feat: Adds support for STS response not returning expires_in field.

src/auth/baseexternalclient.ts

@@ -377,13 +377,19 @@ export abstract class BaseExternalAccountClient extends AuthClient {
       this.cachedAccessToken = await this.getImpersonatedAccessToken(
         stsResponse.access_token
       );
-    } else {
+    } else if (stsResponse.expires_in) {
       // Save response in cached access token.
       this.cachedAccessToken = {
         access_token: stsResponse.access_token,
         expiry_date: new Date().getTime() + stsResponse.expires_in * 1000,
         res: stsResponse.res,
       };
+    } else {
+      // Save response in cached access token.
+      this.cachedAccessToken = {
+        access_token: stsResponse.access_token,
+        res: stsResponse.res,
+      };
     }
 
     // Save credentials.

src/auth/downscopedclient.ts

@@ -262,10 +262,22 @@ export class DownscopedClient extends AuthClient {
       this.credentialAccessBoundary
     );
 
+    /**
+     * The STS endpoint will only return the expiration time for the downscoped
+     * access token if the original access token represents a service account.
+     * The downscoped token's expiration time will always match the source
+     * credential expiration. When no expires_in is returned, we can copy the
+     * source credential's expiration time.
+     */
+    const sourceCredExpireDate =
+      this.authClient.credentials?.expiry_date || null;
+    const expiryDate = stsResponse.expires_in
+      ? new Date().getTime() + stsResponse.expires_in * 1000
+      : sourceCredExpireDate;
     // Save response in cached access token.
     this.cachedDownscopedAccessToken = {
       access_token: stsResponse.access_token,
-      expiry_date: new Date().getTime() + stsResponse.expires_in * 1000,
+      expiry_date: expiryDate,
       res: stsResponse.res,
     };
 

src/auth/stscredentials.ts

@@ -120,7 +120,7 @@ export interface StsSuccessfulResponse {
   access_token: string;
   issued_token_type: string;
   token_type: string;
-  expires_in: number;
+  expires_in?: number;
   refresh_token?: string;
   scope?: string;
   res?: GaxiosResponse | null;

test/test.baseexternalclient.ts

@@ -333,6 +333,40 @@ describe('BaseExternalAccountClient', () => {
         scope.done();
       });
 
+      it('should return credential with no expiry date if STS response does not return one', async () => {
+        const stsSuccessfulResponse2 = Object.assign({}, stsSuccessfulResponse);
+        delete stsSuccessfulResponse2.expires_in;
+
+        const scope = mockStsTokenExchange([
+          {
+            statusCode: 200,
+            response: stsSuccessfulResponse2,
+            request: {
+              grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+              audience,
+              scope: 'https://www.googleapis.com/auth/cloud-platform',
+              requested_token_type:
+                'urn:ietf:params:oauth:token-type:access_token',
+              subject_token: 'subject_token_0',
+              subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
+            },
+          },
+        ]);
+
+        const client = new TestExternalAccountClient(
+          externalAccountOptionsWithCreds
+        );
+        const actualResponse = await client.getAccessToken();
+
+        // Confirm raw GaxiosResponse appended to response.
+        assertGaxiosResponsePresent(actualResponse);
+        delete actualResponse.res;
+        assert.deepStrictEqual(actualResponse, {
+          token: stsSuccessfulResponse2.access_token,
+        });
+        scope.done();
+      });
+
       it('should handle underlying token exchange errors', async () => {
         const errorResponse: OAuthErrorResponse = {
           error: 'invalid_request',

test/test.downscopedclient.ts

@@ -411,9 +411,11 @@ describe('DownscopedClient', () => {
 
       clock.tick(1);
       const refreshedTokenResponse = await downscopedClient.getAccessToken();
+
+      const responseExpiresIn = stsSuccessfulResponse.expires_in as number;
       const expectedExpirationTime =
         credentials.expiry_date +
-        stsSuccessfulResponse.expires_in * 1000 -
+        responseExpiresIn * 1000 -
         EXPIRATION_TIME_OFFSET;
       assert.deepStrictEqual(
         refreshedTokenResponse.token,
@@ -534,12 +536,100 @@ describe('DownscopedClient', () => {
     it('should throw when the source AuthClient rejects on token request', async () => {
       const expectedError = new Error('Cannot get subject token.');
       client.throwError = true;
+
       const downscopedClient = new DownscopedClient(
         client,
         testClientAccessBoundary
       );
       await assert.rejects(downscopedClient.getAccessToken(), expectedError);
     });
+
+    it('should copy source cred expiry time if STS response does not return expiry time', async () => {
+      const now = new Date().getTime();
+      const credentials = {
+        access_token: 'ACCESS_TOKEN',
+        expiry_date: now + ONE_HOUR_IN_SECS * 1000,
+      };
+      const stsSuccessfulResponseWithoutExpireInField = Object.assign(
+        stsSuccessfulResponse,
+        {}
+      );
+      delete stsSuccessfulResponseWithoutExpireInField.expires_in;
+      const scope = mockStsTokenExchange([
+        {
+          statusCode: 200,
+          response: stsSuccessfulResponseWithoutExpireInField,
+          request: {
+            grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+            requested_token_type:
+              'urn:ietf:params:oauth:token-type:access_token',
+            subject_token: 'subject_token_0',
+            subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+            options:
+              testClientAccessBoundary &&
+              JSON.stringify(testClientAccessBoundary),
+          },
+        },
+      ]);
+
+      client.setCredentials(credentials);
+      const downscopedClient = new DownscopedClient(
+        client,
+        testClientAccessBoundary
+      );
+
+      const tokenResponse = await downscopedClient.getAccessToken();
+      assert.deepStrictEqual(
+        tokenResponse.token,
+        stsSuccessfulResponseWithoutExpireInField.access_token
+      );
+      assert.strictEqual(
+        downscopedClient.credentials.expiry_date,
+        credentials.expiry_date
+      );
+      scope.done();
+    });
+
+    it('should have no expiry date if source cred has no expiry time and STS response does not return one', async () => {
+      const credentials = {
+        access_token: 'ACCESS_TOKEN',
+      };
+      const stsSuccessfulResponseWithoutExpireInField = Object.assign(
+        stsSuccessfulResponse,
+        {}
+      );
+      delete stsSuccessfulResponseWithoutExpireInField.expires_in;
+      const scope = mockStsTokenExchange([
+        {
+          statusCode: 200,
+          response: stsSuccessfulResponseWithoutExpireInField,
+          request: {
+            grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+            requested_token_type:
+              'urn:ietf:params:oauth:token-type:access_token',
+            subject_token: 'subject_token_0',
+            subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+            options:
+              testClientAccessBoundary &&
+              JSON.stringify(testClientAccessBoundary),
+          },
+        },
+      ]);
+
+      client.setCredentials(credentials);
+      const downscopedClient = new DownscopedClient(
+        client,
+        testClientAccessBoundary
+      );
+
+      const tokenResponse = await downscopedClient.getAccessToken();
+      assert.deepStrictEqual(
+        tokenResponse.token,
+        stsSuccessfulResponseWithoutExpireInField.access_token
+      );
+      assert.strictEqual(downscopedClient.credentials.expiry_date, null);
+      scope.done();
+    });
   });
 
   describe('getRequestHeader()', () => {