google-auth-library
Comparing version 9.5.0 to 9.6.0
@@ -19,3 +19,7 @@ import { GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios'; | ||
export declare const EXTERNAL_ACCOUNT_TYPE = "external_account"; | ||
/** Cloud resource manager URL used to retrieve project information. */ | ||
/** | ||
* Cloud resource manager URL used to retrieve project information. | ||
* | ||
* @deprecated use {@link BaseExternalAccountClient.cloudResourceManagerURL} instead | ||
**/ | ||
export declare const CLOUD_RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1/projects/"; | ||
@@ -44,2 +48,8 @@ /** | ||
workforce_pool_user_project?: string; | ||
scopes?: string[]; | ||
/** | ||
* @example | ||
* https://cloudresourcemanager.googleapis.com/v1/projects/ | ||
**/ | ||
cloud_resource_manager_url?: string | URL; | ||
} | ||
@@ -104,2 +114,9 @@ /** | ||
/** | ||
* @example | ||
* ```ts | ||
* new URL('https://cloudresourcemanager.googleapis.com/v1/projects/'); | ||
* ``` | ||
*/ | ||
protected cloudResourceManagerURL: URL | string; | ||
/** | ||
* Instantiate a BaseExternalAccountClient instance using the provided JSON | ||
@@ -106,0 +123,0 @@ * object loaded from an external account credentials file. |
@@ -45,3 +45,7 @@ "use strict"; | ||
exports.EXTERNAL_ACCOUNT_TYPE = 'external_account'; | ||
/** Cloud resource manager URL used to retrieve project information. */ | ||
/** | ||
* Cloud resource manager URL used to retrieve project information. | ||
* | ||
* @deprecated use {@link BaseExternalAccountClient.cloudResourceManagerURL} instead | ||
**/ | ||
exports.CLOUD_RESOURCE_MANAGER = 'https://cloudresourcemanager.googleapis.com/v1/projects/'; | ||
@@ -93,2 +97,4 @@ /** The workforce audience pattern. */ | ||
const serviceAccountImpersonationLifetime = (0, util_1.originalOrCamelOptions)(serviceAccountImpersonation).get('token_lifetime_seconds'); | ||
this.cloudResourceManagerURL = new URL(opts.get('cloud_resource_manager_url') || | ||
`https://cloudresourcemanager.${this.universeDomain}/v1/projects/`); | ||
if (clientId) { | ||
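Review bot: The configured `cloud_resource_manager_url` is later joined to the project number by plain string concatenation, `${this.cloudResourceManagerURL.toString()}${projectNumber}` in the hunk at `@@ -222,3 +227,3 @@`, so a user-supplied value without a trailing slash yields `.../projectsNNN` instead of `.../projects/NNN`; only the universe-domain default built here is guaranteed to end in `/`. Normalizing once at this assignment, e.g. `const base = String(opts.get('cloud_resource_manager_url') || defaultUrl);` (where `defaultUrl` is the existing universe-domain template) followed by `this.cloudResourceManagerURL = new URL(base.endsWith('/') ? base : base + '/');`, keeps the later request correct for both forms. Because that request is sent with the client's access token, the option's documentation should state that this URL is trusted to the same degree as `token_url` and must come from a trusted credentials file. A malformed value makes `new URL` throw a bare TypeError; catching it and naming the field would make misconfiguration easier to diagnose. The constructor this line belongs to starts outside the hunk.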
@@ -102,4 +108,3 @@ this.clientAuth = { | ||
this.stsCredential = new sts.StsCredentials(tokenUrl, this.clientAuth); | ||
// Default OAuth scope. This could be overridden via public property. | ||
this.scopes = [DEFAULT_OAUTH_SCOPE]; | ||
this.scopes = opts.get('scopes') || [DEFAULT_OAUTH_SCOPE]; | ||
this.cachedAccessToken = null; | ||
@@ -222,3 +227,3 @@ this.audience = opts.get('audience'); | ||
headers, | ||
url: `${exports.CLOUD_RESOURCE_MANAGER}${projectNumber}`, | ||
url: `${this.cloudResourceManagerURL.toString()}${projectNumber}`, | ||
responseType: 'json', | ||
@@ -418,8 +423,3 @@ }); | ||
} | ||
else if (typeof this.scopes === 'undefined') { | ||
return [DEFAULT_OAUTH_SCOPE]; | ||
} | ||
else { | ||
return this.scopes; | ||
} | ||
return this.scopes || [DEFAULT_OAUTH_SCOPE]; | ||
} | ||
@@ -426,0 +426,0 @@ getMetricsHeaderValue() { |
@@ -32,4 +32,2 @@ "use strict"; | ||
const STS_SUBJECT_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token'; | ||
/** The STS access token exchange end point. */ | ||
const STS_ACCESS_TOKEN_URL = 'https://sts.googleapis.com/v1/token'; | ||
/** | ||
@@ -97,3 +95,3 @@ * The maximum number of access boundary rules a Credential Access Boundary | ||
} | ||
this.stsCredential = new sts.StsCredentials(STS_ACCESS_TOKEN_URL); | ||
this.stsCredential = new sts.StsCredentials(`https://sts.${this.universeDomain}/v1/token`); | ||
this.cachedDownscopedAccessToken = null; | ||
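Review bot: `this.universeDomain` is interpolated directly into the host position of the STS endpoint here, and likewise into the resource-manager and IAM-credentials defaults in the hunks at `@@ -93,2 +97,4 @@` and `@@ -744,5 +744,15 @@`, but nothing on this page shows the value being validated as a bare hostname. Since the exchange at this URL carries the credential, a value containing a path, port or userinfo component would send the request to a different authority than the name suggests, so a single check where the universe domain is set, rejecting any value for which `new URL('https://' + domain + '/').host !== domain`, would cover all three call sites at once. I cannot tell from here whether the base client already performs such a check; if it does, a one-line comment pointing to it at these sites would save the next reviewer the same question. The constructor this line sits in starts outside the hunk.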
@@ -100,0 +98,0 @@ } |
@@ -322,4 +322,10 @@ /// <reference types="node" /> | ||
* @param data The data to be signed. | ||
* @param endpoint A custom endpoint to use. | ||
* | ||
* @example | ||
* ``` | ||
* sign('data', 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/'); | ||
* ``` | ||
*/ | ||
sign(data: string): Promise<string>; | ||
sign(data: string, endpoint?: string): Promise<string>; | ||
private signBlob; | ||
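Review bot: The two overloads `sign(data: string): Promise<string>;` and `sign(data: string, endpoint?: string): Promise<string>;` are redundant, because the second already makes `endpoint` optional; keeping only the second declaration is clearer and avoids needless overload resolution. The parameter is also typed `string` while the rest of this release accepts `string | URL` for endpoints (`tokenExchangeEndpoint`, every field of `OAuth2ClientEndpoints`), so `endpoint?: string | URL` with a `.toString()` in the implementation would be consistent. The `@example` would be more useful if it stated that the value must end in `/`, since the implementation appends the account id to it by concatenation.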
@@ -326,0 +332,0 @@ } |
@@ -744,5 +744,15 @@ "use strict"; | ||
* @param data The data to be signed. | ||
* @param endpoint A custom endpoint to use. | ||
* | ||
* @example | ||
* ``` | ||
* sign('data', 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/'); | ||
* ``` | ||
*/ | ||
async sign(data) { | ||
async sign(data, endpoint) { | ||
const client = await this.getClient(); | ||
const universe = await this.getUniverseDomain(); | ||
endpoint = | ||
endpoint || | ||
`https://iamcredentials.${universe}/v1/projects/-/serviceAccounts/`; | ||
if (client instanceof impersonated_1.Impersonated) { | ||
@@ -761,10 +771,9 @@ const signed = await client.sign(data); | ||
} | ||
return this.signBlob(crypto, creds.client_email, data); | ||
return this.signBlob(crypto, creds.client_email, data, endpoint); | ||
} | ||
async signBlob(crypto, emailOrUniqueId, data) { | ||
const url = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/' + | ||
`${emailOrUniqueId}:signBlob`; | ||
async signBlob(crypto, emailOrUniqueId, data, endpoint) { | ||
const url = new URL(endpoint + `${emailOrUniqueId}:signBlob`); | ||
const res = await this.request({ | ||
method: 'POST', | ||
url, | ||
url: url.href, | ||
data: { | ||
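Review bot: `new URL(endpoint + \`${emailOrUniqueId}:signBlob\`)` relies on `endpoint` ending in `/`; the default built in the `sign` hunk does, but a caller-supplied endpoint without it produces `.../serviceAccounts<id>:signBlob`, a different and non-existent resource. Normalizing first, `const base = endpoint.endsWith('/') ? endpoint : endpoint + '/';` then `const url = new URL(base + emailOrUniqueId + ':signBlob');`, makes both forms work. `endpoint` is now a required positional parameter of `signBlob` while `sign` documents it as optional; if another caller ever passes `undefined`, the concatenation yields the literal text `undefined...` and `new URL` throws a TypeError that does not name the cause, so either a default in `signBlob` itself or a JSDoc line stating the parameter must be the already-resolved base would help. The `signBlob` body continues outside the hunk.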
@@ -771,0 +780,0 @@ payload: crypto.encodeBase64StringUtf8(data), |
@@ -20,2 +20,3 @@ "use strict"; | ||
const oauth2client_1 = require("./oauth2client"); | ||
const authclient_1 = require("./authclient"); | ||
class JWT extends oauth2client_1.OAuth2Client { | ||
@@ -56,3 +57,7 @@ constructor(optionsOrEmail, keyFile, key, scopes, subject, keyId) { | ||
const useSelfSignedJWT = (!this.hasUserScopes() && url) || | ||
(this.useJWTAccessWithScope && this.hasAnyScopes()); | ||
(this.useJWTAccessWithScope && this.hasAnyScopes()) || | ||
this.universeDomain !== authclient_1.DEFAULT_UNIVERSE; | ||
if (this.subject && this.universeDomain !== authclient_1.DEFAULT_UNIVERSE) { | ||
throw new RangeError(`Service Account user is configured for the credential. Domain-wide delegation is not supported in universes other than ${authclient_1.DEFAULT_UNIVERSE}`); | ||
} | ||
if (!this.apiKey && useSelfSignedJWT) { | ||
@@ -59,0 +64,0 @@ if (this.additionalClaims && |
@@ -303,2 +303,54 @@ /// <reference types="node" /> | ||
} | ||
export interface OAuth2ClientEndpoints { | ||
/** | ||
* The endpoint for viewing access token information | ||
* | ||
* @example | ||
* 'https://oauth2.googleapis.com/tokeninfo' | ||
*/ | ||
tokenInfoUrl: string | URL; | ||
/** | ||
* The base URL for auth endpoints. | ||
* | ||
* @example | ||
* 'https://accounts.google.com/o/oauth2/v2/auth' | ||
*/ | ||
oauth2AuthBaseUrl: string | URL; | ||
/** | ||
* The base endpoint for token retrieval | ||
* . | ||
* @example | ||
* 'https://oauth2.googleapis.com/token' | ||
*/ | ||
oauth2TokenUrl: string | URL; | ||
/** | ||
* The base endpoint to revoke tokens. | ||
* | ||
* @example | ||
* 'https://oauth2.googleapis.com/revoke' | ||
*/ | ||
oauth2RevokeUrl: string | URL; | ||
/** | ||
* Sign on certificates in PEM format. | ||
* | ||
* @example | ||
* 'https://www.googleapis.com/oauth2/v1/certs' | ||
*/ | ||
oauth2FederatedSignonPemCertsUrl: string | URL; | ||
/** | ||
* Sign on certificates in JWK format. | ||
* | ||
* @example | ||
* 'https://www.googleapis.com/oauth2/v3/certs' | ||
*/ | ||
oauth2FederatedSignonJwkCertsUrl: string | URL; | ||
/** | ||
* IAP Public Key URL. | ||
* This URL contains a JSON dictionary that maps the `kid` claims to the public key values. | ||
* | ||
* @example | ||
* 'https://www.gstatic.com/iap/verify/public_key' | ||
*/ | ||
oauth2IapPublicKeyUrl: string | URL; | ||
} | ||
export interface OAuth2ClientOptions extends AuthClientOptions { | ||
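Review bot: The `oauth2TokenUrl` doc comment has a stray line ` * .` after `The base endpoint for token retrieval`, which renders as a lone period in hover documentation; it should read `* The base endpoint for token retrieval.` on one line like the sibling fields. The remaining field docs follow the same `@example` pattern and read fine.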
@@ -308,2 +360,10 @@ clientId?: string; | ||
redirectUri?: string; | ||
/** | ||
* Customizable endpoints. | ||
*/ | ||
endpoints?: Partial<OAuth2ClientEndpoints>; | ||
/** | ||
* The allowed OAuth2 token issuers. | ||
*/ | ||
issuers?: string[]; | ||
} | ||
@@ -317,2 +377,4 @@ export type RefreshOptions = Pick<AuthClientOptions, 'eagerRefreshThresholdMillis' | 'forceRefreshOnFailure'>; | ||
protected refreshTokenPromises: Map<string, Promise<GetTokenResponse>>; | ||
readonly endpoints: Readonly<OAuth2ClientEndpoints>; | ||
readonly issuers: string[]; | ||
_clientId?: string; | ||
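Review bot: `readonly issuers: string[];` only freezes the property binding; the array contents stay mutable, so any code holding a reference can push an issuer after construction and widen what `verifyIdToken` accepts. Because this is a trust list, `readonly issuers: readonly string[];` (with the implementation assigning a frozen copy) would match the `Readonly<OAuth2ClientEndpoints>` treatment given to `endpoints` on the previous line.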
@@ -334,28 +396,7 @@ _clientSecret?: string; | ||
constructor(clientId?: string, clientSecret?: string, redirectUri?: string); | ||
protected static readonly GOOGLE_TOKEN_INFO_URL = "https://oauth2.googleapis.com/tokeninfo"; | ||
/** | ||
* The base URL for auth endpoints. | ||
* @deprecated use instance's {@link OAuth2Client.endpoints} | ||
*/ | ||
private static readonly GOOGLE_OAUTH2_AUTH_BASE_URL_; | ||
protected static readonly GOOGLE_TOKEN_INFO_URL = "https://oauth2.googleapis.com/tokeninfo"; | ||
/** | ||
* The base endpoint for token retrieval. | ||
*/ | ||
private static readonly GOOGLE_OAUTH2_TOKEN_URL_; | ||
/** | ||
* The base endpoint to revoke tokens. | ||
*/ | ||
private static readonly GOOGLE_OAUTH2_REVOKE_URL_; | ||
/** | ||
* Google Sign on certificates in PEM format. | ||
*/ | ||
private static readonly GOOGLE_OAUTH2_FEDERATED_SIGNON_PEM_CERTS_URL_; | ||
/** | ||
* Google Sign on certificates in JWK format. | ||
*/ | ||
private static readonly GOOGLE_OAUTH2_FEDERATED_SIGNON_JWK_CERTS_URL_; | ||
/** | ||
* Google Sign on certificates in JWK format. | ||
*/ | ||
private static readonly GOOGLE_OAUTH2_IAP_PUBLIC_KEY_URL_; | ||
/** | ||
* Clock skew - five minutes in seconds | ||
@@ -365,10 +406,6 @@ */ | ||
/** | ||
* Max Token Lifetime is one day in seconds | ||
* The default max Token Lifetime is one day in seconds | ||
*/ | ||
private static readonly MAX_TOKEN_LIFETIME_SECS_; | ||
private static readonly DEFAULT_MAX_TOKEN_LIFETIME_SECS_; | ||
/** | ||
* The allowed oauth token issuers. | ||
*/ | ||
private static readonly ISSUERS_; | ||
/** | ||
* Generates URL for consent page landing. | ||
@@ -436,5 +473,13 @@ * @param opts Options. | ||
* @param token The existing token to be revoked. | ||
* | ||
* @deprecated use instance method {@link OAuth2Client.getRevokeTokenURL} | ||
*/ | ||
static getRevokeTokenUrl(token: string): string; | ||
/** | ||
* Generates a URL to revoke the given token. | ||
* | ||
* @param token The existing token to be revoked. | ||
*/ | ||
getRevokeTokenURL(token: string): URL; | ||
/** | ||
* Revokes the access given to token. | ||
@@ -441,0 +486,0 @@ * @param token The existing token to be revoked. |
@@ -47,2 +47,17 @@ "use strict"; | ||
this.redirectUri = opts.redirectUri; | ||
this.endpoints = { | ||
tokenInfoUrl: 'https://oauth2.googleapis.com/tokeninfo', | ||
oauth2AuthBaseUrl: 'https://accounts.google.com/o/oauth2/v2/auth', | ||
oauth2TokenUrl: 'https://oauth2.googleapis.com/token', | ||
oauth2RevokeUrl: 'https://oauth2.googleapis.com/revoke', | ||
oauth2FederatedSignonPemCertsUrl: 'https://www.googleapis.com/oauth2/v1/certs', | ||
oauth2FederatedSignonJwkCertsUrl: 'https://www.googleapis.com/oauth2/v3/certs', | ||
oauth2IapPublicKeyUrl: 'https://www.gstatic.com/iap/verify/public_key', | ||
...opts.endpoints, | ||
}; | ||
this.issuers = opts.issuers || [ | ||
'accounts.google.com', | ||
'https://accounts.google.com', | ||
this.universeDomain, | ||
]; | ||
} | ||
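Review bot: The default issuer list now includes `this.universeDomain` itself, so in the default universe the bare universe domain is presumably accepted as an `iss` value alongside the two `accounts.google.com` forms; that widens the set of ID tokens `verifyIdToken` accepts (the hunk at `@@ -460,3 +486,3 @@` passes `this.issuers` to the verifier), and nothing on this page explains which universes issue tokens with that issuer. If the extra entry is only needed outside the default universe, adding it conditionally when `this.universeDomain` is not the default universe keeps the default-universe trust set unchanged; otherwise a comment documenting the source of that issuer value would help reviewers. Separately, `...opts.endpoints` copies keys whose value is `undefined` over the defaults (a `Partial<>` permits that without `exactOptionalPropertyTypes`), so an option like `endpoints: { oauth2TokenUrl: undefined }` leaves a field that `.toString()` later dereferences; dropping undefined entries before spreading would preserve the defaults. The constructor this hunk belongs to starts outside the hunk.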
@@ -65,3 +80,3 @@ /** | ||
} | ||
const rootUrl = OAuth2Client.GOOGLE_OAUTH2_AUTH_BASE_URL_; | ||
const rootUrl = this.endpoints.oauth2AuthBaseUrl.toString(); | ||
return (rootUrl + | ||
@@ -115,3 +130,3 @@ '?' + | ||
async getTokenAsync(options) { | ||
const url = OAuth2Client.GOOGLE_OAUTH2_TOKEN_URL_; | ||
const url = this.endpoints.oauth2TokenUrl.toString(); | ||
const values = { | ||
@@ -168,3 +183,3 @@ code: options.code, | ||
} | ||
const url = OAuth2Client.GOOGLE_OAUTH2_TOKEN_URL_; | ||
const url = this.endpoints.oauth2TokenUrl.toString(); | ||
const data = { | ||
@@ -322,10 +337,21 @@ refresh_token: refreshToken, | ||
* @param token The existing token to be revoked. | ||
* | ||
* @deprecated use instance method {@link OAuth2Client.getRevokeTokenURL} | ||
*/ | ||
static getRevokeTokenUrl(token) { | ||
const parameters = querystring.stringify({ token }); | ||
return `${OAuth2Client.GOOGLE_OAUTH2_REVOKE_URL_}?${parameters}`; | ||
return new OAuth2Client().getRevokeTokenURL(token).toString(); | ||
} | ||
/** | ||
* Generates a URL to revoke the given token. | ||
* | ||
* @param token The existing token to be revoked. | ||
*/ | ||
getRevokeTokenURL(token) { | ||
const url = new URL(this.endpoints.oauth2RevokeUrl); | ||
url.searchParams.append('token', token); | ||
return url; | ||
} | ||
revokeToken(token, callback) { | ||
const opts = { | ||
url: OAuth2Client.getRevokeTokenUrl(token), | ||
url: this.getRevokeTokenURL(token).toString(), | ||
method: 'POST', | ||
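Review bot: The deprecated static `getRevokeTokenUrl` now instantiates a full `OAuth2Client` on every call only to read a default endpoint; whatever the base constructor does beyond what is visible here runs each time, and the result ignores any `endpoints` override configured on the caller's real client. Building it from the default literal directly, `const url = new URL('https://oauth2.googleapis.com/revoke'); url.searchParams.append('token', token); return url.toString();`, keeps the deprecated path cheap and side-effect free while matching the old behavior. The new instance method's use of `searchParams.append` is an improvement, since the token is now percent-encoded rather than stringified by hand; the token still travels in the query string of the POST, which is the endpoint's pre-existing contract, but a one-line comment saying so would be worthwhile because query strings are commonly recorded by intermediaries.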
@@ -460,3 +486,3 @@ }; | ||
const response = await this.getFederatedSignonCertsAsync(); | ||
const login = await this.verifySignedJwtWithCertsAsync(options.idToken, response.certs, options.audience, OAuth2Client.ISSUERS_, options.maxExpiry); | ||
const login = await this.verifySignedJwtWithCertsAsync(options.idToken, response.certs, options.audience, this.issuers, options.maxExpiry); | ||
return login; | ||
@@ -478,3 +504,3 @@ } | ||
}, | ||
url: OAuth2Client.GOOGLE_TOKEN_INFO_URL, | ||
url: this.endpoints.tokenInfoUrl.toString(), | ||
}); | ||
@@ -511,6 +537,6 @@ const info = Object.assign({ | ||
case CertificateFormat.PEM: | ||
url = OAuth2Client.GOOGLE_OAUTH2_FEDERATED_SIGNON_PEM_CERTS_URL_; | ||
url = this.endpoints.oauth2FederatedSignonPemCertsUrl.toString(); | ||
break; | ||
case CertificateFormat.JWK: | ||
url = OAuth2Client.GOOGLE_OAUTH2_FEDERATED_SIGNON_JWK_CERTS_URL_; | ||
url = this.endpoints.oauth2FederatedSignonJwkCertsUrl.toString(); | ||
break; | ||
@@ -569,3 +595,3 @@ default: | ||
let res; | ||
const url = OAuth2Client.GOOGLE_OAUTH2_IAP_PUBLIC_KEY_URL_; | ||
const url = this.endpoints.oauth2IapPublicKeyUrl.toString(); | ||
try { | ||
@@ -600,3 +626,3 @@ res = await this.transporter.request({ url }); | ||
if (!maxExpiry) { | ||
maxExpiry = OAuth2Client.MAX_TOKEN_LIFETIME_SECS_; | ||
maxExpiry = OAuth2Client.DEFAULT_MAX_TOKEN_LIFETIME_SECS_; | ||
} | ||
@@ -733,28 +759,7 @@ const segments = jwt.split('.'); | ||
exports.OAuth2Client = OAuth2Client; | ||
OAuth2Client.GOOGLE_TOKEN_INFO_URL = 'https://oauth2.googleapis.com/tokeninfo'; | ||
/** | ||
* The base URL for auth endpoints. | ||
* @deprecated use instance's {@link OAuth2Client.endpoints} | ||
*/ | ||
OAuth2Client.GOOGLE_OAUTH2_AUTH_BASE_URL_ = 'https://accounts.google.com/o/oauth2/v2/auth'; | ||
OAuth2Client.GOOGLE_TOKEN_INFO_URL = 'https://oauth2.googleapis.com/tokeninfo'; | ||
/** | ||
* The base endpoint for token retrieval. | ||
*/ | ||
OAuth2Client.GOOGLE_OAUTH2_TOKEN_URL_ = 'https://oauth2.googleapis.com/token'; | ||
/** | ||
* The base endpoint to revoke tokens. | ||
*/ | ||
OAuth2Client.GOOGLE_OAUTH2_REVOKE_URL_ = 'https://oauth2.googleapis.com/revoke'; | ||
/** | ||
* Google Sign on certificates in PEM format. | ||
*/ | ||
OAuth2Client.GOOGLE_OAUTH2_FEDERATED_SIGNON_PEM_CERTS_URL_ = 'https://www.googleapis.com/oauth2/v1/certs'; | ||
/** | ||
* Google Sign on certificates in JWK format. | ||
*/ | ||
OAuth2Client.GOOGLE_OAUTH2_FEDERATED_SIGNON_JWK_CERTS_URL_ = 'https://www.googleapis.com/oauth2/v3/certs'; | ||
/** | ||
* Google Sign on certificates in JWK format. | ||
*/ | ||
OAuth2Client.GOOGLE_OAUTH2_IAP_PUBLIC_KEY_URL_ = 'https://www.gstatic.com/iap/verify/public_key'; | ||
/** | ||
* Clock skew - five minutes in seconds | ||
@@ -764,11 +769,4 @@ */ | ||
/** | ||
* Max Token Lifetime is one day in seconds | ||
* The default max Token Lifetime is one day in seconds | ||
*/ | ||
OAuth2Client.MAX_TOKEN_LIFETIME_SECS_ = 86400; | ||
/** | ||
* The allowed oauth token issuers. | ||
*/ | ||
OAuth2Client.ISSUERS_ = [ | ||
'accounts.google.com', | ||
'https://accounts.google.com', | ||
]; | ||
OAuth2Client.DEFAULT_MAX_TOKEN_LIFETIME_SECS_ = 86400; |
@@ -97,3 +97,3 @@ import { GaxiosResponse } from 'gaxios'; | ||
*/ | ||
constructor(tokenExchangeEndpoint: string, clientAuthentication?: ClientAuthentication); | ||
constructor(tokenExchangeEndpoint: string | URL, clientAuthentication?: ClientAuthentication); | ||
/** | ||
@@ -100,0 +100,0 @@ * Exchanges the provided token for another type of token based on the |
@@ -81,3 +81,3 @@ "use strict"; | ||
const opts = { | ||
url: this.tokenExchangeEndpoint, | ||
url: this.tokenExchangeEndpoint.toString(), | ||
method: 'POST', | ||
@@ -84,0 +84,0 @@ headers, |
{ | ||
"name": "google-auth-library", | ||
"version": "9.5.0", | ||
"version": "9.6.0", | ||
"author": "Google Inc.", | ||
@@ -5,0 +5,0 @@ "description": "Google APIs Authentication Client Library for Node.js", |