From df7dd11ec46ccaf5426de0a0f2f320369706bd40 Mon Sep 17 00:00:00 2001
From: Justin Beckwith
Date: Sat, 29 Feb 2020 16:56:51 -0800
Subject: [PATCH 1/2] fix: use iamcredentials API to sign blobs
---
 samples/signBlob.js | 29 +++++++++++++++++++++++++++++
 samples/test/jwt.test.js | 5 +++++
 src/auth/googleauth.ts | 11 +++++++----
 test/test.googleauth.ts | 10 +++++-----
 4 files changed, 46 insertions(+), 9 deletions(-)
 create mode 100644 samples/signBlob.js
diff --git a/samples/signBlob.js b/samples/signBlob.js
new file mode 100644
index 00000000..ea52bb16
--- /dev/null
+++ b/samples/signBlob.js
@@ -0,0 +1,29 @@
+// Copyright 2020 Google LLC
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {auth} = require('google-auth-library');
+
+/**
+ * Use the iamcredentials API to sign a blob of data.
+ */
+async function main() {
+ const signedData = await auth.sign('some data');
+ console.log(signedData);
+}
+
+main().catch(e => {
+ console.error(e);
+ throw e;
+});
diff --git a/samples/test/jwt.test.js b/samples/test/jwt.test.js
index 3664ec1e..42c2b226 100644
--- a/samples/test/jwt.test.js
+++ b/samples/test/jwt.test.js
@@ -84,4 +84,9 @@ describe('samples', () => {
 const output = execSync(`node idtokens-iap ${url} ${targetAudience}`);
 assert.match(output, /Hello, world/);
 });
+
+ it('should sign the blobs with IAM credentials API', () => {
+ const out = execSync('node signBlob');
+ assert.ok(out.length > 0);
+ });
 });
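Review bot: `throw e;` inside the `main().catch(...)` handler at the end of samples/signBlob.js converts a failed sign call into an unhandled promise rejection instead of a clean failure; on Node versions that only warn on unhandled rejections the process can still exit 0, so anyone scripting this sample cannot rely on its exit status. Prefer `process.exitCode = 1;` in place of `throw e;`, which is what the console.error line already implies. The sample also only succeeds when the runtime credential is permitted to call signBlob on its own service account, which deserves a one-line comment above `main()`, e.g. `// Requires the iam.serviceAccounts.signBlob permission (Service Account Token Creator) on the running service account.`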
diff --git a/src/auth/googleauth.ts b/src/auth/googleauth.ts
index c6d28e49..48e4b501 100644
--- a/src/auth/googleauth.ts
+++ b/src/auth/googleauth.ts
@@ -824,13 +824,16 @@ export class GoogleAuth {
 const id = `projects/${projectId}/serviceAccounts/${creds.client_email}`;
 const res = await this.request({
 method: 'POST',
- url: `https://iam.googleapis.com/v1/${id}:signBlob`,
- data: {bytesToSign: crypto.encodeBase64StringUtf8(data)},
+ url: `https://iamcredentials.googleapis.com/v1/{name=${id}}`,
+ data: {
+ payload: crypto.encodeBase64StringUtf8(data),
+ },
 });
- return res.data.signature;
+ return res.data.signedBlob;
 }
 }

 export interface SignBlobResponse {
- signature: string;
+ keyId: string;
+ signedBlob: string;
 }
diff --git a/test/test.googleauth.ts b/test/test.googleauth.ts
index 95ac4b5e..150f4ff7 100644
--- a/test/test.googleauth.ts
+++ b/test/test.googleauth.ts
@@ -1390,21 +1390,21 @@ describe('googleauth', () => {
 const {auth, scopes} = mockGCE();
 mockEnvVar('GCLOUD_PROJECT', STUB_PROJECT);
 const email = 'google@auth.library';
- const iamUri = `https://iam.googleapis.com`;
- const iamPath = `/v1/projects/${STUB_PROJECT}/serviceAccounts/${email}:signBlob`;
- const signature = 'erutangis';
+ const iamUri = `https://iamcredentials.googleapis.com`;
+ const iamPath = `/v1/%7Bname=projects/${STUB_PROJECT}/serviceAccounts/${email}%7D`;
+ const signedBlob = 'erutangis';
 const data = 'abc123';
 scopes.push(
 nock(iamUri)
 .post(iamPath)
- .reply(200, {signature}),
+ .reply(200, {signedBlob}),
 nock(host)
 .get(svcAccountPath)
 .reply(200, {default: {email, private_key: privateKey}}, HEADERS)
 );
 const value = await auth.sign(data);
 scopes.forEach(x => x.done());
- assert.strictEqual(value, signature);
+ assert.strictEqual(value, signedBlob);
 });

 // tslint:disable-next-line ban
From 67f3e2e85a95f82e0ad69f5eb69496e90be8a20c Mon Sep 17 00:00:00 2001
From: Justin Beckwith
Date: Mon, 2 Mar 2020 11:13:24 -0800
Subject: [PATCH 2/2] try this
---
 src/auth/googleauth.ts | 4 ++--
 test/test.googleauth.ts | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/auth/googleauth.ts b/src/auth/googleauth.ts
index 73c16f4e..93d231ec 100644
--- a/src/auth/googleauth.ts
+++ b/src/auth/googleauth.ts
@@ -809,10 +809,10 @@ export class GoogleAuth {
 throw new Error('Cannot sign data without `client_email`.');
 }

- const id = `projects/${projectId}/serviceAccounts/${creds.client_email}`;
+ const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${creds.client_email}:signBlob`;
 const res = await this.request({
 method: 'POST',
- url: `https://iamcredentials.googleapis.com/v1/{name=${id}}`,
+ url,
 data: {
 payload: crypto.encodeBase64StringUtf8(data),
 },
diff --git a/test/test.googleauth.ts b/test/test.googleauth.ts
index 550cb115..c125046d 100644
--- a/test/test.googleauth.ts
+++ b/test/test.googleauth.ts
@@ -1391,7 +1391,7 @@ describe('googleauth', () => {
 mockEnvVar('GCLOUD_PROJECT', STUB_PROJECT);
 const email = 'google@auth.library';
 const iamUri = `https://iamcredentials.googleapis.com`;
- const iamPath = `/v1/%7Bname=projects/${STUB_PROJECT}/serviceAccounts/${email}%7D`;
+ const iamPath = `/v1/projects/-/serviceAccounts/${email}:signBlob`;
 const signedBlob = 'erutangis';
 const data = 'abc123';
 scopes.push(
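Review bot: `creds.client_email` is interpolated into the request path unescaped on the new `const url` line, and with the `projects/-` wildcard that value is now the only thing selecting the resource, so a `/`, `?` or `#` in it would redirect the request to a different path — use `${encodeURIComponent(creds.client_email)}` there. The response is also trusted without a check: the `return res.data.signedBlob` added by the first patch just below this hunk yields `undefined` on an unexpected 200 body, so guard it with `if (!res.data || !res.data.signedBlob) throw new Error('signBlob response did not include signedBlob');` before returning. Since the URL no longer uses `projectId`, whatever resolves it above this hunk is presumably now dead work and can go. A comment such as `// projects/- resolves the account by email; the calling credential must hold iam.serviceAccounts.signBlob (Service Account Token Creator) on it` would spare the next reader a trip to the iamcredentials docs. The enclosing method (presumably `sign`) starts and ends outside the hunk.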
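Review bot: The mock `.post(iamPath)` that follows `scopes.push(` (visible in the first patch's hunk and not touched here) matches any request body, so this test never checks that the request now carries the new `payload` field with base64 data rather than the old `bytesToSign` — the field rename is the part of this migration most likely to regress silently. Pin it with `.post(iamPath, {payload: Buffer.from(data).toString('base64')})`, which matches the `crypto.encodeBase64StringUtf8(data)` the client sends. The `it(...)` block starts before and ends after this hunk.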