTime, String audience)
@@ -937,11 +949,58 @@ String createAssertionForIdToken(
     }
   }
 
+  /**
+   * Self signed JWT uses uri as audience, which should have the "https://{host}/" format. For
+   * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
+   * function returns "https://compute.googleapis.com/".
+   */
+  @VisibleForTesting
+  static URI getUriForSelfSignedJWT(URI uri) {
+    if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
+      return uri;
+    }
+    try {
+      return new URI(uri.getScheme(), uri.getHost(), "/", null);
+    } catch (URISyntaxException unused) {
+      return uri;
+    }
+  }
+
+  @VisibleForTesting
+  JwtCredentials createSelfSignedJwtCredentials(final URI uri) {
+    // Create a JwtCredentials for self signed JWT. See https://google.aip.dev/auth/4111.
+    JwtClaims.Builder claimsBuilder =
+        JwtClaims.newBuilder().setIssuer(clientEmail).setSubject(clientEmail);
+
+    if (uri == null) {
+      // If uri is null, use scopes.
+      String scopeClaim = "";
+      if (!scopes.isEmpty()) {
+        scopeClaim = Joiner.on(' ').join(scopes);
+      } else {
+        scopeClaim = Joiner.on(' ').join(defaultScopes);
+      }
+      claimsBuilder.setAdditionalClaims(Collections.singletonMap("scope", scopeClaim));
+    } else {
+      // otherwise, use audience with the uri.
+      claimsBuilder.setAudience(getUriForSelfSignedJWT(uri).toString());
+    }
+    return JwtCredentials.newBuilder()
+        .setPrivateKey(privateKey)
+        .setPrivateKeyId(privateKeyId)
+        .setJwtClaims(claimsBuilder.build())
+        .setClock(clock)
+        .build();
+  }
+
   @Override
   public void getRequestMetadata(
       final URI uri, Executor executor, final RequestMetadataCallback callback) {
-    if (jwtCredentials != null && uri != null) {
-      jwtCredentials.getRequestMetadata(uri, executor, callback);
+    if (useJwtAccessWithScope) {
+      // This will call getRequestMetadata(URI uri), which handles self signed JWT logic.
+      // Self signed JWT doesn't use network, so here we do a blocking call to improve
+      // efficiency. executor will be ignored since it is intended for async operation.
+      blockingGetToCallback(uri, callback);
     } else {
       super.getRequestMetadata(uri, executor, callback);
     }
@@ -950,17 +1009,31 @@ public void getRequestMetadata(
   /** Provide the request metadata by putting an access JWT directly in the metadata. */
   @Override
   public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
-    if (scopes.isEmpty() && defaultScopes.isEmpty() && uri == null) {
+    if (createScopedRequired() && uri == null) {
       throw new IOException(
-          "Scopes and uri are not configured for service account. Either pass uri"
-              + " to getRequestMetadata to use self signed JWT, or specify the scopes"
-              + " by calling createScoped or passing scopes to constructor.");
+          "Scopes and uri are not configured for service account. Specify the scopes"
+              + " by calling createScoped or passing scopes to constructor or"
+              + " providing uri to getRequestMetadata.");
     }
-    if (jwtCredentials != null && uri != null) {
-      return jwtCredentials.getRequestMetadata(uri);
-    } else {
+
+    // If scopes are provided but we cannot use self signed JWT, then use scopes to get access
+    // token.
+    if (!createScopedRequired() && !useJwtAccessWithScope) {
       return super.getRequestMetadata(uri);
     }
+
+    // If scopes are provided and self signed JWT can be used, use self signed JWT with scopes.
+    // Otherwise, use self signed JWT with uri as the audience.
+    JwtCredentials jwtCredentials;
+    if (!createScopedRequired() && useJwtAccessWithScope) {
+      // Create JWT credentials with the scopes.
+      jwtCredentials = createSelfSignedJwtCredentials(null);
+    } else {
+      // Create JWT credentials with the uri as audience.
+      jwtCredentials = createSelfSignedJwtCredentials(uri);
+    }
+    Map<String, List<String>> requestMetadata = jwtCredentials.getRequestMetadata(null);
+    return addQuotaProjectIdToRequestMetadata(quotaProjectId, requestMetadata);
   }
 
