Class: Google::Auth::OAuth2::STSClient

Inherits:

Object

• Object
• Google::Auth::OAuth2::STSClient

Includes:

Helpers::Connection

Defined in:

lib/googleauth/oauth2/sts_client.rb

Overview

OAuth 2.0 Token Exchange Spec. This module defines a token exchange utility based on the OAuth 2.0 Token Exchange spec. This will be mainly used to exchange external credentials for GCP access tokens in workload identity pools to access Google APIs. The implementation will support various types of client authentication as allowed in the spec.

A deviation on the spec will be for additional Google specific options that cannot be easily mapped to parameters defined in the RFC. The returned dictionary response will be based on the rfc8693 section 2.2.1 spec JSON response.

Constant Summary

URLENCODED_HEADERS =

{ "Content-Type": "application/x-www-form-urlencoded" }.freeze

Instance Method Summary

• #exchange_token(options = {}) ⇒ Hash

  Exchanges the provided token for another type of token based on the rfc8693 spec.

• #initialize(options = {}) ⇒ STSClient constructor

  Create a new instance of the STSClient.

Methods included from Helpers::Connection

connection

Constructor Details

#initialize(options = {}) ⇒ STSClient

Create a new instance of the STSClient.

Parameters:

• token_exchange_endpoint (String) —

  The token exchange endpoint.

# File 'lib/googleauth/oauth2/sts_client.rb', line 41

def initialize options = {}
  raise "Token exchange endpoint can not be nil" if options[:token_exchange_endpoint].nil?
  self.default_connection = options[:connection]
  @token_exchange_endpoint = options[:token_exchange_endpoint]
end

Instance Method Details

#exchange_token(options = {}) ⇒ Hash

Exchanges the provided token for another type of token based on the rfc8693 spec

A callable faraday instance used to make HTTP requests.

Parameters:

• connection (Faraday instance)
• grant_type (String) —

  The OAuth 2.0 token exchange grant type.

• subject_token (String) —

  The OAuth 2.0 token exchange subject token.

• subject_token_type (String) —

  The OAuth 2.0 token exchange subject token type.

• resource (String) —

  The optional OAuth 2.0 token exchange resource field.

• audience (String) —

  The optional OAuth 2.0 token exchange audience field.

• scopes (Array<String>) —

  The optional list of scopes to use.

• requested_token_type (String) —

  The optional OAuth 2.0 token exchange requested token type.

• additional_headers (Hash<String,String>) —

  : The optional additional headers to pass to the token exchange endpoint.

Returns:

• (Hash) —

  A hash containing the token exchange response.

# File 'lib/googleauth/oauth2/sts_client.rb', line 70

def exchange_token options = {}
  missing_required_opts = [:grant_type, :subject_token, :subject_token_type] - options.keys
  unless missing_required_opts.empty?
    raise ArgumentError, "Missing required options: #{missing_required_opts.join ', '}"
  end

  # TODO: Add the ability to add authentication to the headers
  headers = URLENCODED_HEADERS.dup.merge(options[:additional_headers] || {})

  request_body = make_request options

  response = connection.post @token_exchange_endpoint, URI.encode_www_form(request_body), headers

  if response.status != 200
    raise "Token exchange failed with status #{response.status}"
  end

  MultiJson.load response.body
end