From 5a8f4676630854c53aa708a9c8b960770067f858 Mon Sep 17 00:00:00 2001
From: Timur Sadykov <stim@google.com>
Date: Wed, 26 May 2021 14:29:01 -0700
Subject: [PATCH] feat: add Id token support for UserCredentials (#650)

IdtokenProvider implementation for UserCredentials with unit tests for idtoken
---
 .gitignore                                    |  3 +
 .../auth/oauth2/IdTokenCredentials.java       |  7 +-
 .../google/auth/oauth2/UserCredentials.java   | 71 ++++++++++++++-----
 .../auth/oauth2/MockTokenServerTransport.java | 14 ++--
 .../auth/oauth2/UserCredentialsTest.java      | 60 ++++++++++++++++
 5 files changed, 133 insertions(+), 22 deletions(-)

diff --git a/.gitignore b/.gitignore
index b637b4b46..fe226042f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,6 @@ target/
 # Intellij
 *.iml
 .idea/
+
+# VS Code
+.vscode/
\ No newline at end of file
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index 5629d4e81..be64a607b 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -110,7 +110,12 @@ public class IdTokenCredentials extends OAuth2Credentials {
 
   private IdTokenCredentials(Builder builder) {
     this.idTokenProvider = Preconditions.checkNotNull(builder.getIdTokenProvider());
-    this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
+
+    // target audience can't be used for UserCredentials
+    if (!(this.idTokenProvider instanceof UserCredentials)) {
+      this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
+    }
+
     this.options = builder.getOptions();
   }
 
diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index b8a05bcd1..780ec7538 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -58,7 +58,8 @@
 import java.util.Objects;
 
 /** OAuth2 Credentials representing a user's identity and consent. */
-public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider {
+public class UserCredentials extends GoogleCredentials
+    implements QuotaProjectIdProvider, IdTokenProvider {
 
   private static final String GRANT_TYPE = "refresh_token";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
@@ -186,22 +187,7 @@ public static UserCredentials fromStream(
   /** Refreshes the OAuth2 access token by getting a new access token from the refresh token */
   @Override
   public AccessToken refreshAccessToken() throws IOException {
-    if (refreshToken == null) {
-      throw new IllegalStateException(
-          "UserCredentials instance cannot refresh because there is no" + " refresh token.");
-    }
-    GenericData tokenRequest = new GenericData();
-    tokenRequest.set("client_id", clientId);
-    tokenRequest.set("client_secret", clientSecret);
-    tokenRequest.set("refresh_token", refreshToken);
-    tokenRequest.set("grant_type", GRANT_TYPE);
-    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
-
-    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
-    HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
-    request.setParser(new JsonObjectParser(JSON_FACTORY));
-    HttpResponse response = request.execute();
-    GenericData responseData = response.parseAs(GenericData.class);
+    GenericData responseData = doRefreshAccessToken();
     String accessToken =
         OAuth2Utils.validateString(responseData, "access_token", PARSE_ERROR_PREFIX);
     int expiresInSeconds =
@@ -210,6 +196,33 @@ public AccessToken refreshAccessToken() throws IOException {
     return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
   }
 
+  /**
+   * Returns a Google ID Token from the refresh token response.
+   *
+   * @param targetAudience This can't be used for UserCredentials.
+   * @param options list of Credential specific options for the token. Currently unused for
+   *     UserCredentials.
+   * @throws IOException if the attempt to get an IdToken failed
+   * @return IdToken object which includes the raw id_token, expiration and audience
+   */
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
+      throws IOException {
+    GenericData responseData = doRefreshAccessToken();
+    String idTokenKey = "id_token";
+    if (responseData.containsKey(idTokenKey)) {
+      String idTokenString =
+          OAuth2Utils.validateString(responseData, idTokenKey, PARSE_ERROR_PREFIX);
+      return IdToken.create(idTokenString);
+    }
+
+    throw new IOException(
+        "UserCredentials can obtain an id token only when authenticated through"
+            + " gcloud running 'gcloud auth login --update-adc' or 'gcloud auth application-default"
+            + " login'. The latter form would not work for Cloud Run, but would still generate an"
+            + " id token.");
+  }
+
   /**
    * Returns client ID of the credential from the console.
    *
@@ -237,6 +250,30 @@ public final String getRefreshToken() {
     return refreshToken;
   }
 
+  /**
+   * Does refresh access token request
+   *
+   * @return Refresh token response data
+   */
+  private GenericData doRefreshAccessToken() throws IOException {
+    if (refreshToken == null) {
+      throw new IllegalStateException(
+          "UserCredentials instance cannot refresh because there is no refresh token.");
+    }
+    GenericData tokenRequest = new GenericData();
+    tokenRequest.set("client_id", clientId);
+    tokenRequest.set("client_secret", clientSecret);
+    tokenRequest.set("refresh_token", refreshToken);
+    tokenRequest.set("grant_type", GRANT_TYPE);
+    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
+
+    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
+    HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
+    request.setParser(new JsonObjectParser(JSON_FACTORY));
+    HttpResponse response = request.execute();
+    return response.parseAs(GenericData.class);
+  }
+
   /**
    * Returns the instance of InputStream containing the following user credentials in JSON format: -
    * RefreshToken - ClientId - ClientSecret - ServerTokenUri
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
index 4b431d28a..b07b58f9d 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
@@ -56,6 +56,7 @@
 /** Mock transport to simulate providing Google OAuth2 access tokens */
 public class MockTokenServerTransport extends MockHttpTransport {
 