   @SuppressWarnings("unused")
@@ -997,6 +1070,7 @@ public static class Builder extends GoogleCredentials.Builder {
     private HttpTransportFactory transportFactory;
     private String quotaProjectId;
     private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;
+    private boolean useJwtAccessWithScope = false;
 
     protected Builder() {}
 
@@ -1013,6 +1087,7 @@ protected Builder(ServiceAccountCredentials credentials) {
       this.projectId = credentials.projectId;
       this.quotaProjectId = credentials.quotaProjectId;
       this.lifetime = credentials.lifetime;
+      this.useJwtAccessWithScope = credentials.useJwtAccessWithScope;
     }
 
     public Builder setClientId(String clientId) {
@@ -1077,6 +1152,11 @@ public Builder setLifetime(int lifetime) {
       return this;
     }
 
+    public Builder setUseJwtAccessWithScope(boolean useJwtAccessWithScope) {
+      this.useJwtAccessWithScope = useJwtAccessWithScope;
+      return this;
+    }
+
     public String getClientId() {
       return clientId;
     }
@@ -1125,6 +1205,10 @@ public int getLifetime() {
       return lifetime;
     }
 
+    public boolean getUseJwtAccessWithScope() {
+      return useJwtAccessWithScope;
+    }
+
     public ServiceAccountCredentials build() {
       return new ServiceAccountCredentials(
           clientId,
@@ -1138,7 +1222,8 @@ public ServiceAccountCredentials build() {
           serviceAccountUser,
           projectId,
           quotaProjectId,
-          lifetime);
+          lifetime,
+          useJwtAccessWithScope);
     }
   }
 }

oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java

@@ -54,7 +54,6 @@
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
@@ -332,35 +331,17 @@ public boolean hasRequestMetadataOnly() {
     return true;
   }
 
-  /**
-   * Self signed JWT uses uri as audience, which should have the "https://{host}/" format. For
-   * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
-   * function returns "https://compute.googleapis.com/".
-   */
-  @VisibleForTesting
-  static URI getUriForSelfSignedJWT(URI uri) {
-    if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
-      return uri;
-    }
-    try {
-      return new URI(uri.getScheme(), uri.getHost(), "/", null);
-    } catch (URISyntaxException unused) {
-      return uri;
-    }
-  }
-
   @Override
   public void getRequestMetadata(
       final URI uri, Executor executor, final RequestMetadataCallback callback) {
     // It doesn't use network. Only some CPU work on par with TLS handshake. So it's preferrable
     // to do it in the current thread, which is likely to be the network thread.
-    blockingGetToCallback(getUriForSelfSignedJWT(uri), callback);
+    blockingGetToCallback(uri, callback);
   }
 
   /** Provide the request metadata by putting an access JWT directly in the metadata. */
   @Override
   public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
-    uri = getUriForSelfSignedJWT(uri);
     if (uri == null) {
       if (defaultAudience != null) {
         uri = defaultAudience;

oauth2_http/javatests/com/google/auth/oauth2/JwtClaimsTest.java

@@ -136,4 +136,16 @@ public void testMergeAdditionalClaims() {
     assertEquals("bar", mergedAdditionalClaims.get("foo"));
     assertEquals("qwer", mergedAdditionalClaims.get("asdf"));
   }
+
+  @Test
+  public void testIsComplete() {
+    // Test JwtClaim is complete if audience is not set but scope is provided.
+    JwtClaims claims =
+        JwtClaims.newBuilder()
+            .setIssuer("issuer-1")
+            .setSubject("subject-1")
+            .setAdditionalClaims(Collections.singletonMap("scope", "foo"))
+            .build();
+    assertTrue(claims.isComplete());
+  }
 }