feat: add IDTokenCredential support

[salrashid123]

Fixes #99

Adds support for IDTokens into google-auth-java for ServiceAccountCredentials, ComuteEngineCredentials and ImpersonatedCredentials

GCP users currently have to do these steps manually and outside of google-auth-java:
ref: https://github.com/salrashid123/salrashid123.github.io/tree/master/google_id_token#java
this change wraps the various flows into the library

I do not have any testcases here. I'm submitting this first for review of the api surface. Usage for this change is shown here:
#99 (comment)

[salrashid123]

ok, i've addressed some of the request and left a bunch unsolved with this commit as they are relaed to the bit mentioned here:

The biggest thing is if

public class IdToken extends AccessToken

is the best way or not

The IdToken a bit different than AccessToken...the former is a readable jwt token that customers can readily use as-is in an authorized http transport as shown below or with any third party http transport library by coaxing out the token credential.getAccessToken() and then attaching it manually to an Authorization: Bearer header.

However, customers will also want to evaluate and inspect claims embedded within the token (expiration, the aud: field, etc)

  public JsonWebSignature getJsonWebSignature() {
    return jws;
  }

for example

System.out.println(tokenCredential.getIdToken().getTokenValue());
System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudienceAsList());
System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getExpirationTimeSeconds());

in that way, the AccessToken and IdToken diverge and thats why i set them up different.

FWIW, he only reason i extended AccessToken is so that i can plumb it inot a Credential object for use like this

// Invoke the API
GenericUrl genericUrl = new GenericUrl("https://myapp-6w42z6vi3q-uc.a.run.app");
HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(tokenCredential);
HttpTransport transport = new NetHttpTransport();
HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
request.setThrowExceptionOnExecuteError(false);
HttpResponse response = request.execute();

note, an IdToken cannot currently be used against a GCP service like GCS, Pub/Sub (a self-issued JWTAccessToken can be, however...(some conjecture on my part: i suspect someday a googleissued ID token can be used in a similar way to JWTAccessToken to interact with a googleAPI...)

• I've removed IdTokenProvider.IdTokenProviderException. LMK if it shoudl remain (i bubble everything via IOException)

@broady

[chingor13]

FWIW, he only reason i extended AccessToken is so that i can plumb it into a Credential object for use like this

The IdTokenCredential can be used in the HttpCredentialsAdapter and should be setting the "Authorization: Bearer [tokenValue]" header if installed as a HttpRequestInitializer.

[chingor13]

As for whether IdToken should extend AccessToken, OpenID Connect extends OAuth 2.0 so an IdToken is probably find extending AccessToken.

Perhaps IdTokenCredentials should extend OAuth2Credentials instead of GoogleCredentials given that it's not currently able to be used against Google services and you cannot call createScoped or createDelegated.

[salrashid123]

ok, i changed to

public class IdTokenCredentials extends OAuth2Credentials {

and verified the credentials are usable in the same way. I also see the raw token accessible in a couple ways:

System.out.println(tokenCredential.getAccessToken().getTokenValue());               
System.out.println(tokenCredential.getIdToken().getTokenValue());
System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudienceAsList());
System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getExpirationTimeSeconds());

[elharo]

Lots of style nits (not all called out) and one substantive comment

[elharo]

not for this PR, but this looks really wonky. Note to myself: can this possibly be correct?

[elharo]

should this be any 200 level response?

[salrashid123]

i'm not absolutely sure but i've never seen responses range 2xx from this api layer:
ref: https://cloud.google.com/apis/design/errors#handling_errors
but storage mentions a bit of that here: https://cloud.google.com/storage/docs/json_api/v1/status-codes

(the google apis endpoint iamcredentials uses is older one (similar to drive api, calendar api, etc)

[elharo]

Since we're unlikely to get the API perfect on the first try, we should mark this @beta to give ourselves flexibility to change it in the next couple of releases.

[chingor13]

Looking good! Mostly nits, however, can we add some tests on the IAMUtils error handling

[elharo]

I don't have any major concerns or objections to this if you're both happy with it. Main thing is that everything is marked @beta so we can and will change it if we find we didn't get it quite right the first time, which we almost never do of course. :-)

[salrashid123]

ok,i reverified all the credential types work as intended;

• checked refresh works (ie., init one credential, use it, sleep for 1 hr then resuse the credential)

Note, the UserCredentials (ones based on an enduser three legged auth), does not implement the required interface so the cast won't work

GoogleCredentials adcCreds = GoogleCredentials.getApplicationDefault();              
IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
                         .setIdTokenProvider((IdTokenProvider) adcCreds)
                         .setTargetAudience(targetAudience).build();

will throw

Caused by: java.lang.ClassCastException: class com.google.auth.oauth2.UserCredentials cannot be cast to class com.google.auth.oauth2.IdTokenProvider (com.google.auth.oauth2.UserCredentials and com.google.auth.oauth2.IdTokenProvider are in unnamed module of loader java.net.URLClassLoader @6345dc06)

(unless ofcourse the GoogleCredential is internally a ServiceAccountCredential. Thid'd be working as intended though)

[salrashid123]

thanks; final note, you can use these id_tokens now directly inside gRPC channel credentials

https://github.com/salrashid123/grpc_google_id_tokens/blob/master/java/src/main/java/com/test/TestApp.java#L62

(i'll update my sample there once this change is live and shipped in a release)