+  public static final String REFRESH_TOKEN_WITH_USER_SCOPE = "refresh_token_with_user.email_scope";
   static final String EXPECTED_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
   static final JsonFactory JSON_FACTORY = new GsonFactory();
   int buildRequestCount;
@@ -130,9 +131,9 @@ public LowLevelHttpRequest buildRequest(String method, String url) throws IOExce
       throw error;
     }
     int questionMarkPos = url.indexOf('?');
-    final String urlWithoutQUery = (questionMarkPos > 0) ? url.substring(0, questionMarkPos) : url;
+    final String urlWithoutQuery = (questionMarkPos > 0) ? url.substring(0, questionMarkPos) : url;
     final String query = (questionMarkPos > 0) ? url.substring(questionMarkPos + 1) : "";
-    if (urlWithoutQUery.equals(tokenServerUri.toString())) {
+    if (urlWithoutQuery.equals(tokenServerUri.toString())) {
       return new MockLowLevelHttpRequest(url) {
         @Override
         public LowLevelHttpResponse execute() throws IOException {
@@ -156,6 +157,7 @@ public LowLevelHttpResponse execute() throws IOException {
           boolean generateAccessToken = true;
 
           String foundId = query.get("client_id");
+          boolean isUserEmailScope = false;
           if (foundId != null) {
             if (!clients.containsKey(foundId)) {
               throw new IOException("Client ID not found.");
@@ -178,6 +180,9 @@ public LowLevelHttpResponse execute() throws IOException {
             if (!refreshTokens.containsKey(refreshToken)) {
               throw new IOException("Refresh Token not found.");
             }
+            if (refreshToken.equals(REFRESH_TOKEN_WITH_USER_SCOPE)) {
+              isUserEmailScope = true;
+            }
             accessToken = refreshTokens.get(refreshToken);
           } else if (query.containsKey("grant_type")) {
             String grantType = query.get("grant_type");
@@ -219,7 +224,8 @@ public LowLevelHttpResponse execute() throws IOException {
             if (refreshToken != null) {
               responseContents.put("refresh_token", refreshToken);
             }
-          } else {
+          }
+          if (isUserEmailScope || !generateAccessToken) {
             responseContents.put("id_token", ServiceAccountCredentialsTest.DEFAULT_ID_TOKEN);
           }
           String refreshText = responseContents.toPrettyString();
@@ -229,7 +235,7 @@ public LowLevelHttpResponse execute() throws IOException {
               .setContent(refreshText);
         }
       };
-    } else if (urlWithoutQUery.equals(OAuth2Utils.TOKEN_REVOKE_URI.toString())) {
+    } else if (urlWithoutQuery.equals(OAuth2Utils.TOKEN_REVOKE_URI.toString())) {
       return new MockLowLevelHttpRequest(url) {
         @Override
         public LowLevelHttpResponse execute() throws IOException {
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 288f4d773..d28e6011f 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -34,6 +34,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -73,6 +74,12 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
+  public static final String DEFAULT_ID_TOKEN =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyO"
+          + "TNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiL"
+          + "CJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwi"
+          + "aXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0"
+          + ".redacted";
 
   @Test(expected = IllegalStateException.class)
   public void constructor_accessAndRefreshTokenNull_throws() {
@@ -699,6 +706,59 @@ public void onFailure(Throwable exception) {
     assertTrue("Should have run onSuccess() callback", success.get());
   }
 
+  @Test
+  public void IdTokenCredentials_WithUserEmailScope_success() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    String refreshToken = MockTokenServerTransport.REFRESH_TOKEN_WITH_USER_SCOPE;
+
+    transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
+    transportFactory.transport.addRefreshToken(refreshToken, ACCESS_TOKEN);
+    InputStream userStream = writeUserStream(CLIENT_ID, CLIENT_SECRET, refreshToken, QUOTA_PROJECT);
+
+    UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
+    credentials.refresh();
+
+    assertEquals(ACCESS_TOKEN, credentials.getAccessToken().getTokenValue());
+
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder().setIdTokenProvider(credentials).build();
+
+    assertNull(tokenCredential.getAccessToken());
+    assertNull(tokenCredential.getIdToken());
+
+    // trigger the refresh like it would happen during a request build
+    tokenCredential.getRequestMetadata();
+
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
+  }
+
+  @Test
+  public void IdTokenCredentials_NoUserEmailScope_throws() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
+    transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
+    InputStream userStream =
+        writeUserStream(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
+
+    UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
+
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder().setIdTokenProvider(credentials).build();
+
+    String expectedMessageContent =
+        "UserCredentials can obtain an id token only when authenticated through"
+            + " gcloud running 'gcloud auth login --update-adc' or 'gcloud auth application-default"
+            + " login'. The latter form would not work for Cloud Run, but would still generate an"
+            + " id token.";
+
+    try {
+      tokenCredential.refresh();
+    } catch (IOException expected) {
+      assertTrue(expected.getMessage().equals(expectedMessageContent));
+    }
+  }
+
   static GenericJson writeUserJson(
       String clientId, String clientSecret, String refreshToken, String quotaProjectId) {
     GenericJson json = new GenericJson();