feat: Adds support for STS response not returning expires_in field.

src/auth/baseexternalclient.ts

@@ -378,10 +378,13 @@ export abstract class BaseExternalAccountClient extends AuthClient {
         stsResponse.access_token
       );
     } else {
+      const expireDate = stsResponse.expires_in
+        ? new Date().getTime() + stsResponse.expires_in * 1000
+        : null;
       // Save response in cached access token.
       this.cachedAccessToken = {
         access_token: stsResponse.access_token,
-        expiry_date: new Date().getTime() + stsResponse.expires_in * 1000,
+        expiry_date: expireDate,
         res: stsResponse.res,
       };
     }

src/auth/downscopedclient.ts

@@ -214,10 +214,15 @@ export class DownscopedClient extends AuthClient {
       this.credentialAccessBoundary
     );
 
+    const sourceCredExpireDate =
+      this.authClient.credentials?.expiry_date || null;
+    const expiryDate = stsResponse.expires_in
+      ? new Date().getTime() + stsResponse.expires_in * 1000
+      : sourceCredExpireDate;
     // Save response in cached access token.
     this.cachedDownscopedAccessToken = {
       access_token: stsResponse.access_token,
-      expiry_date: new Date().getTime() + stsResponse.expires_in * 1000,
+      expiry_date: expiryDate,
       res: stsResponse.res,
     };
 

src/auth/stscredentials.ts

@@ -120,7 +120,7 @@ export interface StsSuccessfulResponse {
   access_token: string;
   issued_token_type: string;
   token_type: string;
-  expires_in: number;
+  expires_in?: number;
   refresh_token?: string;
   scope: string;
   res?: GaxiosResponse | null;

test/test.baseexternalclient.ts

@@ -1053,6 +1053,74 @@ describe('BaseExternalAccountClient', () => {
         scopes.forEach(scope => scope.done());
       });
 
+      it('should return credential with no expiry date if STS response does not return one', async () => {
+        clock = sinon.useFakeTimers(0);
+        const now = new Date().getTime();
+        const customThresh = 10 * 1000;
+        const stsSuccessfulResponse2 = Object.assign({}, stsSuccessfulResponse);
+        delete stsSuccessfulResponse2.expires_in;
+        const credentials = {
+          access_token: 'ACCESS_TOKEN',
+          expiry_date: now + ONE_HOUR_IN_SECS * 1000,
+        };
+
+        const scope = mockStsTokenExchange([
+          {
+            statusCode: 200,
+            response: stsSuccessfulResponse2,
+            request: {
+              grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+              audience,
+              scope: 'https://www.googleapis.com/auth/cloud-platform',
+              requested_token_type:
+                'urn:ietf:params:oauth:token-type:access_token',
+              subject_token: 'subject_token_0',
+              subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
+            },
+          },
+        ]);
+
+        const client = new TestExternalAccountClient(
+          externalAccountOptionsWithCreds,
+          {
+            // Override 5min threshold with 10 second threshold.
+            eagerRefreshThresholdMillis: customThresh,
+          }
+        );
+        client.setCredentials(credentials);
+        const actualResponse = await client.getAccessToken();
+
+        delete actualResponse.res;
+        assert.deepStrictEqual(actualResponse, {
+          token: credentials.access_token,
+        });
+
+        // Cached credential should be returned.
+        clock.tick(ONE_HOUR_IN_SECS * 1000 - customThresh - 1);
+        const actualCachedResponse = await client.getAccessToken();
+
+        delete actualCachedResponse.res;
+        assert.deepStrictEqual(actualCachedResponse, {
+          token: credentials.access_token,
+        });
+
+        // Simulate credential is expired.
+        // As current time is equal to expirationTime - customThresh,
+        // refresh should be triggered.
+        clock.tick(1);
+        const actualNewCredResponse = await client.getAccessToken();
+
+        // Confirm raw GaxiosResponse appended to response.
+        assertGaxiosResponsePresent(actualNewCredResponse);
+        delete actualNewCredResponse.res;
+        assert.deepStrictEqual(actualNewCredResponse, {
+          token: stsSuccessfulResponse2.access_token,
+        });
+        assert.deepStrictEqual(client.credentials.expiry_date, null);
+
+        scope.done();
+      });
+
       it('should apply basic auth when credentials are provided', async () => {
         const scopes: nock.Scope[] = [];
         scopes.push(

test/test.downscopedclient.ts

@@ -374,6 +374,126 @@ describe('DownscopedClient', () => {
       );
       scope.done();
     });
+
+    it('should copy source cred expiry time if STS response does not return expiry time', async () => {
+      const now = new Date().getTime();
+      clock = sinon.useFakeTimers(now);
+      const sourceCredentials = client.credentials;
+      const downscopedCredentials = {
+        access_token: 'DOWNSCOPED_CLIENT_ACCESS_TOKEN',
+        expiry_date: now + ONE_HOUR_IN_SECS * 1000,
+      };
+      const stsSuccessfulResponseWithoutExpireInField = Object.assign(
+        stsSuccessfulResponse,
+        {}
+      );
+      delete stsSuccessfulResponseWithoutExpireInField.expires_in;
+      const scope = mockStsBetaTokenExchange([
+        {
+          statusCode: 200,
+          response: stsSuccessfulResponseWithoutExpireInField,
+          request: {
+            grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+            requested_token_type:
+              'urn:ietf:params:oauth:token-type:access_token',
+            subject_token: 'subject_token',
+            subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+            options:
+              testClientAccessBoundary &&
+              JSON.stringify(testClientAccessBoundary),
+          },
+        },
+      ]);
+      client.setCredentials(sourceCredentials);
+      const downscopedClient = new DownscopedClient(
+        client,
+        testClientAccessBoundary
+      );
+      assert.strictEqual(client.credentials.expiry_date, 1);
+      downscopedClient.setCredentials(downscopedCredentials);
+
+      clock.tick(ONE_HOUR_IN_SECS * 1000 - EXPIRATION_TIME_OFFSET - 1);
+      const tokenResponse = await downscopedClient.getAccessToken();
+      assert.deepStrictEqual(
+        tokenResponse.token,
+        downscopedCredentials.access_token
+      );
+
+      clock.tick(1);
+      const refreshedTokenResponse = await downscopedClient.getAccessToken();
+      assert.deepStrictEqual(
+        refreshedTokenResponse.token,
+        stsSuccessfulResponseWithoutExpireInField.access_token
+      );
+      assert.strictEqual(
+        downscopedClient.credentials.expiry_date,
+        sourceCredentials.expiry_date
+      );
+      scope.done();
+    });
+
+    it('should has no expiry date if source cred has no expiry time and STS response does not return one', async () => {
+      const now = new Date().getTime();
+      clock = sinon.useFakeTimers(now);
+      const downscopedCredentials = {
+        access_token: 'DOWNSCOPED_CLIENT_ACCESS_TOKEN',
+        expiry_date: now + ONE_HOUR_IN_SECS * 1000,
+      };
+      const credentials = {
+        access_token: 'ACCESS_TOKEN',
+      };
+      const stsSuccessfulResponseWithoutExpireInField = Object.assign(
+        stsSuccessfulResponse,
+        {}
+      );
+      delete stsSuccessfulResponseWithoutExpireInField.expires_in;
+      const scope = mockStsBetaTokenExchange([
+        {
+          statusCode: 200,
+          response: stsSuccessfulResponseWithoutExpireInField,
+          request: {
+            grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+            requested_token_type:
+              'urn:ietf:params:oauth:token-type:access_token',
+            subject_token: 'subject_token',
+            subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+            options:
+              testClientAccessBoundary &&
+              JSON.stringify(testClientAccessBoundary),
+          },
+        },
+      ]);
+
+      assert.strictEqual(client.credentials.expiry_date, 1);
+      client.setCredentials(credentials);
+      assert.strictEqual(client.credentials.expiry_date, undefined);
+
+      const downscopedClient = new DownscopedClient(
+        client,
+        testClientAccessBoundary
+      );
+      downscopedClient.setCredentials(downscopedCredentials);
+
+      clock.tick(ONE_HOUR_IN_SECS * 1000 - EXPIRATION_TIME_OFFSET - 1);
+      const tokenResponse = await downscopedClient.getAccessToken();
+      assert.deepStrictEqual(
+        tokenResponse.token,
+        downscopedCredentials.access_token
+      );
+
+      clock.tick(1);
+      const refreshedTokenResponse = await downscopedClient.getAccessToken();
+      assert.deepStrictEqual(
+        refreshedTokenResponse.token,
+        stsSuccessfulResponseWithoutExpireInField.access_token
+      );
+      assert.strictEqual(
+        downscopedClient.credentials.access_token,
+        stsSuccessfulResponseWithoutExpireInField.access_token
+      );
+      assert.strictEqual(downscopedClient.credentials.expiry_date, null);
+      scope.done();
+    });
   });
 
   describe('getRequestHeader()', () => {